BeReach
NewThe AI Agent runs LinkedIn outreach 24/7.See plans
legal

Data Processing Agreement

Article 28 GDPR terms governing personal data BeReach processes on your behalf

PublishedJune 5, 2026UpdatedJune 5, 2026

Summarize with AI

Ask Claude

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between you ("Customer", "Controller") and [LEGAL ENTITY NAME], a société par actions simplifiée (SAS) organized under the laws of France ("BeReach", "Processor"). It applies whenever BeReach processes personal data on your behalf in the course of providing the Services — in particular the data you collect, store, enrich, score, or message about third parties ("Prospect Data"). It reflects Article 28 of the EU General Data Protection Regulation (GDPR).

In plain terms: for Prospect Data you are the controller and BeReach is your processor. BeReach processes that data only on your documented instructions and only to provide the Services to you. Where there is a conflict, this DPA governs the processing of Prospect Data and the Terms of Service govern everything else.

1. Definitions

Terms such as "controller", "processor", "data subject", "personal data", "processing", "personal data breach", and "supervisory authority" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by BeReach to process Prospect Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of personal data to third countries.

2. Roles and scope

You are the controller of Prospect Data and determine the purposes and means of its processing. BeReach is your processor and processes Prospect Data only to provide the Services and only on your documented instructions, including those given through your configuration and use of the Services. BeReach is not responsible for determining whether your instructions comply with law; if BeReach considers an instruction infringes the GDPR or other data protection law, it will inform you.

3. Your instructions and responsibilities

You are solely responsible for: establishing a valid legal basis for processing Prospect Data (for most B2B prospecting in the EU this is typically legitimate interests, subject to a balancing test); providing the information notices required by Articles 13 and 14 GDPR to data subjects; honoring data subject rights and opt-outs; complying with applicable anti-spam and e-privacy rules; and not processing special category data (Article 9 GDPR) through the Services. You will not instruct BeReach to process Prospect Data in a way that infringes applicable law.

4. Confidentiality

BeReach ensures that persons authorized to process Prospect Data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide the Services.

5. Security

Taking into account the state of the art and the nature of the processing, BeReach implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2. These include encryption in transit, encryption of sensitive data (including connected-account session credentials) at rest, access controls, and monitoring.

6. Sub-processors

You provide a general authorization for BeReach to engage sub-processors to process Prospect Data. The current list of sub-processors is published on our sub-processors page. BeReach imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors' performance. BeReach will give you reasonable prior notice (at least 30 days where practicable) before adding or replacing a sub-processor that processes Prospect Data, and you may object on reasonable data protection grounds; if the parties cannot resolve the objection, you may terminate the affected Services.

7. Assistance with data subject rights

Taking into account the nature of the processing, BeReach will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If a data subject contacts BeReach directly about Prospect Data, BeReach will, where lawful, refer them to you as the controller or promptly forward the request.

8. Personal data breach

BeReach will notify you without undue delay after becoming aware of a personal data breach affecting Prospect Data, and will provide information reasonably available to it to help you meet your notification obligations under Articles 33 and 34 GDPR.

9. Data protection impact assessments

BeReach will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to BeReach.

10. International transfers

Where BeReach or its sub-processors process Prospect Data outside the EEA, UK, or Switzerland in a country without an adequacy decision, the transfer is governed by appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with supplementary measures where needed. You may request information on the safeguards used.

11. Return or deletion

On termination of the Services, and at your choice, BeReach will delete or return Prospect Data and delete existing copies, unless retention is required by applicable law. Deletion of your workspace data follows the retention practices described in our Privacy Policy.

12. Audits

BeReach will make available to you the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and security conditions and, where appropriate, satisfied by up-to-date certifications or reports.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

14. Term and precedence

This DPA takes effect when you accept the Terms of Service and remains in force while BeReach processes Prospect Data on your behalf. In case of conflict regarding the processing of Prospect Data, this DPA prevails over the Terms of Service.

Annex 1 — Details of processing

  • Subject matter: provision of the BeReach Services (outreach and lead generation) to the Customer.
  • Duration: for the term of the Customer's use of the Services, plus any legally required retention.
  • Nature and purpose: searching, collecting, enriching, storing, scoring, scheduling, and sending outreach in relation to the Customer's prospects, at the Customer's initiative and under its control.
  • Types of personal data: business contact and professional profile data such as name, headline, role, employer, public profile URL, public posts and engagement, and the content of messages the Customer configures.
  • Categories of data subjects: the Customer's prospects and business contacts. Special category data must not be processed through the Services.

Annex 2 — Security measures

Encryption of data in transit (TLS); encryption of sensitive data, including connected-account session credentials, at rest; role-based access controls and least-privilege access for authorized personnel; logging and monitoring; secure software development and dependency management; segregation of customer workspaces; and prompt revocation and deletion of connected-account credentials on disconnection.

Annex 3 — Sub-processors

The current list of sub-processors, with their purpose and location, is maintained on our sub-processors page.

To request a countersigned copy of this DPA, or for any question about it, contact us via the details in our Privacy Policy.