This Data Processing Agreement (the "DPA") covers two distinct personal-data scenarios under Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR and the Data Protection Act 2018.
Part A: Ooklo acts as a processor of the Customer (controller) for the contacts that the Customer uploads or syncs into the platform and uses for its own campaigns (email, SMS, social, WhatsApp, Google Business Profile).
Part B: Ooklo acts as a controller (and, where applicable, joint controller with the database producers) for the prospect database made available through the Ooklo Marketplace. When the Customer subscribes to the Marketplace, the Customer in turn acts as an independent controller for the messages it sends to those contacts.
Capitalised terms not defined here have the meaning given by the GDPR or by the Ooklo Terms of Service.
Article 1 · Definitions
For the purposes of this DPA:
- "Customer" means the legal or natural person subscribing to Ooklo or using the Marketplace.
- "Ooklo" means VICMEDIA LTD, 126 Aldersgate Street, London EC1A 4JQ, United Kingdom, trading as "Ooklo".
- "Customer Data" means the Personal Data uploaded, imported or synced by the Customer into the platform (contacts, prospects, employees and the like).
- "Marketplace Data" means the B2B or B2C contacts made available to the Customer through the Ooklo Marketplace, sourced from databases produced by several independent qualified publishers.
- "Sub-processor" means any third party engaged by Ooklo to process data on behalf of the Customer.
- "Data Subjects" means the natural persons whose Personal Data is processed under this DPA.
The terms "Controller", "Processor", "Personal Data", "Processing", "Personal Data Breach", "Recipient" and "Data Subject" have the meaning given by Article 4 of the GDPR.
Article 2 · Subject matter and duration
This DPA sets out the conditions under which Ooklo processes Customer Data on behalf of the Customer and the conditions under which Ooklo makes the Marketplace Data available.
The DPA takes effect on the earliest of: (i) acceptance of the Ooklo Terms of Service, (ii) the first upload of a contact list into the platform, (iii) the first Marketplace order. It applies for the duration of the contractual relationship, plus the legal retention periods set out in Article 9.
Article 3 · Part A — Ooklo as processor of the Customer
For Customer Data, the Customer is sole Controller. Ooklo acts as Processor within the meaning of Article 28 GDPR and processes Personal Data only on the documented instructions of the Customer. The Customer's instructions result from (a) the configuration of its Ooklo account, (b) the use of the platform features and (c) where applicable, specific written instructions sent to dpo@ooklo.com.
3.1 Nature and purpose of the Processing
Ooklo processes Customer Data for the following purposes:
- Secure hosting and storage of the Customer's contact lists.
- Delivery of the marketing campaigns created by the Customer: email, SMS, social posts, Google Business Profile, WhatsApp, Hub modules.
- Deliverability measurement, performance reporting and dashboard analytics.
- Automatic handling of unsubscribes and complaints (suppression list shared at the Customer-account scope).
- Technical support upon request of the Customer, with audit logging.
3.2 Categories of Data Subjects
- Customers and prospects of the Customer.
- Members, subscribers and programme participants of the Customer.
- Employees of the Customer (only if uploaded by the Customer).
- Review authors and inbound contacts via connected channels.
3.3 Categories of Personal Data
- Identifiers: name, first name, salutation, internal ID.
- Contact details: email, fixed and mobile phone, postal address.
- Transactional data: purchase history, average basket, visit frequency (where provided by the Customer).
- Behavioural data: opens, clicks, conversions tied to Ooklo campaigns.
- Consent data: opt-in / opt-out status, consent date and source.
- Technical data tied to sends: IP address, user agent, delivery status.
Ooklo does not process, except on the Customer's express written instruction, any special categories of data within the meaning of Articles 9 and 10 GDPR.
3.4 Duration of the Processing
The Processing runs for the duration of the Customer's subscription, plus a 30-day grace period after account closure during which the Customer may reactivate the account or export its Data. After that period, Customer Data is deleted in accordance with Article 9.
Article 4 · Ooklo's obligations as Processor
Ooklo undertakes, in accordance with Article 28.3 GDPR, to:
- Process Customer Data only on the documented instructions of the Customer, including for transfers outside the EU. No transfer outside the EU/EEA takes place as at the date of this DPA.
