Parties and application
This Data Processing Addendum, including its Schedules (the “DPA”), is entered into between the customer that has agreed to a Service Agreement (“Customer”) and STDİO BİLİŞİM SANAYİ VE TİCARET LİMİTED ŞİRKETİ, registered with the Ankara Trade Registry under number 506958 and MERSİS number 4826851464800001, operating as CompanyEnrich, with its registered address at BAHÇELİEVLER MAH. 91 SK. NO: 1 GÖLBAŞI / ANKARA, Türkiye (“CompanyEnrich”).
For a self-service Customer, this DPA is incorporated by reference into the CompanyEnrich Terms of Service and becomes binding when the Customer accepts those Terms, including by registering for or using the Services. For a Customer that enters into an order form or other negotiated agreement, this DPA becomes binding when it is incorporated into that agreement or separately executed by both parties. The applicable Terms, order form, negotiated agreement, or other agreement governing Customer's use of the Services is the “Service Agreement”. If Customer enters into the Service Agreement on behalf of an affiliate, Customer represents that it is authorized to bind that affiliate.
This DPA applies only to CompanyEnrich's Processing of Customer Personal Data on behalf of Customer. It does not govern Processing for which CompanyEnrich acts as an independent Controller, as explained in Sections 2 and 14.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Service Agreement.
- “Account Data”
- means Personal Data relating to Customer's account, authorized users, billing contacts, commercial relationship, support communications, and administration of the Services.
- “Applicable Data Protection Law”
- means privacy and data-protection law applicable to the Processing under this DPA, including, where applicable, the GDPR, UK GDPR, Swiss Federal Act on Data Protection, Türkiye's Law No. 6698 on the Protection of Personal Data (KVKK), and applicable United States state privacy laws.
- “CompanyEnrich Data”
- means company, professional, market, funding, hiring, advertising, technology, workforce, and related data that CompanyEnrich obtains, licenses, compiles, verifies, classifies, or generates independently of Customer Content and makes available through the Services.
- “Controller,” “Data Subject,” “Personal Data,” “Process,” “Processed,” and “Processing”
- have the meanings given by Applicable Data Protection Law. “Controller” includes a “business” where that term is used under applicable United States privacy law.
- “Customer Content”
- means information, records, files, identifiers, queries, and other content submitted to the Services by or for Customer.
- “Customer Personal Data”
- means Personal Data contained in Customer Content that CompanyEnrich Processes on behalf of Customer to provide the Services. Customer Personal Data excludes CompanyEnrich Data, Account Data, and Service Data.
- “GDPR”
- means Regulation (EU) 2016/679. “UK GDPR” means the GDPR as incorporated into United Kingdom law.
- “Restricted Data”
- means special-category or sensitive Personal Data, data relating to children, government identification numbers, financial-account credentials, payment-card data, protected health information, biometric identifiers, precise geolocation, or data regulated by sector-specific law, except to the extent the parties expressly agree in writing that the Services may Process it.
- “Security Incident”
- means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. It excludes unsuccessful attempts that do not compromise Customer Personal Data.
- “Service Data”
- means telemetry, usage information, logs, diagnostic information, and similar data generated through operation of the Services and Processed by CompanyEnrich for billing, security, abuse prevention, support, reliability, and improvement, subject to Applicable Data Protection Law.
- “Subprocessor”
- means a third party appointed by CompanyEnrich to Process Customer Personal Data on behalf of Customer.
2. Scope and roles
2.1 Customer Personal Data. Customer is the Controller of Customer Personal Data and CompanyEnrich is its Processor. If Customer acts as a Processor for another Controller, CompanyEnrich acts as Customer's Subprocessor. Each party will comply with obligations applicable to its role.
2.2 Independent Processing. To the extent CompanyEnrich determines the purposes and means of Processing CompanyEnrich Data, Account Data, or Service Data, CompanyEnrich acts as an independent Controller. This DPA does not convert that Processing into Processing on Customer's behalf.
2.3 Factual roles control. The parties acknowledge that their legal roles are determined by the facts and Applicable Data Protection Law, not solely by the labels used in this DPA.
2.4 Processing details. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Schedule 1.
3. Instructions and Customer obligations
3.1 Documented instructions. CompanyEnrich will Process Customer Personal Data only on Customer's documented instructions, unless law applicable to CompanyEnrich requires otherwise. The Service Agreement, Customer's configuration and use of the Services, authorized support requests, and other written instructions consistent with the Service Agreement constitute Customer's documented instructions.
3.2 Additional instructions. If Customer requests Processing outside the scope of the Service Agreement, CompanyEnrich may require the parties to agree on feasibility, fees, safeguards, and amended Processing details before acting.
3.3 Unlawful instructions. CompanyEnrich will inform Customer if, in CompanyEnrich's reasonable opinion, an instruction infringes Applicable Data Protection Law. CompanyEnrich may suspend the affected Processing while the parties resolve the issue.
3.4 Customer responsibilities. Customer is responsible for:
- the lawfulness, fairness, accuracy, and transparency of its collection and use of Customer Personal Data;
- providing required notices and obtaining any required consents or other legal basis;
- ensuring its instructions and use of the Services comply with Applicable Data Protection Law and the Service Agreement;
- responding to Data Subjects and regulators as Controller; and
- not submitting Restricted Data unless expressly authorized in writing.
4. CompanyEnrich obligations
4.1 Compliance. CompanyEnrich will comply with obligations directly applicable to it as a Processor under Applicable Data Protection Law.
4.2 Confidentiality. CompanyEnrich will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations and access Customer Personal Data only as necessary to perform their duties.
4.3 Legal requirements. If CompanyEnrich is required by law to Process Customer Personal Data other than on Customer's instructions, CompanyEnrich will notify Customer before the Processing unless the law prohibits notice.
4.4 No sale or targeted advertising. CompanyEnrich will not sell or share Customer Personal Data or use it for advertising targeted to individuals on CompanyEnrich's own behalf. This restriction does not limit CompanyEnrich's independent Processing of CompanyEnrich Data, Account Data, or Service Data as described in this DPA and the Privacy Policy.
4.5 United States service-provider terms. To the extent an applicable United States privacy law treats CompanyEnrich as Customer's processor, contractor, or service provider, CompanyEnrich will:
- Process Customer Personal Data only for the limited and specified purposes described in the Service Agreement and this DPA;
- provide the level of privacy protection required by that law and notify Customer if CompanyEnrich determines it can no longer meet an applicable obligation;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for a purpose other than the permitted purposes and Customer's documented instructions, except as allowed or required by law;
- not combine Customer Personal Data with Personal Data received from another person or collected from CompanyEnrich's own interaction with an individual, except as permitted by law; and
- allow Customer to take reasonable and appropriate steps to verify that Processing is consistent with Customer's obligations and to stop and remediate unauthorized Processing, subject to Section 11.
CompanyEnrich certifies that it understands and will comply with the restrictions in this Section 4.5.
4.6 Request logging and debugging. CompanyEnrich may retain minimized API and MCP request inputs in operational logs for logging and debugging. CompanyEnrich does not retain API response content in those logs and records only response status or outcome information, such as whether a request succeeded or failed. Logged Customer Personal Data remains Customer Personal Data and will not be used for model training or incorporated into CompanyEnrich Data.
5. Security
5.1 Appropriate measures. Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the risks to individuals, CompanyEnrich will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
5.2 Schedule 2. Schedule 2 describes the categories of security measures applicable to Customer Personal Data. CompanyEnrich may update the measures as technology and risks evolve, provided that an update does not materially reduce the overall protection of Customer Personal Data during the term.
5.3 Customer security. Customer is responsible for securely configuring and using the Services, managing its users and credentials, and protecting Customer Personal Data in Customer-controlled systems.
6. Security Incidents
6.1 Notice. CompanyEnrich will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data.
6.2 Information and contact. To the extent known and available, notice will describe the nature of the Security Incident, affected data and Data Subjects, likely consequences, measures taken or proposed, and a contact for further information. Notice will be sent to Customer's account or designated notice contact and will identify security@companyenrich.com as CompanyEnrich's security contact. CompanyEnrich may provide information in phases as it becomes available.
6.3 Response. CompanyEnrich will take reasonable steps to contain, investigate, mitigate, and remediate the Security Incident and will reasonably assist Customer with legally required notifications.
6.4 No admission. Notice of a Security Incident is not an admission of fault or liability.
7. Data-subject rights
7.1 Customer responsibility. Customer is responsible for responding to requests by Data Subjects relating to Customer Personal Data.
7.2 Requests received by CompanyEnrich. If CompanyEnrich receives a request concerning Customer Personal Data, it will promptly notify Customer and will not respond on Customer's behalf unless instructed by Customer or required by law.
7.3 Assistance. Taking into account the nature of the Processing, CompanyEnrich will provide reasonable assistance through appropriate technical and organizational measures to help Customer respond to requests for access, correction, deletion, restriction, portability, or objection.
8. Subprocessors
8.1 General authorization. Customer generally authorizes CompanyEnrich to engage the providers identified as DPA Subprocessors on the CompanyEnrich Subprocessors page. Providers listed there as outside the DPA are not authorized as Subprocessors solely by appearing on that page.
8.2 Changes. CompanyEnrich will provide Customer with at least thirty (30) days' advance notice by email or other electronic notice before a new or replacement Subprocessor begins Processing Customer Personal Data. If an urgent replacement is reasonably necessary to protect the Services or Customer Personal Data, CompanyEnrich may appoint the replacement sooner and will provide notice as soon as reasonably practicable.
8.3 Objections. Customer may object to a new Subprocessor on reasonable data-protection grounds by contacting legal@companyenrich.com during the thirty-day notice period. The parties will work in good faith to address the objection. If no commercially reasonable solution is available, either party may terminate the affected Services, subject to the Service Agreement.
8.4 Flow-down terms. CompanyEnrich will enter into a written agreement with each Subprocessor imposing data-protection obligations that provide materially equivalent protection for Customer Personal Data. CompanyEnrich remains responsible for each Subprocessor's performance of its data-protection obligations to the extent required by Applicable Data Protection Law.
9. Compliance assistance
Taking into account the nature of the Processing and information available to CompanyEnrich, CompanyEnrich will provide reasonable assistance to Customer with:
- security of Processing;
- assessment and notification of Personal Data breaches;
- data-protection impact assessments; and
- prior consultation with a supervisory authority where legally required.
If assistance requires material work beyond the standard functionality of the Services, the parties may agree on reasonable fees and scope, except to the extent the assistance is required because CompanyEnrich breached this DPA.
10. Return and deletion
10.1 During the term. CompanyEnrich will delete or return Customer Personal Data when instructed by Customer where the Services provide that functionality or where required by Applicable Data Protection Law.
10.2 Standard retention periods. Unless applicable law requires a different period or the parties agree otherwise in writing:
- minimized API and MCP request inputs retained for operational logging and debugging are deleted within ninety (90) days;
- application and security logs are deleted within ninety (90) days;
- API response content is not stored; only status or outcome information, such as success or failure, is retained as part of the applicable logs; and
- support messages containing Customer Personal Data are deleted within ninety (90) days after the support interaction is closed.
10.3 End of Services. Upon termination or expiry of the affected Services, CompanyEnrich will, at Customer's choice, return or delete Customer Personal Data and delete remaining copies, unless applicable law requires continued retention. Customer must request return before deletion begins. When return is requested, CompanyEnrich will provide a manual export through its support process in a commonly used format and by reasonably secure means.
10.4 Backups. Customer Personal Data in backups or archives may remain for up to twelve (12) months before being overwritten in the ordinary backup cycle. During that period, it will remain protected, isolated from ordinary use, and Processed only for recovery, security, or legal compliance.
10.5 Evidence. On reasonable request, CompanyEnrich will confirm completion of deletion required under this Section.
11. Information and audits
11.1 Information. CompanyEnrich will make available information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and equivalent Processor obligations under Applicable Data Protection Law.
11.2 Documentation first. Where possible, Customer will first use current policies, summaries, questionnaires, certifications, or independent assessments made available by CompanyEnrich.
