
Data Processing Agreement

Last updated: May 12, 2026

This DPA reflects our standard processor terms and incorporates the EU Standard Contractual Clauses by reference. Enterprise customers may request a counter-signed PDF — get in touch via the contact page.

1. Scope and roles

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, the “Controller”) and Moksh Sethi (sole proprietor, d/b/a Pop the Lead) (“Pop the Lead”, the “Processor”) for the use of the Service. It applies where Pop the Lead processes Personal Data on the Customer’s behalf within the meaning of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (“CCPA”).

2. Subject matter and duration

The Processor processes Personal Data to provide the Service described in the main agreement: building, hosting, and rendering popups; collecting submitted subscriber data on the Controller’s behalf; routing that data to the Controller’s configured destinations (ESPs, webhooks); and producing analytics. Processing continues for the duration of the main agreement plus any retention period set out in our Privacy Policy.

3. Categories of data and data subjects

Account data about Controller users: name, email, hashed password, role, plan, IP address at login. Subscriber data collected by Controller’s popups: typically email, optional phone, consent metadata, and visitor context (URL, referrer, device, viewport). Data subjects are the Controller’s end-users (website visitors and subscribers) and the Controller’s own team members.

4. Processor obligations

The Processor will: (a) process Personal Data only on documented instructions from the Controller (the main agreement, this DPA, and the Controller’s in-product configuration); (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational measures (see § 7); (d) assist the Controller with data subject requests, DPIAs, and notifications to authorities; (e) at the Controller’s choice, delete or return all Personal Data after the end of the service, save where retention is required by law.

5. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed below. The Processor will give the Controller at least 30 days’ prior notice of any new sub-processor; the Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection or terminate the affected service.

Sub-processor    Purpose                                 Location
Supabase         PostgreSQL database hosting             AWS, EU / US (customer-selectable region)
Vercel           Application and edge hosting            Global edge network, primary US
Dodo Payments    Merchant-of-record billing              US, with EU presence
Resend           Transactional email delivery            US
Upstash          Rate-limit and cache (Redis)            AWS, EU / US
Google (OAuth)   Sign-in (only when customer opts in)    US

6. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country that has not been deemed adequate, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated by reference. Customer-selectable EU regions are available on request for Supabase and Upstash.

7. Security measures

TLS 1.2+ in transit. AES-256-GCM at rest (database, secrets, integration API keys). Database access restricted to production roles behind 2FA. Daily backups with point-in-time recovery for 7 days. Strict CSP and CORS on the embed origin. Annual review of access lists and dependency audit. Incident response: customers notified without undue delay (within 72 hours of confirmation) of any Personal Data breach affecting them.

8. Audits

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including third-party reports from sub-processors (Vercel SOC 2, and other sub-processor compliance attestations where publicly available) on request. On-site audits may be conducted on reasonable notice, no more than once per year, subject to confidentiality.

9. Data subject requests

The Controller can self-serve export and deletion from the dashboard (Settings → Export / Delete) or via GET /api/account/export and DELETE /api/account/delete. For subscriber-level requests (the Controller’s end-users), the Controller is the primary recipient; the Processor will assist within 10 business days.

10. Liability and governing law

Liability under this DPA is subject to the limitations in the main agreement. This DPA is governed by the law of Uttar Pradesh, India, except where mandatory data-protection laws of the data subject’s jurisdiction apply.

11. Contact

Send signed DPAs, sub-processor objections, and data-protection questions to popthelead@gmail.com, or via the contact form. A counter-signed copy is returned within 5 business days.

Postal address: Moksh Sethi (sole proprietor, d/b/a Pop the Lead), [address pending — contact us via the form], Bareilly, Uttar Pradesh, India.