Last updated: July 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the agreement between the Customer and Lioma governing the Customer's use of the Services (the "Terms", and together with this DPA, the "Agreement"). It reflects the parties' agreement with respect to the Processing of Personal Data by Lioma on the Customer's behalf in connection with the Services.
You accept this DPA when you accept the Terms; no separate signature is required.
Capitalised terms not defined in this DPA have the meaning given in the Terms. Where this DPA conflicts with the Terms on any matter of data protection, this DPA prevails (see Section 12).
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including Regulation (EU) 2016/679 ("GDPR"), the GDPR as retained in the law of the United Kingdom, the Austrian Datenschutzgesetz (DSG), and any implementing or successor legislation.
1.2 "Customer Personal Data" means Personal Data that Lioma Processes on the Customer's behalf in the course of providing the Services, as described in Annex A.
1.3 "Data Subject Request" means a request from a Data Subject to exercise rights under Applicable Data Protection Law (e.g. access, rectification, erasure, restriction, objection, portability).
1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
1.5 "Services" means the outreach and prospecting product and related services provided by Lioma under the Terms, including prospect sourcing into the Customer's workspace, letter generation and postal delivery, LinkedIn and email outreach sequences, landing pages, and the management of experiment prospects and campaigns.
1.6 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries approved by European Commission Implementing Decision (EU) 2021/914, including (as applicable) Module Two (controller-to-processor) and Module Three (processor-to-processor); and, for UK transfers, the UK International Data Transfer Addendum issued by the Information Commissioner.
1.7 "Sub-processor" means any third party engaged by Lioma to Process Customer Personal Data.
1.8 The terms "Controller", "Processor", "Personal Data", "Data Subject", "Processing" and "Supervisory Authority" have the meanings given in the GDPR.
2.1 Lioma as Processor (this DPA). With respect to the execution of the Customer's outreach campaigns, including sourcing prospects into the Customer's workspace, generating and sending letters, running LinkedIn and email sequences, hosting landing pages, and processing prospect records, message content, replies and landing-page interactions on the Customer's behalf, the Customer is the Controller and Lioma is the Processor. This DPA governs that Processing.
2.2 Lioma as independent Controller (not this DPA). Lioma separately acts as an independent Controller in respect of (a) its own shared prospect-research database and enrichment sources, and (b) the operation, security, analytics, billing, fraud prevention and improvement of the Services. Such Processing is not governed by this DPA; it is governed by Lioma's Privacy Policy and Applicable Data Protection Law. Each party is an independent Controller for that Processing and is individually responsible for compliance.
2.3 Each party will comply with its respective obligations under Applicable Data Protection Law in connection with the Services and the Customer Personal Data.
3.1 The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex A.
3.2 The Processing will continue for the duration of the Agreement, subject to Section 10 (Return and Deletion).
4.1 Lioma will Process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by Union or Member State law to which Lioma is subject (in which case Lioma will, where legally permitted, inform the Customer of that requirement before Processing).
4.2 The Customer's documented instructions are constituted by this DPA, the Terms, and the Customer's use and configuration of the Services (including the campaigns, targeting criteria, prospect lists, connected accounts, and content the Customer creates or approves). Additional instructions outside the scope of the Services require agreement between the parties, including on any resulting costs.
4.3 Lioma will promptly inform the Customer if, in Lioma's opinion, an instruction infringes Applicable Data Protection Law. Lioma is not obliged to carry out such an instruction.
4.4 The Customer is responsible for ensuring it has a lawful basis for the Processing it instructs (including for outreach to prospects) and for the accuracy and lawfulness of the prospect data and content it uploads to, or instructs Lioma to source through, the Services.
4.5 Connected accounts. Where the Customer connects and authorises Lioma to act through the Customer's own accounts or channels (including the Customer's own LinkedIn account), Lioma will act only within the scope of that authorisation and the Customer's instructions, and solely to deliver the Services. The Customer is responsible for maintaining any consents, authorisations and account permissions required for Lioma to operate through those connected accounts, and for compliance with the applicable platform's terms.
5.1 Lioma will ensure that persons authorised to Process Customer Personal Data are bound by an appropriate obligation of confidentiality (whether contractual or statutory) and are made aware of the confidential nature of the data.