- Ensure that the persons authorised to process Customer Data are subject to an appropriate duty of confidentiality, whether contractual or statutory.
- Implement the technical and organisational measures described in Annex 2.
- Comply with the conditions for engaging Sub-processors set out in Article 5 and Annex 1.
- Assist the Customer, by appropriate technical and organisational measures, in responding to Data Subject requests (access, rectification, erasure, objection, restriction, portability, withdrawal of consent).
- Assist the Customer in complying with its obligations under Articles 32 to 36 GDPR (security, breach notification, impact assessments, prior consultation).
- At the end of the service, delete or return all Customer Data at the Customer's option, save for legal retention obligations.
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow audits in accordance with Article 10.
- Immediately inform the Customer if, in its opinion, an instruction breaches the GDPR or any other applicable rule.
Article 5 · Sub-processors
The Customer gives Ooklo a general authorisation to engage the Sub-processors listed in Annex 1 to deliver the service. All current Sub-processors are located within the European Union or the EEA.
Ooklo enters into a written agreement with every Sub-processor imposing data-protection obligations equivalent to those of this DPA, in particular the security requirements of Article 32 GDPR.
Where Sub-processors change (addition or replacement), Ooklo notifies the Customer at least thirty (30) days in advance by email to the account contact address or by publication on the /dpa page. The Customer has a right to object on reasonable grounds within that period. If the objection is legitimate, the Parties will look in good faith for an alternative solution; failing that, the Customer may terminate the affected service without penalty.
Article 6 · Security
Ooklo implements the technical and organisational measures described in Annex 2 to ensure a level of security appropriate to the risk, in particular:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
- Multi-factor authentication for all administrative accounts.
- Role-based access controls and least-privilege principle.
- Logging and monitoring of sensitive accesses.
- Encrypted backups, restored and tested regularly.
- Annual penetration tests and vulnerability reviews.
Article 7 · Personal Data Breach
If a Personal Data Breach affects Customer Data, Ooklo notifies the Customer without undue delay and at the latest within seventy-two (72) hours of becoming aware. The notification will describe:
- The nature of the Breach, the categories and approximate volume of Data Subjects and Data records affected.
- The likely consequences.
- The measures taken or proposed to address the Breach and mitigate its effects.
- Ooklo's point of contact.
Ooklo assists the Customer in notifying the competent supervisory authority and, where required, the Data Subjects.
Article 8 · Data Subject rights
Where a Data Subject sends Ooklo a request to exercise their rights (access, rectification, erasure, objection, restriction, portability), Ooklo forwards the request to the Customer within five (5) business days and, unless instructed otherwise by the Customer, does not respond directly.
Ooklo provides the Customer with export and deletion features within the platform so that the Customer can respond to Data Subjects within the one-month deadline set by the GDPR.
Article 9 · Retention, return and deletion
Retention periods are as follows:
- Active account: for the duration of the subscription.
- Post-closure grace period: 30 days during which the Customer may reactivate or export its Data.
- Customer Data after the grace period: deleted from active systems; encrypted backups are purged within 60 days at most.
- Data subject to legal retention (billing, accounting, anti-fraud): archived for the period required by the applicable law, then deleted.
- Marketplace Data consumed by the Customer: see Article 12.
Article 10 · Audit
The Customer may, at its own expense, audit Ooklo's compliance with this DPA, at most once every twelve (12) months and on reasonable notice of at least thirty (30) days. The audit is conducted by the Customer or by an independent third-party auditor under a confidentiality undertaking. The audit must not cover other Ooklo customers' data or systems.
Ooklo may discharge this obligation by providing recent audit reports (SOC 2, ISO 27001 or equivalent) where available.
Article 11 · Part B — Prospect-data Marketplace
The Ooklo Marketplace lets the Customer rent B2B or B2C contacts for a single prospection campaign. For this processing, the roles are as follows: the database producers are the producers of the databases and original Controllers of their respective sources; Ooklo holds commercialisation licences concluded directly with those producers and operates the Marketplace. Ooklo and the database producers act as joint controllers for the making available of the Marketplace Data within the meaning of Article 26 GDPR. The Customer, when using the rented contacts for its own sends, acts as an independent Controller.
