Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between you (“Customer,” the controller) and Dragonfly Inc. (“Dragonfly,” the processor) and forms part of, and is subject to, the Dragonfly Terms of Service. Capitalized terms not defined here have the meanings given in the Terms or in GDPR Article 4.

1. Scope and roles

Dragonfly will process personal data only on behalf of Customer and only as necessary to provide the Service. With respect to such data, Customer is the controller and Dragonfly is the processor. Where Dragonfly engages sub-processors, they act as sub-processors and Dragonfly remains responsible for their compliance with this DPA.

2. Subject matter, duration, nature, and purpose

• Subject matter: personal data submitted by Customer to the Service (e.g. contact records, lead signals, message content).
• Duration: for as long as Customer uses the Service, plus any post-termination retention period agreed in the Terms or required by law.
• Nature and purpose: hosting, processing, transmitting, analyzing, and otherwise operating on the data to provide the Service features (outreach, inbound, support, automation) Customer enables.
• Categories of data subjects: Customer's own end users, leads, prospects, customers, and employees, as applicable.
• Categories of personal data: contact details (name, email, phone, address), business and demographic data, communications content, behavioral signals, and any other data Customer chooses to submit.

3. Processing instructions

Dragonfly will process personal data only on documented instructions from Customer, including those set out in the Terms, this DPA, and Customer's ordinary use of the Service. Dragonfly will inform Customer if it believes an instruction violates applicable data protection law.

4. Confidentiality

Dragonfly will ensure that personnel authorized to process personal data are bound by appropriate obligations of confidentiality.

5. Security measures

Dragonfly maintains technical and organizational measures designed to protect personal data, including:

• TLS encryption in transit and encryption at rest for stored data.
• Role-based access controls and the principle of least privilege.
• Audit logging of access to production systems.
• Regular vulnerability scanning and dependency monitoring.
• Background checks and security training for personnel with production access.
• Documented incident response procedures.

A current list of measures is available on request.

6. Sub-processors

Customer authorizes Dragonfly to engage sub-processors to assist in providing the Service. Current sub-processors include our cloud infrastructure provider, Stripe (billing), Resend (email delivery), Cloudflare (CDN, captcha, and DNS), and OpenAI (language model inference). A current list is available on request to privacy@dragonfly.com. Dragonfly will notify Customer of any intended changes to sub-processors at least 30 days in advance via email or in-product notice, giving Customer the opportunity to object on reasonable grounds related to data protection.

7. Data-subject rights

Dragonfly will assist Customer, by appropriate technical and organizational measures and to the extent reasonably possible, in responding to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, restriction, portability, objection). Self-service tooling for most of these is available in the Dragonfly console.

8. Breach notification

Dragonfly will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer's personal data, and will provide information reasonably required for Customer to meet its own notification obligations.

9. Audits

Dragonfly will make available to Customer the information necessary to demonstrate compliance with this DPA. On reasonable written notice (and not more than once in any 12-month period unless required by a supervisory authority), Customer may audit Dragonfly's compliance through a mutually agreed independent third-party auditor, subject to confidentiality and at Customer's expense.

10. International transfers

Personal data may be transferred to and processed in the United States and other jurisdictions where Dragonfly or its sub-processors operate. Where applicable, Dragonfly relies on the Standard Contractual Clauses (Module Two: Controller to Processor) or, where available, an adequacy decision, to lawfully transfer personal data out of the EEA, UK, or Switzerland.

11. Return or deletion

At Customer's choice and on termination of the Service, Dragonfly will delete or return all personal data to Customer and delete existing copies, except to the extent retention is required by law. Backups that are routinely overwritten will be purged on their next cycle.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms.

13. Governing law

This DPA is governed by the law and jurisdiction specified in the Terms.

14. Contact

For data-protection matters, contact privacy@dragonfly.com.