5.2 Lioma will limit access to Customer Personal Data to personnel who need it to provide the Services.
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, Lioma will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B. These include, at a minimum, encryption in transit (TLS 1.3), encryption at rest, role-based access control (RBAC), and EU-region hosting on Amazon Web Services (eu-central-1, Frankfurt).
6.2 Lioma may update the measures in Annex B from time to time provided the updates do not materially reduce the overall level of security of the Services.
7.1 General authorisation. The Customer grants Lioma general written authorisation to engage Sub-processors to Process Customer Personal Data. The Sub-processors engaged as at the date of this DPA are listed in Annex C.
7.2 Flow-down. Lioma will impose on each Sub-processor, by written contract, data protection obligations that are, in substance, equivalent to those set out in this DPA and appropriate to the nature of the Sub-processor's services. Lioma remains liable to the Customer for the performance of each Sub-processor's obligations, consistent with the limitation of liability in the Terms.
7.3 Notice and objection. Lioma will give the Customer advance notice of the addition or replacement of a Sub-processor (by updating Annex C and/or notifying a subscribed email address) so as to give the Customer an opportunity to object. The Customer may object on reasonable data-protection grounds within thirty (30) days of the notice. The parties will work together in good faith to resolve the objection; if no resolution is reached, the Customer may terminate the affected part of the Services as its exclusive remedy.
8.1 Data Subject Requests. Taking into account the nature of the Processing, Lioma will (a) promptly forward to the Customer any Data Subject Request it receives relating to Customer Personal Data, and (b) provide reasonable assistance, by appropriate technical and organisational measures, to enable the Customer to respond to Data Subject Requests. Where a Data Subject contacts Lioma directly, Lioma may advise them to address the Customer.
8.2 Objection / suppression. The Services include a mechanism enabling the Customer to record a prospect's objection and to suppress further outreach to that prospect (supporting the Customer's obligations under Art. 21(2) GDPR in respect of direct marketing). Lioma will honour suppression instructions applied through the Services.
8.3 DPIAs and consultation. Lioma will provide the Customer with reasonable assistance for data protection impact assessments and prior consultations with Supervisory Authorities that the Customer reasonably considers required by Applicable Data Protection Law and that relate to Lioma's Processing under this DPA.
8.4 Breach notification. Lioma will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to Lioma to assist the Customer in meeting its own notification obligations, including (where known) the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed. Lioma's notification is not an admission of fault or liability.
9.1 Lioma primarily hosts and Processes Customer Personal Data in the EU (AWS eu-central-1, Frankfurt).
9.2 Where Lioma or a Sub-processor Processes Customer Personal Data outside the EEA in a country without an adequacy decision, such transfer will be subject to an appropriate transfer mechanism under Applicable Data Protection Law, being (as applicable) the Standard Contractual Clauses, the UK Addendum, or, for certified recipients in the United States, the EU–US Data Privacy Framework (DPF). Annex C indicates the relevant location and transfer basis for each Sub-processor.
9.3 To the extent required by Applicable Data Protection Law, the SCCs (Module Two and/or Module Three, as applicable) are incorporated into this DPA by reference and deemed executed by the parties, completed with the information in Annexes A–C, and the Customer authorises Lioma to enter into SCCs with Sub-processors on the Customer's behalf. Lioma will, on request, provide information reasonably necessary for the Customer to complete a transfer impact assessment.
10.1 On termination or expiry of the Agreement, Lioma will, at the Customer's choice and within thirty (30) days, delete or return the Customer Personal Data in its possession, and delete existing copies, unless retention is required by Union or Member State law.
10.2 The Customer may export its Customer Personal Data through available self-service functionality prior to deletion. Data held in routine backups will be deleted in the ordinary course of Lioma's backup rotation.
10.3 This Section 10 does not apply to Personal Data that Lioma holds as an independent Controller under Section 2.2 (e.g. the shared prospect-research database), which is governed by Lioma's Privacy Policy.
11.1 Lioma will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR. Lioma will satisfy audit requests in the first instance by providing relevant documentation and, where available, third-party audit reports or certifications applicable to the Services (e.g. its Sub-processors' SOC 2 or ISO 27001 reports).
11.2 Where the information under 11.1 is insufficient to satisfy a mandatory audit requirement under Applicable Data Protection Law, the Customer (or an independent third-party auditor bound by confidentiality, not a Lioma competitor) may, on reasonable prior written notice and no more than once in any 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), audit Lioma's compliance with this DPA. Audits will be conducted during business hours, in a manner that does not disrupt Lioma's operations or compromise other customers' data, and at the Customer's expense.
