Data Processing Addendum (DPA)

1. Definitions

2. Scope of Processing

Acquirely Processes Personal Data solely for:

• providing the Service,
• enabling GHL-related customizations,
• authentication,
• analytics and performance,
• security,
• customer support,
• subscription and billing workflows.

Acquirely does not:

• sell Personal Data,
• process Personal Data for advertising,
• use Personal Data for purposes other than those defined in this DPA.

3. Roles of the Parties

The parties acknowledge:

• Customer is the Controller.
• Acquirely is the Processor.
• Acquirely will only process Personal Data according to Customer's documented instructions.

4. Customer Instructions

Acquirely will Process Personal Data only:

• as necessary to provide the Services,
• as documented in the Privacy Policy and Terms,
• as requested by Customer in writing,
• to comply with legal obligations.

Acquirely will promptly notify Customer if an instruction violates applicable privacy law.

5. Sub-Processors

Customer agrees that Acquirely may use Sub-Processors, including:

All Sub-Processors are subject to written data protection obligations equivalent to this DPA.

Acquirely will:

• maintain an up-to-date list of Sub-Processors,
• notify Customer of material updates,
• remain responsible for Sub-Processor actions.

6. Security Measures

Acquirely implements industry-standard security, including:

• encryption at rest and in transit,
• zero-trust authentication,
• secure credential hashing,
• access control and role-based permissions,
• monitoring & logging,
• annual security reviews,
• vulnerability patching and maintenance.

Acquirely will maintain administrative, technical, and physical safeguards appropriate to industry standards.

7. Data Subject Rights

Acquirely will assist Customer in handling:

• access requests,
• deletion requests,
• correction requests,
• data export requests,
• opt-out or limitation requests,
• GPC (Global Privacy Control) signals (California requirement).

Acquirely will not respond to requests from individuals without Customer's authorization.

8. Data Breach Notification

If Acquirely becomes aware of a Personal Data Breach, Acquirely will:

• Notify Customer without undue delay,
• Provide details of the breach,
• Assist with mitigation,
• Cooperate with investigations,
• Provide necessary documentation for regulatory compliance.

A breach does not include unsuccessful attempts to compromise infrastructure (e.g., failed logins, port scans).

9. Data Deletion & Return

Upon termination of Customer's account:

• Acquirely will delete or return all Personal Data,
• unless retention is required by law,
• deletion occurs within 30–90 days depending on system backups.

Backup data will be securely overwritten in accordance with standard lifecycle policies.

10. International Transfers

Acquirely may Process data in the United States or other jurisdictions.

All international transfers will follow:

• GDPR Standard Contractual Clauses (SCCs),
• UK Addendum (if applicable),
• CPRA-compliant contractual obligations,
• Appropriate technical & organizational safeguards.

11. California-Specific Requirements (CPRA)

For California residents, Acquirely agrees:

• not to sell or share Personal Data,
• not to use Personal Data for cross-context behavioral advertising,
• not to combine Customer data with other customers' data except as allowed by CPRA,
• to comply with all CPRA Processor obligations,
• to support Customer in responding to deletion, correction, and access requests.

12. Audit Rights

Customer may request a summary of security audits or certifications.

Due to security reasons, on-site audits are not permitted, but Acquirely will provide:

• security documentation,
• summaries of external audits,
• compliance reports (if available).

13. Liability

Each party's liability under this DPA is subject to the exclusions and limitations in the Terms & Conditions.

14. Term

This DPA remains in effect as long as Acquirely processes Personal Data on behalf of Customer.

15. Contact Information

For questions about this DPA: