Trust & transparency

CompanyEnrich Trust Center

Review the controls, infrastructure, privacy practices, and legal documents behind CompanyEnrich.

How we operate

How CompanyEnrich handles data

Concrete boundaries and controls for independently sourced business data and Customer Personal Data.

Data scope & sources

CompanyEnrich focuses on company and professional information for business workflows and publishes the source categories used to build those records.

Explore our data

Customer data boundaries

Minimized API and MCP request inputs may be logged for operations. Response content is not retained in those logs, and logged Customer Personal Data is not used for model training.

Review processing terms

Security & retention

Controls include encryption, MFA, job-based access, code review, tested restoration, incident response, and defined deletion periods for logs and backups.

See security measures

Assurance status: we publish confirmed controls and do not claim security certifications that have not been independently obtained.

View documented controls
Trust questions

Privacy, data & security FAQs

Plain answers for customers, security and legal teams, and individuals.

Is CompanyEnrich a controller or a processor?

It depends on the data and the activity. For Customer Personal Data submitted to the Services, the Customer is the controller and CompanyEnrich is the processor—or a subprocessor if the Customer is itself a processor.

CompanyEnrich acts as an independent controller for data it independently sources, licenses, compiles, verifies, classifies, or generates, and for account and service data where it determines the purposes and means of processing. The distinction is explained in Section 2 of the DPA.

What types of personal data does CompanyEnrich process?

Depending on how you interact with CompanyEnrich, this may include professional and business information returned by the Services; Customer Content and API queries; account, billing, and support information; and website, device, and cookie data. See Our Data, the Privacy Policy, and the Cookies Policy for the relevant details.

Where does CompanyEnrich's company and professional data come from?

CompanyEnrich uses source categories such as public and official registries, company websites, public filings and disclosures, public web and maps data, market and technology sources, professional profile networks, and licensed providers. Records then pass through collection, normalization, deduplication, validation, enrichment, and refresh steps described on Our Data.

Does CompanyEnrich reuse data a Customer submits?

The DPA states that Customer Personal Data is processed only on documented instructions to provide the Services. Minimized API and MCP request inputs may be retained in operational logs for logging and debugging; response content is not retained in those logs, and only success or failure information is recorded. Logged Customer Personal Data is not used for model training or incorporated into CompanyEnrich's independent dataset.

CompanyEnrich will not sell or share Customer Personal Data or use it for advertising targeted to individuals on CompanyEnrich's own behalf.

This does not cover CompanyEnrich Data that CompanyEnrich independently sources, licenses, compiles, verifies, classifies, or generates. See Sections 3–4 of the DPA.

Is a Data Processing Addendum available?

Yes. The CompanyEnrich DPA covers processing instructions, confidentiality, security, data-subject rights, subprocessors, deletion, audits, and international transfers. It is automatically incorporated into the CompanyEnrich Terms for self-service customers and becomes binding when those Terms are accepted. An enterprise customer may instead incorporate it into an order form or execute it separately.

Which subprocessors and service providers does CompanyEnrich use?

The current Subprocessors & Providers Register lists providers such as Hetzner for core hosting, Cloudflare for network delivery and security, Clerk for authentication, Paddle for billing, Google services, LinkedIn, Microsoft Clarity, and UserMotion for analytics and advertising, and Gleap for support. The effective register separates providers that may process Customer Personal Data under the DPA from providers used for account administration, billing, website and product analytics, and advertising.

How are international data transfers handled?

Where a restricted transfer applies, the DPA incorporates the European Commission's Standard Contractual Clauses with completed Module 2 and Module 3 selections, the UK International Data Transfer Addendum, and the adaptations recognized for Swiss transfers. It also provides factual transfer-assessment information covering locations, access, retention, security, and onward processing. For transfers from Türkiye, the DPA requires CompanyEnrich to use the applicable KVKK transfer mechanism. Processing locations are listed in the current provider register.

What security measures does the DPA cover?

Confirmed measures include TLS/HTTPS for data in transit, encryption at rest, multi-factor authentication for production and infrastructure accounts, job-based access, secrets management, security and application logging, dependency and security updates, tested restoration procedures, code review, personnel confidentiality obligations, documented incident-response steps, and periodic provider-access review. These are described in Schedule 2. CompanyEnrich does not claim a security certification on this Trust Center unless and until that certification has been independently obtained and can be verified.

What happens if there is a security incident?

Under the DPA, CompanyEnrich will notify the Customer without undue delay after becoming aware of a confirmed security incident affecting Customer Personal Data. Available information may be provided in phases, and CompanyEnrich will take reasonable steps to contain, investigate, mitigate, and remediate the incident and assist with legally required notifications. See Section 6.

Can customers review or audit CompanyEnrich's processing?

The DPA uses a documentation-first process. If the information provided is insufficient, a Customer may conduct a proportionate audit under the confidentiality, notice, frequency, and non-disruption conditions in Section 11, with appropriate exceptions for regulators, security incidents, or a reasonable suspicion of material non-compliance.

How is Customer Personal Data returned or deleted?

Cancelling a paid subscription does not automatically close the CompanyEnrich Account. Account Data is retained while the Account remains open so the customer may use available unpaid functionality or reactivate. When an Account is closed, ordinary Account Data is deleted or anonymized within 90 days, subject to limited legal, tax, fraud-prevention, security, and dispute-retention exceptions.

The DPA provides for minimized API and MCP request inputs, application and security logs, and support messages to be deleted within 90 days under the applicable rule. API response content is not stored. Before deletion begins, a customer may request return of its Customer Personal Data through a manual support export. Customer Personal Data in backups may remain for up to 12 months before being overwritten, while remaining protected and isolated from ordinary use. See Section 10.

How can an individual access, correct, delete, or opt out?

Use the privacy request page to request access or deletion, or to opt out of the sale or sharing of personal information where applicable. You can also email legal@companyenrich.com. We may need to verify the request, and available rights depend on the applicable law.

The Services are not intended for special-category or sensitive data, children's data, government identification numbers, financial-account credentials, payment-card data, protected health information, biometric identifiers, or precise geolocation unless CompanyEnrich expressly agrees otherwise in writing.

Have a trust or privacy question?

Contact our team if you need clarification about our policies, data practices, or a privacy request.

legal@companyenrich.com