DPA clauses 1 through 12.
§1. Definitions.
Terms used in this Addendum (Controller, Processor, Personal Data, Processing, Data Subject, Special Categories, Supervisory Authority) take their meaning from GDPR Article 4. Where a term is defined in the parent Service Agreement at /legal/terms/, that definition controls for the parent agreement; for personal-data processing, GDPR Article 4 controls.
§2. Subject-matter and duration of processing.
Subject-matter: LinkedIn-account management for the Buyer's account by a named TTPA operator. Duration: coterminous with the Service Agreement at /legal/terms/, plus the retention windows at /legal/privacy/ §7.
§3. Nature and purpose of processing.
Nature: human-operated LinkedIn account access; voice-matched content authoring; weekly CSV-of-actions deliverable; calendar-coordinated outbound. Purpose: Buyer-led pipeline operation. No automated decision-making with legal or similarly significant effect (GDPR Article 22).
§4. Categories of data subjects.
Buyer's 1st-degree LinkedIn network plus Buyer-named target connections; Buyer's internal staff where they appear in coordination correspondence; recipients of Buyer-approved outbound messages.
§5. Categories of personal data.
Name, professional title, current and previous employer, professional email (where exposed by the data subject), business-related correspondence content, calendar availability windows, LinkedIn profile metadata. NO special-category data is intentionally processed.
§6. Processor obligations — GDPR Article 28(3)(a)-(h).
Toptronic shall: (a) process only on documented Controller instructions; (b) ensure named operators are bound by confidentiality; (c) maintain the security measures listed at /security/ Controls C1-C13; (d) only engage a sub-processor with prior written consent (see §7); (e) assist Controller in responding to data-subject rights requests; (f) assist with security, breach-notification, and DPIA obligations; (g) delete or return Personal Data on termination; (h) make available all information necessary to demonstrate compliance.
§7. Sub-processors — 30-day notice + 1-business-day veto.
Toptronic's current sub-processors are listed at /legal/subprocessors/. Toptronic shall give Controller at least 30 days' prior written notice (newsletter or in-app) of any addition or replacement. Controller may object within 1 business day of notice. If the parties cannot agree on an alternative, Controller may terminate the affected service for a pro-rata refund per /legal/refund/ §4.
§8. International transfers — multi-jurisdiction.
For EU/EEA Controllers: Standard Contractual Clauses 2021/914 Module 2 (Controller-to-Processor) are incorporated by reference and constitute Annex I.A, Annex I.B, Annex II to this DPA. For UK Controllers: the UK International Data Transfer Addendum is incorporated. For Australian Controllers: this DPA is read consistently with the Australian Privacy Principles. For Hong Kong Controllers: this DPA is read consistently with the Hong Kong Personal Data (Privacy) Ordinance.
§9. Audit rights.
Annual remote audit at no charge: Controller may submit a written questionnaire (max 50 questions) once per calendar year; Toptronic responds within 30 days. On-site audit: Controller may request once every 24 months at Controller's reasonable cost with 30 days' prior written notice; co-ordinated to minimise operational disruption to other Buyers.
§10. Term and termination.
This DPA is coterminous with the Service Agreement at /legal/terms/. Termination of the Service Agreement automatically terminates this DPA. The deletion / return obligation at clause 6(g) survives termination for 90 days, after which Toptronic may certify deletion.
§11. Liability — capped.
Toptronic's aggregate liability under this DPA is capped at twelve (12) months of Service-Agreement fees paid by the Controller in the 12 months preceding the event giving rise to the claim. The cap does not apply to (a) wilful misconduct, (b) gross negligence, (c) breach of confidentiality obligations, (d) liabilities that cannot be capped by applicable mandatory law.
§12. Governing law (parent) and applicable data-protection law (claims).
The parent Service Agreement is governed by Hong Kong law (HKIAC arbitration). For data-protection claims by data subjects, the law of the data subject's habitual residence applies and the supervisory authority of that residence has jurisdiction (GDPR Article 79).