12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
12.2 Order of precedence. In the event of conflict, the following order governs data-protection matters: (i) the SCCs (where they apply); (ii) this DPA; (iii) the Terms. On all matters that are not data protection matters, the Terms prevail.
12.3 This DPA takes effect on the effective date of the Terms and remains in force for as long as Lioma Processes Customer Personal Data under the Agreement.
12.4 Governing law and jurisdiction. This DPA is governed by the laws of Austria, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods, and is subject to the jurisdiction agreed in the Terms, except where Applicable Data Protection Law or the SCCs require otherwise.
Roles. Customer = Controller; Lioma e.U. = Processor.
Subject-matter. Provision of Lioma's outreach and prospecting Services to the Customer, involving Processing of Personal Data of the Customer's prospects and business contacts on the Customer's behalf.
Duration. For the term of the Agreement and until return/deletion under Section 10.
Nature and purpose of Processing. Collection, organisation, storage, structuring, enrichment, use, and transmission of business-contact data to source prospects into the Customer's workspace; generate and deliver outreach (postal letters via Pingen, email, and LinkedIn sequences sent through the Customer's own connected LinkedIn account); host and operate landing pages; and record and manage replies, engagement and suppression, all as configured and instructed by the Customer through the Services.
Types of Personal Data. Business-contact data of prospects and business contacts, including: full name; business email address; employer / company name; job title; city and country; postal address (for letter delivery); LinkedIn profile URL; outbound message content; prospect replies and correspondence; and landing-page interaction data.
Categories of Data Subjects. The Customer's prospects and business contacts (natural persons in a professional/business capacity), and the individuals who send replies or interact with the Customer's outreach or landing pages.
Special categories of Personal Data. None intended or required. The Customer must not instruct the Processing of special-category data through the Services.
Frequency. Continuous, for the duration of the Agreement.
Competent Supervisory Authority. Austrian Data Protection Authority (Österreichische Datenschutzbehörde), or as otherwise determined under Clause 13 of the SCCs where they apply.
The following summarises the measures Lioma maintains. Lioma may update them provided the overall level of security is not materially reduced.
The Sub-processors below Process Customer Personal Data (prospect/outreach data) in providing the Services. Vendors that Lioma uses only for its own independent-Controller Processing under Section 2.2 (e.g. billing, subscription management), and tools that process the Customer user's own account/channel data rather than prospect/outreach data, are not listed here.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, storage, and Bedrock LLM inference (generates outreach copy) | EU (Frankfurt) primary; US (us-east-1) failover | EU-primary; SCCs / DPF for the US failover |
| Cloudflare | DNS, CDN, network security | Global edge | SCCs / DPF |
| Apollo | B2B prospect data sourcing | US | SCCs |
| Pingen | Postal letter delivery | EU / Switzerland | Adequacy (CH) / EU |
| Loqate | Postal address validation | UK / global | SCCs / UK Addendum |
| Google (Places / Maps) | Business address resolution | US / global | DPF + SCCs |
| Tavily | Web research to prepare outreach | US | SCCs |
| Brave | Web research to prepare outreach | US | SCCs |
| Jina | Web research to prepare outreach | EU / US | SCCs where outside the EEA |
| Composio | Connecting third-party tools the Customer authorises | US | SCCs |
| Brevo | Email delivery to prospects | EU (France) | EU-based |
| Sentry | Error tracking (may incidentally process personal data in logs) | US (EU data residency where configured) | DPF / SCCs |
| Better Stack (Logtail) | Log management (may incidentally process personal data) | EU-based | SCCs |
Locations reflect our current understanding and may be updated. Where a sub-processor processes personal data outside the EEA, we rely on Standard Contractual Clauses and/or the EU–US Data Privacy Framework. The current list is available on this page or on request at privacy@lioma.eu.
Note on LinkedIn. Outreach on LinkedIn is sent from the Customer's own connected LinkedIn account, which the Customer authorises Lioma to act through (see Section 4.5). LinkedIn is not engaged by Lioma as a Sub-processor for that channel; the Customer's use of LinkedIn is governed by the Customer's own relationship with, and the terms of, LinkedIn.
Lioma
Just a moment...