
Data Processing Agreement

Last updated: 11 June 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between Leadva (the "Processor") and the Client (the "Controller") under which Leadva processes personal data on behalf of the Client.

This DPA is designed to comply with Article 28 of the EU General Data Protection Regulation (GDPR) and the Mauritius Data Protection Act 2017.

1. Definitions

  • Controller: the Client, who determines the purposes and means of processing personal data.
  • Processor: Leadva, who processes personal data on behalf of the Controller.
  • Personal Data: any information relating to an identified or identifiable natural person, as defined in the GDPR.
  • Sub-processor: any third party engaged by Leadva to process personal data on the Controller's behalf.

2. Scope of Processing

A. Subject matter

Lead and patient communication automation.

B. Duration

For the duration of the service agreement.

C. Nature and purpose

  • Sending automated follow-up messages to leads.
  • Sending reactivation campaigns to dormant patients.
  • Sending review request messages to recent patients.
  • Logging communication status in the Client's CRM.

D. Types of personal data

  • Name, email address, phone number
  • Lead/patient enquiry details
  • Appointment dates and treatment types
  • Communication history (sent messages, replies)

E. Categories of data subjects

The Client's prospective and existing patients.

3. Processor Obligations

Leadva shall:

  1. Process personal data only on documented instructions from the Controller, unless required by law.
  2. Ensure that personnel authorised to process the personal data have committed to confidentiality.
  3. Implement appropriate technical and organisational security measures (see Section 6).
  4. Assist the Controller in responding to data subject requests.
  5. Notify the Controller without undue delay (and in any case within 72 hours) upon becoming aware of a personal data breach.
  6. Make available to the Controller all information necessary to demonstrate compliance with this DPA.
  7. Upon termination, delete or return all personal data, unless retention is required by law.

4. Sub-processors

The Controller hereby grants general authorisation for the use of the following sub-processors:

  • Hetzner Online GmbH (Germany) — server hosting
  • Anthropic, PBC (USA) — AI message generation
  • n8n GmbH (Germany) — workflow orchestration
  • Cal.com, Inc. (USA) — booking widget
  • Airtable, Inc. (USA) — CRM (per client setup)
  • Namecheap, Inc. (USA) — email infrastructure

Leadva will notify the Controller of any intended changes to this list at least 30 days in advance. The Controller may object to such changes in writing; if Leadva cannot accommodate the objection, the Controller may terminate the service agreement with a prorated refund of unused prepaid amounts.

5. International Transfers

Where personal data of EU residents is transferred outside the European Economic Area (e.g. to sub-processors in the USA), such transfers shall be governed by the EU Standard Contractual Clauses (SCCs) or other appropriate safeguards under Article 46 GDPR.

6. Security Measures

Leadva implements:

  • Encryption in transit (TLS 1.2 or higher).
  • Encryption at rest on all storage.
  • Access controls, least-privilege principles, and individual user accounts for personnel.
  • Regular backups and tested recovery procedures.
  • Security patching of underlying server infrastructure.
  • Audit logging of administrative actions.
  • Physical security via tier-3+ data centres (Hetzner).

7. Data Subject Rights

Leadva shall provide reasonable assistance to enable the Controller to respond to requests from data subjects exercising their rights under GDPR, including access, rectification, erasure, restriction, portability, and objection.

8. Audit

The Controller may, no more than once per 12-month period and at its own cost, request an audit of Leadva's processing activities. Such audit must be agreed in advance and conducted in a manner that does not unreasonably disrupt Leadva's operations.

9. Liability

Each party shall be liable for any damages arising out of its breach of this DPA, subject to the limitations of liability set out in the overarching service agreement.

10. Termination

This DPA terminates automatically when the underlying service agreement ends. Upon termination, Leadva will, at the Controller's choice, return or delete all personal data within 30 days, except where retention is required by law.

11. Governing Law

This DPA is governed by the laws of the Republic of Mauritius.

Execution

This Data Processing Agreement is executed in writing between Leadva and each client at the start of the service engagement. A signed copy is provided to every client during onboarding.

To request a copy of this DPA for review before signing up, please contact:

Email: anton@leadva.io

Phone: +230 58522886
