Data Processing Agreement
Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Telepath Pro (“Processor”) and the customer (“Controller”) and applies to all paid subscription plans.
This DPA is automatically incorporated into and forms part of the Terms of Service for all paid subscribers. No separate signature is required. By subscribing to a paid plan, the Controller accepts the terms of this DPA.
This DPA is entered into pursuant to Article 28(3) of the UK General Data Protection Regulation (UK GDPR) and sets out the subject matter, duration, nature, purpose, type of personal data, and categories of data subjects for all processing carried out by Telepath Pro on behalf of the Controller.
For enterprise customers requiring a countersigned DPA for their procurement process, please contact privacy@telepath.pro and we will arrange this within 5 business days.
1. Definitions
“Controller” means the customer — the business or individual who determines the purposes and means of processing personal data uploaded to Telepath Pro.
“Processor” means Telepath Pro, operated as a sole trader by Tom Pople trading as Telepath Pro, 1 Bolsover Road, Hove, BN3 5HQ, United Kingdom.
“Personal Data” has the meaning given in UK GDPR — any information relating to an identified or identifiable natural person.
“Processing” has the meaning given in UK GDPR — any operation performed on personal data.
“Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
“UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
“Services” means the Telepath Pro platform, including ICP report generation, pipeline scoring, and associated features as described at telepath.pro.
2. Scope and Purpose of Processing
2.1 Role of the parties
The Controller is the data controller in respect of personal data uploaded to or processed by Telepath Pro. Telepath Pro acts as data processor, processing personal data only on behalf of and on the instructions of the Controller.
2.2 Purpose of processing
Telepath Pro processes personal data solely for the purpose of providing the Services — specifically:
- Generating Ideal Customer Profile (ICP) analysis from historical deal data
- Scoring pipeline opportunities against the Controller's ICP
- Providing sales intelligence insights and recommendations
Telepath Pro will not process personal data for any other purpose, including training AI models, benchmarking against other customers, or any commercial purpose beyond delivering the Services.
2.3 Duration
Processing begins when the Controller connects their CRM or uploads data to the platform and continues for the duration of the subscription, plus a 30-day retention period following cancellation as described in Section 7.
3. Categories of Data Processed
3.1 Data Telepath Pro DOES process
Sales representative data (employee data):
- Sales representative names
- Sales representative work email addresses
- Sales representative CRM identifiers (e.g. HubSpot owner IDs)
- Deal attribution and performance metrics per representative
Commercial deal data (non-personal / company-level):
- Company names of accounts (legal entities, not personal data)
- Deal values and financial metrics
- Industry classifications
- Company size and headcount bands
- Geographic regions
- Sales cycle durations
- Technology stack information
- Lead source classifications
- Deal stage and pipeline status
- CRM deal identifiers (routing keys)
3.2 Data Telepath Pro does NOT process or store
Telepath Pro has been specifically designed to avoid processing the following categories of data:
- Contact names of the Controller's prospects or customers
- Personal email addresses of the Controller's prospects or customers
- Phone numbers of the Controller's prospects or customers
- Physical addresses of individuals
- Any special category data as defined in UK GDPR Article 9
- Payment card details (processed directly by Stripe, never accessed by Telepath Pro)
3.3 Data subjects
The personal data processed under this DPA relates to the following categories of data subjects:
- Sales representatives and revenue team members employed by or contracted to the Controller
4. Controller's Obligations
The Controller represents and warrants that:
4.1 It has a lawful basis under UK GDPR for processing and sharing the personal data with Telepath Pro, including for the processing of employee data (sales representatives) under legitimate interests or contractual necessity.
4.2 Where required, it has provided appropriate notice to data subjects (sales representatives) that their performance data may be processed by third-party service providers including Telepath Pro.
4.3 The data uploaded to Telepath Pro does not include special category data, criminal conviction data, or data relating to children.
4.4 It will promptly inform Telepath Pro of any changes to its processing instructions that may affect Telepath Pro's obligations under this DPA.
5. Processor's Obligations
Telepath Pro agrees to:
5.1 Process only on instructions — Process personal data only in accordance with the Controller's documented instructions (as set out in this DPA and the Terms of Service) unless required to do so by applicable law.
5.2 Confidentiality — Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
5.3 Security — Implement and maintain appropriate technical and organisational security measures as described in Section 6.
5.4 Sub-processors — Not engage sub-processors without complying with the requirements of Section 8.
5.5 Data subject rights — Assist the Controller in responding to data subject rights requests within the timescales required by UK GDPR, insofar as this is possible given the nature of the processing.
5.6 Breach notification — Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting the Controller's data.
5.7 Data Protection Impact Assessments — Provide reasonable assistance to the Controller in carrying out data protection impact assessments where required.
5.8 Audit — Upon reasonable written request (no more than once per year), provide the Controller with information reasonably necessary to demonstrate compliance with this DPA.
5.9 No sale of data — Never sell, rent, or otherwise commercialise the Controller's personal data to any third party.
6. Security Measures
Telepath Pro implements the following technical and organisational measures to protect personal data:
Encryption:
- All data in transit encrypted using TLS 1.2 or higher
- All data at rest encrypted using AES-256
- API tokens and authentication credentials encrypted using industry-standard algorithms (bcrypt for passwords, HMAC-SHA256 for API keys)
Access controls:
- Access to production systems restricted to authorised personnel only
- Multi-factor authentication required for all production system access
- Principle of least privilege applied to all system access
Infrastructure security:
- Application hosted on Vercel (SOC 2 Type II certified)
- Database hosted on Supabase (SOC 2 Type II certified)
- Regular dependency security scanning
- Automated security updates applied
Organisational measures:
- Regular review of data processing practices
- Privacy by design principles applied to all new features
- Sub-processors assessed for security compliance before engagement
7. Data Retention and Deletion
7.1 Retention during subscription
Personal data is retained for the duration of the active subscription.