11.3 Audit conditions. If that information is insufficient, Customer may conduct an audit itself or through an independent auditor. Unless required by a regulator, following a Security Incident, or based on a reasonable suspicion of material non-compliance, audits will be limited to once in any twelve-month period, conducted on reasonable advance notice during normal business hours, subject to confidentiality obligations, and designed to avoid unreasonable disruption or exposure of other customers' information.
11.4 Costs. Customer will bear its audit costs and reimburse CompanyEnrich's reasonable costs for an audit, except where an audit identifies CompanyEnrich's material breach of this DPA.
12. International transfers
12.1 Documented instructions. Customer authorizes CompanyEnrich and its Subprocessors to Process Customer Personal Data in the locations identified in the Subprocessor list, subject to this DPA and Applicable Data Protection Law.
12.2 EEA transfers. Where Customer Personal Data protected by the GDPR is transferred to CompanyEnrich in a country that has not been recognized as providing an adequate level of protection, the European Commission Standard Contractual Clauses adopted by Decision (EU) 2021/914 (the “EU SCCs”) are incorporated into this DPA and apply as completed in Schedule 4, unless another valid transfer mechanism applies.
12.3 United Kingdom. For a restricted transfer governed by the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, version B1.0 in force 21 March 2022, as revised in accordance with its terms (the “UK Addendum”), is incorporated into this DPA and completed as described in Schedule 4, unless another valid transfer mechanism applies.
12.4 Switzerland. For a transfer governed by the Swiss Federal Act on Data Protection (the “FADP”) that requires safeguards, the EU SCCs apply with the Swiss adaptations in Schedule 4, unless another valid transfer mechanism applies.
12.5 Türkiye. Where CompanyEnrich transfers Personal Data from Türkiye to a foreign recipient and the KVKK requires an appropriate safeguard, CompanyEnrich will use the applicable unmodified standard contract published by the Turkish Personal Data Protection Board or another lawful mechanism. A required KVKK standard contract is a separate instrument between the relevant transfer parties; this DPA does not modify or replace it. CompanyEnrich will make or allocate the required notification to the Turkish Personal Data Protection Authority within five business days after the standard contract is signed.
12.6 Transfer assessment and supplementary measures. Schedule 5 provides operational information reasonably necessary to support Customer's assessment of a restricted transfer. Each party will document any transfer assessment required of it by Applicable Data Protection Law. CompanyEnrich will provide reasonable cooperation and will implement supplementary measures where required and appropriate.
13. Government and law-enforcement requests
Unless prohibited by law, CompanyEnrich will notify Customer of a legally binding request by a public authority for Customer Personal Data. CompanyEnrich will assess the validity of the request, challenge requests it reasonably considers unlawful or disproportionate where appropriate, and disclose only the minimum Customer Personal Data legally required.
14. Independent-controller processing
14.1 CompanyEnrich Data. CompanyEnrich sources, licenses, compiles, verifies, classifies, and maintains CompanyEnrich Data independently of Customer's instructions. To the extent CompanyEnrich determines the purposes and means of Processing Personal Data within CompanyEnrich Data, CompanyEnrich acts as an independent Controller.
14.2 Customer use of outputs. Customer is responsible for determining a lawful basis, providing required notices, honoring applicable rights, and otherwise complying with law when Customer stores, combines, discloses, or uses Personal Data returned by the Services for Customer's own purposes.
14.3 Account and Service Data. CompanyEnrich may Process Account Data and Service Data as an independent Controller for account administration, billing, support, security, abuse prevention, reliability, legal compliance, and improvement as described in the Privacy Policy.
14.4 No reclassification by contract. Nothing in this Section overrides a role assigned by Applicable Data Protection Law based on the parties' actual activities.
15. Liability
Each party remains responsible for its own compliance with Applicable Data Protection Law. The limitations, exclusions, and allocation of liability in the Service Agreement apply to this DPA to the fullest extent permitted by law, except that nothing limits rights or liabilities that cannot lawfully be limited.
16. Term, precedence, and changes
16.1 Term. This DPA begins when it becomes binding under the “Parties and application” section and continues while CompanyEnrich Processes Customer Personal Data.