11.1 Origin of the Data
Marketplace Data is aggregated from several qualified sources, for an indicative volume of approximately 3 million B2B and 8 million B2C contacts, located in France.
11.2 Lawful basis
- B2B contacts: legitimate interest of the sender (Article 6.1.f GDPR and Recital 47), combined with a simple, free right to object for Data Subjects. Solicitations are strictly professional and relate to the recipient's job function.
- B2C contacts: freely given, specific, informed and unambiguous consent (Article 6.1.a and Article 7 GDPR), collected by the database producers at the moment of collection, with timestamp and source documented. Marketing and SMS opt-ins are distinct.
11.3 Data freshness and quality
- Full monthly refresh of the databases by the producers ("cancel and replace" mode between the 1st and the 10th of every month).
- Weekly refresh of unsubscribes, complaints, NPAI, spam traps and hard bounces. These signals are added immediately to the Marketplace suppression list.
- B2B email addresses and B2B mobile numbers are made available in SHA-256 hashed form for routing; B2C Data is delivered in clear form to enable routing by Ooklo or by accredited routing providers.
11.4 Licence agreement
Ooklo holds commercialisation licences with the producers of the qualified databases listed in §11.1. These licences govern: the producers' intellectual property rights over the databases (Article L341-1 of the French Intellectual Property Code), security obligations, monthly volume reporting, the handling of Data Subject requests, destruction of Data on contract termination, and Chapter III GDPR obligations.
Article 12 · Customer obligations when using the Marketplace
When the Customer places a Marketplace order, it undertakes to:
- Send the rented contacts only within the activity sector and geographic area declared to Ooklo at the time of the order.
- For B2B/B2C email and SMS rentals: not to extract the email addresses or mobile numbers, and not to share them with third parties. Routing is performed exclusively by Ooklo or an accredited router within the meaning of the applicable licence.
- For data sale or enrichment services: comply with the retention periods set out in the order form, never resell the Data, and return or destroy any Marketplace Data at the end of the service in accordance with Article 9.
- Immediately honour any objection, rectification or erasure request received from a Data Subject, and forward it to Ooklo within five (5) business days at dpo@ooklo.com so that Ooklo and the database producers can suppress the contact at source.
- Include a working unsubscribe link in every communication, together with a clear notice identifying the controller (the Customer) and the source of the Data ("Source: Ooklo Marketplace").
- Observe the legal sending windows and rules (in France: CNIL Decree 2023-1085 on telephone prospecting, Bloctel opposition list for B2C telephone contacts) and the exclusion list communicated by the database producers.
In case of a breach, Ooklo may suspend the Customer's access to the Marketplace and seek any other remedy available at law.
Article 13 · International transfers
As at the date of this DPA, all the Processing operations under Parts A and B are hosted and performed within the European Union or the European Economic Area. No transfer outside the EU/EEA takes place.
Should a Sub-processor, in the future, need to process Data from a third country, Ooklo will put in place the appropriate safeguards required by Chapter V GDPR (Standard Contractual Clauses of the European Commission, adequacy decision, or any other recognised mechanism) and notify the Customer beforehand.
Article 14 · Liability
Each Party's liability under this DPA is governed by the limitation and exclusion clauses set out in the Ooklo Terms of Service, subject to mandatory rules, and in particular Article 82 GDPR.
The limitation of liability does not apply to gross negligence, wilful misconduct or breaches of Personal Data protection and information-security obligations.
Article 15 · Governing law and jurisdiction
This DPA is governed by English law and submitted to the jurisdiction of the courts of London, without prejudice to mandatory rules and to the competence of the supervisory authorities and courts of the European Union Member States in matters of Personal Data protection.
Article 16 · Updates to the DPA
Ooklo may update this DPA to reflect changes in regulation, in its Sub-processor ecosystem or in the Ooklo products. Any material update is notified to the Customer at least thirty (30) days before it takes effect, by email or by publication on the /dpa page. Continued use of the service constitutes acceptance of the updated version.
