Graphly Data Processing Addendum
Last Updated: June 2026
Controller to Processor
This Graphly Data Processing Addendum (the “Addendum”) is entered into by and between Marketing Mavens, LLC d/b/a Graphly (“Graphly”) and you, the customer or client agreeing to this Addendum (the “Client”) (each, a “Party” and collectively, the “Parties”).
If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to Graphly that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this Addendum.
This Addendum is effective as of the date on which you agree to it, execute it, or otherwise accept it in connection with your use of Graphly’s services (the “Addendum Date”).
WHEREAS, the Parties have entered into an agreement for the provision of services by Graphly to Client (the “Service Agreement”);
WHEREAS, the Parties wish to ensure that Personal Data transferred between the Parties is Processed in compliance with applicable data protection laws; and
WHEREAS, the Parties agree that in the event of any conflict between the Service Agreement and this Addendum, the provisions of this Addendum shall control with respect to the Processing of Client Personal Data.
NOW, THEREFORE, in consideration of the mutual agreements set forth herein, the Parties agree as follows:
1. Definitions
The definitions used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meanings given to them in the Service Agreement.
For purposes of this Addendum:
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Client Personal Data, including, where applicable, the GDPR, UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), and any other applicable privacy or data protection laws.
“Client” means the party that has entered into the Service Agreement with Graphly, including any affiliates of that party that are bound by the Service Agreement.
“Client Personal Data” means any Personal Data Processed by Graphly or a Subprocessor on behalf of Client in connection with the Service Agreement.
“Contracted Processor” means Graphly, a Subprocessor, or both collectively.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.
“Restricted Transfer” means any transfer of Client Personal Data that would be prohibited under Applicable Data Protection Laws without use of an approved transfer mechanism.
“Services” means the Graphly services provided under the Service Agreement.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of June 4, 2021, as amended, replaced, or superseded from time to time.
“Subprocessor” means any third party appointed by or on behalf of Graphly to Process Client Personal Data on behalf of Client in connection with the Services, excluding employees of Graphly.
The terms “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” “Supervisory Authority,” and “Third Country” shall have the meanings given to them under the GDPR or other Applicable Data Protection Laws.
2. Applicability
This Addendum applies to the Processing of Client Personal Data by Graphly on behalf of Client in connection with the Services, to the extent such Processing is subject to Applicable Data Protection Laws.
This Addendum forms part of and supplements the Service Agreement. Except as expressly modified by this Addendum, all terms of the Service Agreement remain in full force and effect.
The terms of this Addendum shall take effect on the Addendum Date and shall continue for the duration of the Service Agreement unless otherwise terminated in accordance with its terms.
This Addendum supersedes and replaces any prior data processing addendum between the Parties relating to the Processing of Client Personal Data.
3. Processing of Client Personal Data
The Parties acknowledge and agree that, with respect to Client Personal Data, Client acts as Controller and Graphly acts as Processor, unless otherwise required by Applicable Data Protection Laws.
Graphly shall:
- Process Client Personal Data only on documented instructions from Client, including with regard to transfers of Client Personal Data to a Third Country or international organization, unless required to do so by applicable law;
- Inform Client if, in Graphly’s reasonable opinion, an instruction infringes Applicable Data Protection Laws;
- Ensure that persons authorized to Process Client Personal Data are subject to appropriate confidentiality obligations;
- Implement appropriate technical and organizational measures designed to protect Client Personal Data;
- Assist Client, taking into account the nature of Processing and information available to Graphly, in fulfilling Client’s obligations under Applicable Data Protection Laws;
- Delete or return Client Personal Data as described in this Addendum; and
- Make available information reasonably necessary to demonstrate compliance with this Addendum.
Client instructs Graphly to Process Client Personal Data as reasonably necessary to provide the Services, comply with the Service Agreement, support the operation and security of the Services, and comply with applicable law.
4. Client Responsibilities
Client is responsible for:
- Ensuring it has a lawful basis for the Processing of Client Personal Data;
- Providing all required notices to Data Subjects;
- Obtaining all necessary rights, permissions, and consents where required;
- Ensuring its Processing instructions comply with Applicable Data Protection Laws;
- Maintaining accurate information regarding the categories of Personal Data and Data Subjects involved in the Services; and
- Responding to Data Subject requests except to the extent Graphly is required to assist under this Addendum.