16.2 Precedence. If documents conflict regarding protection of Customer Personal Data, the order of precedence is: applicable mandatory transfer clauses, this DPA, and then the Service Agreement.
16.3 Updates. CompanyEnrich may update this DPA to reflect legal or operational changes. CompanyEnrich will provide notice of material changes and will not materially reduce the protection of Customer Personal Data during a current subscription term without Customer's agreement, unless required by law.
17. General
The governing law and dispute-resolution provisions of the Service Agreement apply to this DPA, except where mandatory transfer clauses require otherwise. If any provision is unenforceable, it will be interpreted to best accomplish its purpose and the remainder will continue in effect. Notices under this DPA must be sent to the contacts specified in the Service Agreement; notices to CompanyEnrich may be sent to legal@companyenrich.com.
Schedule 1
Details of Processing
| Subject matter | Processing Customer Personal Data to provide, support, secure, and maintain the Services requested by Customer. |
|---|---|
| Duration | The term of the affected Services plus the period required to return or delete Customer Personal Data under Section 10. |
| Nature of Processing | Receiving, recording, minimizing, logging, organizing, hosting, retrieving, querying, matching, enriching, transmitting, returning, supporting, securing, debugging, and deleting Customer Personal Data. |
| Purposes | Providing enrichment, company and people search, CRM enrichment, reverse lookup, batch processing, API, MCP, support, operational logging, debugging, security, and related functionality initiated or configured by Customer. |
| Frequency | As initiated or configured by Customer through the Services. Minimized request inputs may be retained in operational logs for the applicable retention period. API response content is not retained in those logs; only status or outcome information, such as success or failure, is recorded. |
| Data Subjects | Customer users; Customer's employees, contractors, representatives, prospects, leads, business contacts, candidates, applicants, customers, and other individuals whose Personal Data Customer submits. |
| Personal Data | Names; work or personal email addresses; business telephone or mobile numbers where submitted; job titles, seniority, department, employer, professional-profile URLs, work history, and business location; company names, domains, social URLs, and company identifiers; person identifiers; CRM record identifiers and fields; list names; structured search filters and exclusions; natural-language, semantic-search, and MCP query text; support-message content; and other Personal Data selected and submitted by Customer. |
| Restricted Data | Not intended or permitted unless the parties expressly agree in writing and document additional safeguards. |
| Controller rights and obligations | Customer retains the rights and obligations of Controller, including determining purposes and means, issuing lawful instructions, maintaining a legal basis, providing notices, and responding to Data Subjects. |
Schedule 2
Technical and organizational measures
CompanyEnrich maintains the following technical and organizational measures for systems used to Process Customer Personal Data, as applicable to the nature and risks of the Processing:
- Protection in transit and at rest. TLS/HTTPS is used to protect data in transit, and data stored by CompanyEnrich is encrypted at rest.
- Authentication and access control. Multi-factor authentication is required for production and infrastructure accounts. Production access is limited according to job responsibilities and business need.
- Access lifecycle. Production and infrastructure access is revoked when personnel leave CompanyEnrich or no longer require that access.
- Secrets management. Production credentials, keys, and other secrets are stored outside source code.
- Logging. CompanyEnrich maintains security and application logging to support operation, monitoring, investigation, and incident response.
- Dependency and security updates. CompanyEnrich maintains a process for reviewing and applying relevant dependency and security updates.
- Backup and restoration. Backups are performed, and restoration procedures are tested.
- Development practices. Code changes are reviewed before production deployment.
- Personnel confidentiality. Personnel with access to Customer Personal Data are subject to confidentiality obligations.
- Incident response. CompanyEnrich maintains documented steps for identifying, escalating, containing, investigating, remediating, and communicating Security Incidents. Security alerts are routed to designated responsible personnel for assessment, and executive management coordinates required customer communications.
- Provider access review. CompanyEnrich periodically reviews access granted to relevant service providers.
Schedule 3
Authorized Subprocessors
The current list of providers identified as DPA Subprocessors, their purposes, Processing locations, and relevant transfer information will be maintained at companyenrich.com/subprocessors. This list becomes the authorized Subprocessor list when this DPA becomes effective.