For any question relating to this DPA, contact dpo@ooklo.com.
Annex 1 · List of Sub-processors
All Sub-processors are located within the European Union or the European Economic Area. No transfer outside the EU/EEA takes place.
| Sub-processor | Purpose | Country |
|---|---|---|
| Supabase EU | Application database | Germany / Ireland |
| OVHcloud (OVH SAS) | Application hosting | France (Roubaix) |
| Hetzner Online GmbH | Compute and storage | Germany / Finland |
| Scaleway SAS | Compute and storage | France / Netherlands |
| Backblaze B2 (EU region) | Backups and object storage | Netherlands |
| Mistral AI | AI inference for content generation | France |
| Infobip | A2P SMS gateway | EU |
| Resend | Transactional email | EU |
| Stripe Payments Europe Ltd | Payment processing (PCI-DSS) | Ireland |
The current list is published on this page. Customers who wish to receive active change notifications may request them at dpo@ooklo.com.
Annex 2 · Technical and organisational measures (TOMs)
Confidentiality
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
- Mandatory multi-factor authentication on all administrative and technical accounts.
- Role-based access controls, least-privilege principle, quarterly access reviews.
- Pseudonymisation of direct identifiers in support and debugging environments.
Integrity
- Immutable logging of sensitive operations, 12-month retention.
- Application-level integrity checks on contact-list imports and exports.
- Mandatory code review and automated tests on every deployment.
Availability
- Encrypted daily backups, 30-day retention, tested monthly.
- Multi-zone replication on the primary hosting infrastructure.
- Documented business-continuity plan, RPO 24h, RTO 8h.
Governance and organisation
- Internal DPO reachable at dpo@ooklo.com.
- Processing register maintained in accordance with Article 30 GDPR.
- Data Protection Impact Assessments (DPIA) for high-risk processing.
- Annual staff awareness and training programme on Data protection and information security.
- Documented breach-management procedure with annual exercises.
Sub-processor security
- Pre-onboarding GDPR-compliance assessment of every Sub-processor.
- Contractual clauses imposing obligations equivalent to this DPA.
- Annual review of the Sub-processing chain.
Annex 3 · Marketplace — Source disclosure
Database producers
The Marketplace draws on databases produced by several independent qualified publishers, each acting as producer within the meaning of Article L341-1 of the French Intellectual Property Code and original Controller of its respective source. Indicative composition is listed in §11.1.
Licensee and Marketplace operator
Ooklo holds commercialisation licences with the producers of the qualified databases listed in §11.1. These licences cover the producers' intellectual property rights, security obligations, monthly volume reporting, the handling of Data Subject requests, destruction of Data on contract termination, and all Chapter III GDPR obligations.
Operating entity
The Ooklo service is operated by Vicmedia Ltd, a company incorporated in England and Wales, registered office 126 Aldersgate Street, London, England, EC1A 4JQ. All Customer communications, billing and support are conducted under the Ooklo brand.
Indicative volumes
- About 3 million B2B contacts (France).
- About 8 million B2C contacts (France).
Available fields
B2B: email, salutation, last name, first name, fixed and mobile phone, marketing and SMS opt-ins with collection date, company name, brand, SIREN/SIRET, function code and label, email-address type (nominative or generic), full postal address with geocoding, website URL, last observed action and its date.
B2C: email, salutation, last name, first name, date and year of birth, fixed and mobile phone, marketing and SMS opt-ins with collection date, full postal address with geocoding, last observed action and its date.
Technical delivery format
- B2B: email, fixed and mobile delivered in SHA-256 hashed form; remaining fields in clear.
- B2C: all fields delivered in clear.
- Monthly "cancel and replace" refresh between the 1st and 10th of each month. Weekly refresh of unsubscribes and complaints.
Suppression and complaints handling
Any objection or complaint received by Ooklo or the database producers is propagated back to the source within seven (7) days at most and prevents any further use of the affected contact across the entire chain. Hard bounces, spam traps and NPAI detected by Ooklo are reported to the database producers within the same window.
Last updated: 12 May 2026. For any question relating to this DPA, please write to dpo@ooklo.com.