5. Graphly Personnel
Graphly shall take reasonable steps to ensure that employees, agents, contractors, and other personnel who may access Client Personal Data are subject to appropriate confidentiality obligations and access Client Personal Data only as necessary to provide the Services or comply with applicable law.
6. Security of Processing
Taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, Graphly shall implement and maintain appropriate technical and organizational measures designed to protect Client Personal Data.
Such measures may include, as applicable:
- Access controls
- Secure authentication mechanisms
- Encryption of data in transit
- Backup and recovery procedures
- Infrastructure monitoring
- Vendor risk management
- Security review and maintenance processes
- Incident response procedures
Additional information regarding Graphly’s security measures is available in Graphly’s Data Security Statement:
7. Subprocessing
Client authorizes Graphly to appoint Subprocessors to assist in providing the Services.
Graphly maintains a current list of Subprocessors at: https://graphly.io/legal/subprocessors
Graphly shall provide notice of material changes to its Subprocessors by updating the Subprocessor list or otherwise making such information available to Client.
Client may object to a new Subprocessor on reasonable data protection grounds by providing written notice to Graphly within thirty (30) days after Graphly makes notice of the new Subprocessor available.
If Client reasonably objects to a new Subprocessor, Graphly will use commercially reasonable efforts to resolve the objection. If the Parties cannot reasonably resolve the objection, Client may terminate the affected Services to the extent required by Applicable Data Protection Laws.
Graphly shall ensure that each Subprocessor is bound by a written agreement requiring data protection obligations that are substantially similar to those imposed on Graphly under this Addendum.
Graphly remains responsible for the performance of its Subprocessors’ obligations to the extent required by Applicable Data Protection Laws.
8. Data Subject Rights
Taking into account the nature of the Processing, Graphly shall assist Client by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling Client’s obligations to respond to Data Subject requests under Applicable Data Protection Laws.
If Graphly receives a request directly from a Data Subject relating to Client Personal Data, Graphly shall, where legally permitted, either:
- Notify Client of the request; or
- Direct the Data Subject to contact Client.
Graphly shall not respond substantively to such requests except on documented instructions from Client or as required by applicable law.
9. Personal Data Breach
Graphly shall notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data.
Such notice shall include, to the extent known and reasonably available:
- The nature of the Personal Data Breach;
- The categories and approximate number of affected Data Subjects, where known;
- The categories and approximate number of affected records, where known;
- The likely consequences of the Personal Data Breach, where known; and
- Measures taken or proposed to address the Personal Data Breach.
Graphly shall take commercially reasonable steps to assist Client in investigating, mitigating, and remediating such Personal Data Breach.
Graphly’s notification of or response to a Personal Data Breach shall not be construed as an admission of fault or liability.
10. Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of the Processing and information available to Graphly, Graphly shall provide reasonable assistance to Client with data protection impact assessments and prior consultations with Supervisory Authorities where required by Applicable Data Protection Laws and where such assistance relates to Graphly’s Processing of Client Personal Data.
Graphly may satisfy such requests by providing relevant documentation, security information, audit reports, or other materials reasonably demonstrating Graphly’s compliance.
11. Deletion or Return of Client Personal Data
Upon termination or expiration of the Services, Graphly shall, at Client’s choice and to the extent technically feasible, delete or return Client Personal Data, unless applicable law requires or permits retention.
Graphly may retain Client Personal Data as necessary to comply with legal obligations, resolve disputes, enforce agreements, maintain backups, or as otherwise permitted by applicable law, provided such data remains protected in accordance with this Addendum.
12. Audit Rights
Graphly shall make available information reasonably necessary to demonstrate compliance with this Addendum.
Graphly may satisfy audit requests by providing security reports, certifications, penetration testing summaries, data protection documentation, or other materials reasonably demonstrating compliance.
If Client reasonably determines that additional information is required, Graphly shall cooperate with Client’s reasonable requests, provided that any audit or inspection:
- Is subject to reasonable advance written notice;
- Occurs during normal business hours;
- Does not unreasonably interfere with Graphly’s business operations;
- Does not require Graphly to disclose confidential information of other customers or third parties;
- Is conducted no more than once annually unless required by Applicable Data Protection Laws or following a confirmed Personal Data Breach; and
- Is subject to appropriate confidentiality obligations.
Client shall reimburse Graphly for reasonable costs incurred in connection with audits or assistance requested under this Section.
13. Restricted Transfers
Client authorizes Graphly to transfer Client Personal Data to the United States and other jurisdictions as reasonably necessary to provide the Services, subject to appropriate safeguards required by Applicable Data Protection Laws.