Schedule 4
Restricted-transfer terms
4.1 European Economic Area
Incorporation. The official, unmodified text of the EU SCCs is incorporated by reference and forms part of this DPA when Section 12.2 applies. The selections and information below complete the EU SCCs. If the EU SCCs are replaced, the successor clauses will apply to the extent required by law after CompanyEnrich gives notice under Section 16.3.
Modules and options.
- Module Two applies when Customer is a Controller and CompanyEnrich is a Processor.
- Module Three applies when Customer is a Processor and CompanyEnrich is its Subprocessor.
- The optional docking clause in Clause 7 is included.
- For Clause 9, Option 2—general written authorization—is selected. The notice period for a new or replacement Subprocessor is thirty (30) days, subject to the urgent-replacement provision in Section 8.2.
- The optional independent dispute-resolution language in Clause 11(a) is not included.
- For Clause 17, Option 1 is selected and the EU SCCs are governed by the laws of Ireland.
- For Clause 18(b), the parties select the courts of Ireland.
Annex I.A — List of parties.
| Data exporter | Customer and any Customer affiliate authorized to use the Services and protected by this DPA. The exporter's legal name, address, contact details, and authorized contact are those identified in the Service Agreement, order form, CompanyEnrich account, or DPA execution record. Activities relevant to the transfer are Customer's use of the Services. Customer is a Controller for Module Two or a Processor for Module Three. |
|---|---|
| Data importer | STDİO BİLİŞİM SANAYİ VE TİCARET LİMİTED ŞİRKETİ, Ankara Trade Registry number 506958, MERSİS number 4826851464800001, BAHÇELİEVLER MAH. 91 SK. NO: 1 GÖLBAŞI / ANKARA, Türkiye; legal@companyenrich.com. Activities relevant to the transfer are providing, supporting, securing, and maintaining the Services. CompanyEnrich is a Processor for Module Two or a Processor acting as a Subprocessor for Module Three. |
| Signature and date | The parties' execution of this DPA, or Customer's valid electronic acceptance of the Service Agreement incorporating this DPA, constitutes their signature of Annex I.A on the effective date of the DPA. CompanyEnrich will retain the applicable acceptance or execution record. A party will provide a separate signature where required by applicable law or reasonably requested for evidentiary purposes. |
Annex I.B — Description of transfer.
- Data Subjects, categories of Personal Data, frequency, nature and purpose: as described in Schedule 1. Transfers may occur continuously or as initiated or configured by Customer during the term.
- Sensitive data: Restricted Data is not intended or permitted unless the parties first expressly agree in writing on the relevant data and additional safeguards.
- Retention: for the Service term and the deletion periods described in Section 10 and Schedule 1.
- Subprocessor transfers: the subject matter, nature, and duration are limited to the services and data categories identified for each DPA Subprocessor in Schedule 3 and the linked Subprocessor register.
Annex I.C — Competent supervisory authority. The competent authority is determined under Clause 13 of the EU SCCs. Where Customer is established in the EEA, it is the authority responsible for overseeing Customer's compliance with the GDPR; where the exporter is not established in the EEA but is subject to the GDPR, it is the authority determined under Clause 13(b).
Annex II — Technical and organizational measures. Schedule 2 and Schedule 5 form Annex II to the EU SCCs.
Annex III — Subprocessors. Schedule 3 forms Annex III to the EU SCCs.
4.2 United Kingdom
The mandatory clauses of the UK Addendum are incorporated by reference and form part of this DPA when Section 12.3 applies. Its tables are completed as follows:
- Table 1 — Parties and start date: the parties, addresses, key contacts, and signatures are those in Annex I.A above. The start date is the effective date of this DPA.
- Table 2 — Selected EU SCCs: the version is the EU SCCs adopted by Decision (EU) 2021/914, using Module Two or Module Three and the selections in Section 4.1 above as applicable.
- Table 3 — Appendix information: Annex I.A, Annex I.B, Annex II, and Annex III are completed by Sections 4.1 and Schedules 1–3 and 5 of this DPA.
- Table 4 — Ending the Addendum: both the Importer and the Exporter may end the UK Addendum in accordance with Section 19 of its mandatory clauses.
