Legal

Data Processing Addendum

Last updated: April 18, 2026

This Data Processing Addendum (DPA) applies when AcquireOS processes personal data on your behalf about your end clients and prospects. It forms part of the Terms of Service between you (Controller) and AcquireOS (Processor).

1. Definitions

  • "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, and any successor laws.
  • "Personal Data" has the meaning given in the Applicable Data Protection Law.
  • "Sub-processor" means any third party engaged by AcquireOS to process Personal Data.

2. Scope & Roles

You are the Controller of the Personal Data of your end clients and prospects. AcquireOS is the Processor. AcquireOS processes Personal Data only on your documented instructions, which are the Terms of Service and your use of the platform.

3. Nature & Purpose of Processing

  • Categories of data subjects: your employees, your end clients, and prospects you enter into the platform.
  • Categories of Personal Data: contact identifiers (name, email, phone, business name), communications content, call recordings, attribution events, enrichment data pulled from Clay and other sources.
  • Purposes: running campaigns, scoring and routing leads, generating proposals, billing end clients (via Stripe Connect), attribution reporting, and AI-agent operations.

4. AcquireOS Obligations

  • Process Personal Data only on your instructions.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (encryption in transit and at rest, RBAC, audit logging, automated PII checks on every deploy).
  • Assist you in responding to data subject rights requests (access, deletion, portability) within 72 hours of your request.
  • Notify you of a personal data breach without undue delay, and in any case within 72 hours of becoming aware.
  • Delete or return all Personal Data at the end of the service, subject to legal retention requirements.

5. Sub-processors

You grant AcquireOS general authorization to engage sub-processors. The current list is published in our Privacy Policy and updated when changes occur. We will give you 30 days' notice of new sub-processors; you may object by terminating your subscription if you cannot accept the change.

6. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum, as applicable, which are incorporated by reference.

7. Data Subject Rights

You can exercise rights on behalf of your end clients directly from Settings → Export Data (portability) and via the GDPR deletion endpoint (erasure). For requests where you need our assistance, email privacy@getacquireos.com.

8. Audits

AcquireOS will provide, on reasonable written notice and not more than once per year (unless required by regulator), information reasonably necessary to demonstrate compliance with this DPA — including SOC 2 Type II reports once available, and written responses to security questionnaires.

9. Liability

Each party's liability under this DPA is subject to the limitation of liability clause in the Terms of Service.

10. Order of Precedence

In the event of a conflict between the Terms of Service and this DPA with respect to the processing of Personal Data, this DPA controls.

11. Contact

DPA questions: privacy@getacquireos.com.