DATA PROCESSING AGREEMENT (DPA / AVV)

pursuant to Article 28 GDPR

Last Updated: 31 December 2025

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Controller:
The customer using the Services (“Customer”)

and

Processor:
FinSuites, LLC
30 North Gould St Ste R
Sheridan, WY 82801
United States

This DPA forms an integral part of the Terms and Conditions governing the use of the Services.

2. Subject Matter and Duration of Processing

2.1 Subject Matter

The subject matter of processing is the provision of a software-as-a-service platform operated as a white-label implementation of the GoHighLevel / LeadConnector platform, enabling the Customer to manage contacts, communications, marketing, sales and related business processes.

2.2 Duration

Processing shall continue for the duration of the Customer’s use of the Services and shall end upon termination of the contractual relationship, subject to Section 14 (Deletion and Return of Data).

3. Nature and Purpose of Processing

3.1 Nature of Processing

Processing activities may include, without limitation:

collection

storage

organization

structuring

transmission

retrieval

use

deletion

3.2 Purpose of Processing

Processing is strictly limited to the provision, operation, maintenance and support of the Services, including system security, troubleshooting, abuse prevention and customer support, in accordance with the Customer’s documented instructions.

FinSuites does not determine the purposes or means of processing Customer Data.

4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

names

email addresses

telephone numbers

postal addresses

communication metadata

IP addresses

transactional and interaction data

4.2 Categories of Data Subjects

customers, clients and prospects of the Customer

website visitors and leads processed through the Services

employees, contractors or representatives of the Customer

other individuals whose data is uploaded or processed by the Customer

Special categories of personal data pursuant to Article 9 GDPR are not intended to be processed.

5. Roles and Responsibilities

5.1 Customer (Controller)

The Customer:

determines the purposes and means of processing,

ensures a valid legal basis for all processing activities,

fulfills transparency and information obligations,

ensures compliance with applicable data protection, marketing and telecommunications laws.

5.2 FinSuites (Processor)

FinSuites:

processes personal data only on documented instructions of the Customer,

does not use Customer Data for its own purposes,

does not sell or disclose Customer Data except as permitted under this DPA or required by law.

6. Instructions

Processing shall be carried out in accordance with:

this DPA,

the Terms and Conditions, and

documented instructions given by the Customer through use and configuration of the Services.

This includes processing required to comply with applicable Union or Member State law, in which case FinSuites shall inform the Customer of such legal requirement unless prohibited by law.

If FinSuites considers an instruction to be in violation of applicable data protection law, FinSuites shall inform the Customer without undue delay.

7. Confidentiality

FinSuites ensures that persons authorized to process personal data are subject to appropriate statutory or contractual confidentiality obligations.

8. Technical and Organizational Measures (TOMs)

FinSuites implements appropriate technical and organizational measures pursuant to Article 32 GDPR, including, but not limited to:

access controls and authentication mechanisms,

role-based access restrictions,

encryption of data in transit where appropriate,

network and infrastructure security measures,

monitoring and logging for security purposes.

Measures are implemented taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing.

FinSuites maintains documentation of its technical and organizational measures and will make relevant information available to the Customer upon reasonable request.

Absolute security cannot be guaranteed.

9. Subprocessors

9.1 General Authorization

The Customer grants FinSuites general authorization to engage subprocessors.

9.2 Subprocessor Obligations

FinSuites ensures that subprocessors are bound by data protection obligations no less protective than those set forth in this DPA.

9.3 Changes and Objections

A current list of subprocessors is made available here: Subprocessor List
Material changes to subprocessors will be communicated where required by applicable law.

The Customer may object to a new subprocessor only on documented and substantiated data protection grounds.
Any objection must be raised within fourteen (14) days of notification of the new subprocessor.

If no commercially reasonable alternative exists, the Customer’s sole remedy shall be termination of the Services in accordance with the Terms.

10. International Data Transfers

Personal data may be processed in countries outside the European Economic Area, including the United States.

Where required, FinSuites relies on appropriate safeguards, including:

the EU-U.S. Data Privacy Framework, where applicable, and/or

Standard Contractual Clauses (SCCs) adopted by the European Commission.

Where personal data is transferred onward by subprocessors, equivalent safeguards are contractually required.

11. Assistance with Data Subject Requests

Taking into account the nature of the processing, FinSuites shall reasonably assist the Customer in responding to requests for:

access,

rectification,

erasure,

restriction of processing,

data portability,

objection to processing,

to the extent required by applicable law.

FinSuites is not responsible for responding directly to data subject requests unless required by law.
Any assistance beyond standard functionality may be subject to reasonable fees.

12. Assistance with Security and Impact Assessments

FinSuites shall provide reasonable assistance to the Customer with:

data protection impact assessments (DPIAs),

consultations with supervisory authorities,

to the extent required under Articles 35 and 36 GDPR and taking into account the nature of the processing.

Any assistance beyond standard functionality may be subject to reasonable fees.

13. Personal Data Breach Notification

FinSuites shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.

Where feasible, FinSuites will use reasonable efforts to provide such notification within 72 hours, together with available information necessary for the Customer to comply with its legal obligations.

14. Deletion and Return of Data

Upon termination of the Services, at the Customer’s choice, Customer Data shall be:

returned, or

deleted or anonymized,

unless retention is required by applicable law or for the establishment, exercise or defense of legal claims.

Residual backup copies may persist temporarily in accordance with security procedures.

FinSuites may, but is not obligated to, provide a reasonable opportunity for data export prior to deletion.

15. Audits

The Customer may audit FinSuites’ compliance with this DPA only where required by applicable law and subject to:

reasonable prior written notice,

audits limited to once per calendar year,

audits conducted during normal business hours,

strict confidentiality obligations.

Audits shall be limited to information reasonably necessary to verify compliance with this DPA.

On-site audits require FinSuites’ prior written consent and shall be conducted at the Customer’s expense.

FinSuites may satisfy audit obligations through third-party certifications, audit reports or comparable documentation.

All audit-related costs shall be borne by the Customer, unless required otherwise by applicable law.

16. Liability

Liability arising under this DPA is subject to the limitation of liability provisions set forth in the Terms and Conditions.

17. Governing Law

This DPA is governed by the laws governing the Terms and Conditions.

18. Order of Precedence

In the event of a conflict between this DPA and the Terms and Conditions:

this DPA shall prevail with respect to data protection matters,

the Terms and Conditions shall prevail in all other respects.

19. Contact

FinSuites, LLC
Email: [email protected]