4.3 Switzerland
For a transfer subject to the FADP, the parties adopt the GDPR protection standard for all transferred Personal Data and apply the following adaptations:
- references to the GDPR are understood to include the FADP to the extent the transfer is governed by the FADP;
- the Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority for the transfer to the extent governed by the FADP, in parallel with any competent EEA authority where the GDPR also applies;
- the law selected for Clause 17 is Irish law and the courts selected for Clause 18(b) are the courts of Ireland; and
- the term “Member State” will not be interpreted to prevent Data Subjects in Switzerland from enforcing their rights in Switzerland, including bringing a claim at their place of habitual residence under Clause 18(c).
4.4 Türkiye
The role-specific standard contracts published by the Turkish Personal Data Protection Board are not incorporated into this DPA because they must be used without modification and executed with each relevant foreign recipient. Where required for a transfer by CompanyEnrich, CompanyEnrich will select the applicable controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller form based on the parties' actual roles, complete and sign the Turkish form, and ensure notification to the Turkish Personal Data Protection Authority within five business days after signature. If a foreign-language version is also executed, the Turkish version prevails.
4.5 Precedence and alternative mechanisms
If a term of this DPA conflicts with the EU SCCs or UK Addendum, the applicable mandatory transfer terms prevail. If a competent authority or court invalidates or restricts a transfer mechanism, the parties will cooperate in good faith to implement a valid replacement. A transfer may instead rely on an applicable adequacy decision or another lawful mechanism; use of that mechanism does not reduce the protections otherwise required by this DPA.
Schedule 5
Transfer information and supplementary measures
This Schedule provides factual information to support an exporter assessment under the EU SCCs, UK Addendum, FADP, or other Applicable Data Protection Law. It is not a legal conclusion about the laws of a destination country, and each exporter remains responsible for any assessment the law requires it to make.
| Importer and access location | CompanyEnrich is established in Türkiye. Authorized CompanyEnrich personnel may access Customer Personal Data from Türkiye when required to operate, secure, debug, or support the Services. |
|---|---|
| Primary hosting | Production compute is hosted by Hetzner in Helsinki, Finland. Production databases, backups, and replicas are hosted in Finland. |
| Network processing | Cloudflare proxies the website, API, MCP service, and selected routes through its global network. API request and response content may be processed in transit together with IP addresses, network metadata, security events, and logs. |
| Support and communications | Gleap receives name, email address, user identifier, and content voluntarily included in a support message. Screenshot capture, session recording, device diagnostics, and console or network logging are not enabled. Google Workspace may receive support or service-related email; its data-region setting is “No preference.” |
| Data minimization and retention | CompanyEnrich may retain minimized API and MCP request inputs for logging and debugging for up to 90 days. API response content is not stored in operational logs; only status or outcome information is recorded. Application and security logs and support messages are retained for up to 90 days under the applicable rule. Customer Personal Data in backups may remain for up to 12 months before being overwritten. |
| Security measures | TLS/HTTPS in transit; encryption at rest; multi-factor authentication for production and infrastructure accounts; access limited by job responsibility; access revocation; secrets stored outside source code; application and security logging; dependency and security updates; backups and tested restoration; pre-production code review; personnel confidentiality obligations; documented incident response; and periodic provider-access review. |
| Government requests | CompanyEnrich will follow Section 13: assess legal validity, challenge requests reasonably considered unlawful or disproportionate where appropriate, notify Customer unless prohibited, and disclose only the minimum data legally required. |
| Onward transfers | Onward recipients, purposes, data categories, locations, and available safeguards are identified in Schedule 3 and the current Subprocessor register. CompanyEnrich contractually requires materially equivalent data-protection obligations from its Subprocessors as described in Section 8.4. |
| Additional services | No separate monitoring, transactional-email, error-tracking, or AI/model service is authorized to receive production Customer Personal Data as of the date shown at the top of this DPA. |
| Assessment support | Customer may request reasonably available information relevant to a transfer assessment by contacting legal@companyenrich.com. Requests remain subject to confidentiality, security, and proportionality limitations. |
Questions about this DPA?
Send legal and operational feedback to legal@companyenrich.com.