1. Scope and parties
This Data Processing Agreement ("DPA") is entered into between Coldvio [CVR: TBD], Tinbergens Allé 123, 9260 Gistrup, Denmark ("Processor"), and the customer who has accepted the Coldvio Terms of Service ("Controller").
This DPA applies when the Controller uses Coldvio's leads and contact enrichment features and uploads or enriches personal data of third-party contacts ("lead data"). In this context, the Controller is the data controller and Coldvio acts as the data processor under Article 28 of the GDPR.
For all other personal data (the Controller's own account data, voice profile, and usage data), Coldvio acts as an independent data controller — see the Privacy Policy.
This DPA is incorporated by reference into the Terms of Service. Accepting the Terms of Service constitutes acceptance of this DPA.
2. Subject matter and purpose
Coldvio processes lead data on the Controller's behalf solely to provide the leads, enrichment, and outreach campaign features of the Coldvio platform.
Coldvio will not process lead data for any other purpose, including its own marketing, analytics, or AI model training.
3. Duration
This DPA remains in force for the duration of the Controller's use of lead features. Upon account deletion or termination, Coldvio will delete lead data within 30 days, except where retention is required by law.
4. Nature of processing
- Storage: Storing contact data in the Coldvio database on behalf of the Controller.
- Enrichment: Passing contact identifiers to People Data Labs (PDL) only when the Controller explicitly triggers enrichment for a specific contact.
- Outreach: Using contact data to execute connection requests and messages on LinkedIn as configured by the Controller in campaigns.
- Display: Presenting contact data in the Coldvio CRM and leads interface to the Controller.
5. Categories of personal data
Lead data processed under this DPA may include: name, professional title, employer, LinkedIn profile URL, email address, telephone number, location, and professional history.
No special category data (Art. 9) is collected or processed under this DPA. Controllers must not upload special category data as lead data.
6. Controller's obligations
The Controller is responsible for:
- Lawful basis: Ensuring a valid legal basis exists under GDPR for processing the contact data — typically legitimate interest or consent.
- Data accuracy: Ensuring that lead data uploaded to Coldvio is accurate and relevant for the stated outreach purpose.
- Data subject rights: Responding to data subject requests (access, erasure, etc.) received directly by the Controller. Coldvio will assist as described in Section 9.
- GDPR compliance: Complying with all applicable data protection obligations, including maintaining records of processing activities (Art. 30) where required.
7. Processor obligations (Art. 28(3))
- Instructions: Process lead data only on the Controller's documented instructions. This DPA and the Terms of Service constitute those instructions.
- Confidentiality: Ensure that personnel with access to lead data are bound by confidentiality obligations.
- Security: Implement appropriate technical and organisational measures to protect lead data (see Section 10).
- Sub-processors: Only engage sub-processors listed in Section 8, or notify the Controller of additions as described there.
- Assistance — rights: Assist the Controller in responding to data subject rights requests, taking into account the nature of processing.
- Assistance — obligations: Assist the Controller in meeting obligations under Arts. 32–36 (security, breach notification, DPIA), taking into account the information available to Coldvio.
- Deletion or return: At the Controller's choice, delete or return all lead data at the end of the service relationship, and delete existing copies unless EU or Danish law requires retention.
- Audit: Make available to the Controller all information necessary to demonstrate compliance with this Article, and allow for and contribute to audits (see Section 12).
8. Sub-processors
Coldvio uses the following sub-processors for lead data processing. All are engaged under written data processing agreements.
- Supabase: Database storage. EU region. supabase.com
- People Data Labs: Contact enrichment, triggered on demand only. pdl.co — [VERIFY: DPA in place]
- Railway: Backend hosting. EU region. railway.com
- Upstash: Queue for campaign scheduling. upstash.com — [VERIFY: confirm EU region or DPA]
9. Sub-processor changes
Coldvio will give Controllers at least 14 days' notice before adding or replacing a sub-processor that processes lead data. Notice will be provided via the Coldvio changelog or by email. Controllers who object to a change may terminate their subscription before the change takes effect.
10. Security measures
Coldvio implements the following technical and organisational measures to protect lead data:
- Encryption in transit: All data transmitted between Coldvio and sub-processors uses TLS 1.2 or higher.
- Encryption at rest: Lead data stored in Supabase is encrypted at rest.
- Access control: Production database access is restricted to authorised personnel. Row-level security ensures customers can only access their own data.
- Authentication: All API access requires authenticated sessions or API tokens. Tokens are scoped and can be revoked.
- Incident response: Coldvio maintains an internal incident response process to detect, investigate, and respond to security events.
11. Data breach notification
In the event of a personal data breach affecting lead data, Coldvio will notify the Controller without undue delay — and in any case within 72 hours of becoming aware — at the email address associated with the Controller's account.
Notification will include: a description of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
12. Data subject rights
Where a data subject exercises rights (access, erasure, portability, etc.) directly against Coldvio in relation to lead data, Coldvio will promptly forward the request to the Controller and provide reasonable assistance in responding.
The Controller is responsible for making final decisions on data subject requests regarding their lead data.
13. Audit rights
Upon written request, Coldvio will provide the Controller with documentation sufficient to demonstrate compliance with this DPA.
If the Controller requires an on-site audit, this may be arranged by written agreement at the Controller's expense, subject to reasonable notice and confidentiality obligations. Coldvio may satisfy the audit requirement by providing a current third-party security audit report (e.g. SOC 2) where available.
14. International transfers
Lead data is stored on Supabase in the EU. Enrichment via PDL may involve transfer to the US. Coldvio relies on Standard Contractual Clauses (SCCs) approved under Art. 46(2)(c) GDPR for such transfers.
15. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits liability for damages caused by infringement of GDPR obligations where liability cannot be excluded under applicable law.
16. Governing law
This DPA is governed by Danish law. Any dispute shall be subject to the jurisdiction of the Danish courts, with Aalborg as the venue of first instance.
17. Contact
DPA enquiries and data subject right requests: [email protected]
Coldvio [CVR: TBD]
Tinbergens Allé 123
9260 Gistrup, Denmark