Where a transfer of Client Personal Data is a Restricted Transfer, the Parties agree that such transfer shall be governed by one or more of the following lawful transfer mechanisms, as applicable:
- Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914;
- The UK International Data Transfer Addendum or other applicable UK transfer mechanism;
- Swiss transfer requirements, including applicable adaptations to the SCCs where required;
- Adequacy decisions recognized under Applicable Data Protection Laws; or
- Any other lawful transfer mechanism permitted by Applicable Data Protection Laws.
Where the SCCs apply, the Parties agree that the applicable module shall be Module Two: Controller to Processor, unless another module is required by the circumstances.
For purposes of the SCCs:
- Client is the data exporter.
- Graphly is the data importer.
- The details of Processing are set forth in Exhibit A.
- The technical and organizational measures are described in Graphly’s Data Security Statement.
- The list of Subprocessors is maintained at https://graphly.io/legal/subprocessors.
In the event of a conflict between this Addendum and the SCCs, the SCCs shall control with respect to the Restricted Transfer.
14. Artificial Intelligence and Machine Learning
Graphly shall not use Client Personal Data to train publicly available artificial intelligence or machine learning models without Client’s prior written authorization.
Graphly may use aggregated, anonymized, or de-identified data that does not identify Client, Client’s customers, or any individual Data Subject for analytics, security, service improvement, and operational purposes, provided such use is permitted under the Service Agreement and Applicable Data Protection Laws.
15. General Terms
All provisions of the Service Agreement not expressly amended or supplemented by this Addendum remain in full force and effect.
Graphly may update this Addendum to reflect changes in applicable law, regulatory guidance, security practices, or service offerings, provided such updates do not materially reduce Client’s rights or Graphly’s obligations with respect to Client Personal Data.
If any provision of this Addendum is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.
If Graphly determines that it can no longer meet its obligations under this Addendum, Graphly shall promptly notify Client and take reasonable and appropriate steps to remediate.
Exhibit A: Details of Processing
Subject Matter of Processing
The subject matter of Processing is the provision of the Services by Graphly to Client under the Service Agreement.
Duration of Processing
The duration of Processing is the term of the Service Agreement, unless otherwise required or permitted by applicable law.
Nature and Purpose of Processing
Graphly Processes Client Personal Data for the purpose of providing, maintaining, supporting, securing, and improving the Services.
Processing activities may include collection, storage, retrieval, organization, transmission, analysis, aggregation, deletion, and other operations necessary to provide the Services.
Categories of Data Subjects
Categories of Data Subjects may include, depending on Client’s use of the Services:
- Client’s customers
- Client’s leads or prospects
- Client’s employees, contractors, or users
- Individuals whose data is stored in systems connected to Graphly
- Other individuals whose Personal Data is submitted to or accessed through the Services
Categories of Personal Data
Categories of Personal Data may include, depending on Client’s use of the Services:
- Names
- Email addresses
- Phone numbers
- Company names
- Contact information
- CRM records
- Appointment or activity data
- Transactional or account-related data
- Marketing and sales activity data
- Custom fields or other data submitted by Client through connected systems
Sensitive Data
Graphly does not intentionally require Processing of special categories of Personal Data. Client is responsible for ensuring that it does not submit special categories of Personal Data unless permitted under the Service Agreement and Applicable Data Protection Laws.
Obligations and Rights of Client
The obligations and rights of Client are set forth in the Service Agreement and this Addendum.
Exhibit B: Subprocessors
Graphly maintains a current list of Subprocessors at: https://graphly.io/legal/subprocessors
Exhibit C: Standard Contractual Clauses
Where required for Restricted Transfers, the Parties agree that the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 are incorporated into this Addendum by reference.
The applicable module shall be Module Two: Controller to Processor, unless another module is required by the circumstances.
For purposes of the SCCs:
- Client shall be deemed the data exporter.
- Graphly shall be deemed the data importer.
- Exhibit A of this Addendum shall describe the relevant transfer details.
- Graphly’s Data Security Statement shall describe the applicable technical and organizational measures.
- Graphly’s Subprocessor page shall identify authorized subprocessors.
If required by UK data protection law, the Parties agree that the applicable UK International Data Transfer Addendum or other approved UK transfer mechanism shall apply.
If required by Swiss data protection law, the SCCs shall be interpreted and supplemented as necessary to comply with the Swiss Federal Act on Data Protection.