7.2 Post-cancellation retention
Following cancellation or termination of the subscription, personal data is retained for 30 days to allow for data export requests. After this period, all personal data is permanently and irreversibly deleted from Telepath Pro's systems and all sub-processor systems.
7.3 Deletion on request
The Controller may request deletion of all personal data at any time by:
- Using the “Delete my account and all data” function in account Settings
- Emailing privacy@telepath.pro
Telepath Pro will complete the deletion within 7 days of receiving the request and provide written confirmation.
7.4 Retention of anonymised data
Telepath Pro may retain anonymised, aggregated data (from which no individual or company can be identified) beyond the retention periods above for the purpose of improving the Services. This data is not personal data and is not subject to this DPA.
7.5 Legal hold
Notwithstanding the above, Telepath Pro may retain data for longer periods where required by applicable law, for example for financial record-keeping obligations (7 years for payment records).
8. Sub-processors
8.1 Authorised sub-processors
The Controller provides general authorisation for Telepath Pro to engage the following sub-processors:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database and authentication | EU (Ireland) | Standard Contractual Clauses |
| Vercel | Application hosting | USA | Standard Contractual Clauses |
| OpenAI | Embedding generation and AI analysis | USA | Standard Contractual Clauses |
| Anthropic | AI report generation and insights | USA | Standard Contractual Clauses |
| Resend | Transactional email delivery | USA | Standard Contractual Clauses |
| Stripe | Payment processing | USA | EU-US Data Privacy Framework |
| Upstash | Rate limiting (Redis) | EU | Standard Contractual Clauses |
8.2 Changes to sub-processors
Telepath Pro will provide at least 30 days' written notice by email before engaging any new sub-processor or making material changes to existing sub-processor arrangements. The Controller may object to such changes within 14 days. If the Controller objects and Telepath Pro cannot accommodate the objection, the Controller may terminate the subscription and receive a pro-rata refund for any unused prepaid period.
8.3 Sub-processor obligations
Telepath Pro enters into written agreements with all sub-processors imposing data protection obligations equivalent to those in this DPA. Telepath Pro remains liable to the Controller for the acts and omissions of its sub-processors.
9. International Data Transfers
Where personal data is transferred outside the UK, Telepath Pro ensures that appropriate safeguards are in place in accordance with UK GDPR Chapter V:
- Standard Contractual Clauses (SCCs) — used for transfers to sub-processors in the USA (OpenAI, Anthropic, Vercel, Resend)
- EU-US Data Privacy Framework — used for sub-processors certified under this framework (Stripe)
- Adequacy decisions — used where the destination country has been deemed adequate by the UK government
All sub-processors are required to maintain equivalent data protection standards regardless of location.
10. Data Subject Rights
10.1 Assistance
Telepath Pro will assist the Controller in fulfilling its obligations to respond to data subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
10.2 Direct requests
If Telepath Pro receives a data subject rights request directly from one of the Controller's data subjects, Telepath Pro will:
- Not respond to the request directly (unless legally required)
- Forward the request to the Controller within 5 business days
- Provide reasonable assistance to the Controller in responding
11. Personal Data Breaches
11.1 Notification
In the event of a personal data breach affecting the Controller's data, Telepath Pro will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide details of: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
11.2 Cooperation
Telepath Pro will cooperate fully with the Controller in investigating, mitigating, and remediating any personal data breach.
11.3 Controller responsibilities
The Controller is responsible for determining whether the breach requires notification to the ICO and/or affected data subjects under UK GDPR Articles 33 and 34.
12. Liability
12.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
12.2 The Controller indemnifies Telepath Pro against any claims, losses, or penalties arising from the Controller's failure to comply with its obligations under this DPA or applicable data protection law.
12.3 Telepath Pro indemnifies the Controller against any claims, losses, or penalties arising from Telepath Pro's failure to comply with its obligations under this DPA, up to the liability cap set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
14. Changes to This DPA
Telepath Pro may update this DPA from time to time to reflect changes in the law, our services, or our sub-processor arrangements. We will provide at least 30 days' written notice of material changes by email. Continued use of the service after the effective date constitutes acceptance of the updated DPA.
15. Contact
For any questions relating to this DPA or to request a countersigned copy for your procurement process:
Email: privacy@telepath.pro
Post: Telepath Pro, 1 Bolsover Road, Hove, BN3 5HQ, United Kingdom
ICO Registration: ZC101774
Annex A — Description of Processing
| Item | Description |
|---|---|
| Subject matter | ICP analysis and pipeline scoring using CRM and deal data |
| Duration | Duration of subscription plus 30-day retention period |
| Nature of processing | Collection, storage, analysis, structuring, and deletion |
| Purpose | Providing ICP reports and pipeline scoring services |
| Type of personal data | Sales rep names, work emails, CRM identifiers |
| Categories of data subjects | Sales representatives employed by or contracted to the Controller |
| Controller's obligations | Ensuring lawful basis for processing; providing appropriate notices to data subjects |