Data Processing Agreement
Effective: May 2026 — Last updated: 1 May 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "Customer") and Diego Simili, sole proprietor (P.IVA 04093101204), operating the Connecto service ("Processor"), with registered contact at info@connectodigital.com, and supplements the Terms of Service.
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller to provide the Connecto platform, including LinkedIn outreach automation, AI message generation, and campaign analytics.
3. Categories of Data Subjects
- Customer employees/representatives (account holders)
- LinkedIn users targeted by Customer campaigns ("Leads")
4. Types of Personal Data
- Account data: name, email, LinkedIn profile URL, CV text
- Lead data: name, headline, company, LinkedIn URL, location (publicly available on LinkedIn)
- Usage data: campaign configuration, message templates, analytics
5. Processing Duration
Processing continues for the duration of the Service Agreement. Upon termination, personal data is deleted within 30 days, except where retention is required by law.
6. Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service, at the Controller's choice, and delete existing copies unless retention is required by law
- Make available all information necessary to demonstrate compliance
7. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare | CDN, DNS, WAF, DDoS protection | USA (5 EU offices) | SCCs (Art. 46 GDPR) |
| Google OAuth | "Sign in with Google" authentication | Ireland (Google Ireland Ltd) | Within EU |
| Inngest | Background jobs & queue | San Francisco, USA | SCCs (Art. 46 GDPR) |
| iubenda | Cookie consent, privacy policy hosting | EU (Italy) | Within EU |
| OpenAI | AI message generation (GPT-4o-mini) | USA | SCCs (Art. 46 GDPR) |
| PostHog | Product analytics (consent-gated) | EU Cloud (eu.posthog.com) | Within EU (the iubenda privacy policy preset still lists USA; that entry is outdated) |
| Resend | Transactional email | USA | EU-US Data Privacy Framework + SCCs |
| Sentry | Error tracking | USA | SCCs (Art. 46 GDPR) |
| Stripe | Payments (Checkout, Portal, Connect) | USA | PCI DSS + SCCs (Art. 46 GDPR) |
| Supabase Auth | User authentication | EU Frankfurt | Within EU (the iubenda privacy policy preset still lists Singapore; that entry is outdated) |
| Supabase Database | PostgreSQL, RLS, Storage | EU Frankfurt (eu-central-1) | Within EU |
| Unipile | LinkedIn API (hosted auth, search, messaging) | Riorges, France (Scaleway DCs) | Within EU + SOC 2 Type II |
| Vercel | Hosting & serverless functions | Frankfurt (fra1), Germany | Within EU; SCCs (Art. 46 GDPR) cover the global CDN edge |
8. International Transfers
Where personal data is transferred outside the EEA, the Processor ensures adequate safeguards are in place: an adequacy decision where one applies (for example the EU-US Data Privacy Framework for certified sub-processors), and otherwise the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914.
9. Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables
- Role-based access control
- Regular security audits and penetration testing
- Automated backup and disaster recovery
- LinkedIn credentials are never stored by the Processor; LinkedIn authentication is delegated to Unipile's hosted auth
10. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach, providing the information listed in Art. 33(3) GDPR (the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed). Where not all of this information is available at once, it is provided in phases without further undue delay, so that the Controller can meet its own notification obligations under Art. 33 and Art. 34 GDPR.
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations.
12. Contact
For DPA-related inquiries: info@connectodigital.com