IntelBee — Data Processing Addendum (DPA)
Last updated: October 2, 2025
This Data Processing Addendum ("DPA") forms part of, and is subject to, the agreement between Customer and IntelBee governing Customer's use of IntelBee's Services (the "Agreement"). Capitalised terms not defined in this DPA have the meanings given in the Agreement.
Effective date: October 2, 2025
PARTIES
- "Customer" means the entity identified in the Order or account that determines the purposes and means of processing Personal Data (as defined below).
- "IntelBee" means Artificial Intelligence Mars SRL, Dr Petre Herescu 12, Bucharest, Romania, acting as processor (or service provider/processor under applicable law).
1. DEFINITIONS
- "Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data under the Agreement, including the EU GDPR (2016/679), the UK GDPR and Data Protection Act 2018, the Swiss FADP, the ePrivacy/PECR rules, and U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA), each as amended.
- "Customer Personal Data" means Personal Data processed by IntelBee on behalf of Customer pursuant to the Agreement.
- "Personal Data," "Data Subject," "Process/Processing," "Controller," and "Processor" have the meanings in Applicable Data Protection Laws.
- "Sub-processor" means any processor engaged by IntelBee to assist in Processing Customer Personal Data.
- "EU SCCs" means the European Commission's 2021 Standard Contractual Clauses for data transfers to third countries, including the applicable modules.
- "UK Addendum/IDTA" means the UK Information Commissioner's addendum or international data transfer agreement for cross-border transfers from the UK.
- "Swiss Addendum" means the Swiss FDPIC addendum for transfers from Switzerland.
2. ROLES; SCOPE; INSTRUCTIONS
2.1 Roles. Customer is the Controller (or Business under CCPA/CPRA) of Customer Personal Data. IntelBee is the Processor (or Service Provider/Processor).
2.2 Scope. IntelBee will process Customer Personal Data solely to provide the Services described in the Agreement and as further detailed in Annexe 1 (Description of Processing).
2.3 Instructions. IntelBee will Process Customer Personal Data only on documented instructions from Customer, including with respect to transfers of Customer Personal Data to a third country or international organisation, unless required by law. IntelBee will promptly notify Customer if, in IntelBee's opinion, an instruction infringes Applicable Data Protection Laws.
3. CONFIDENTIALITY AND PERSONNEL
IntelBee will ensure persons authorised to Process Customer Personal Data are subject to confidentiality obligations and receive appropriate privacy and security training.
4. SECURITY
4.1 Measures. IntelBee will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access as described in Annexe 2 (Security Measures).
4.2 Reviews. IntelBee will regularly test, assess, and evaluate the effectiveness of such measures and improve them, considering industry practice and risk.
5. SUB-PROCESSORS
5.1 Authorisation. Customer grants IntelBee a general authorisation to engage Sub-processors. Current Sub-processors are listed at https://intelbee.com/subprocessors (the "Sub-processor List").
5.2 Changes. IntelBee will provide prior notice of new Sub-processors by updating the Sub-processor List or by email. The customer may reasonably object within 10 days of notice if a change materially increases the risk to Customer Personal Data. IntelBee may mitigate, propose an alternative, or allow the Customer to suspend the affected Service without penalty.
5.3 Flow-down. IntelBee will impose data protection obligations on Sub-processors that are no less protective than those in this DPA and will remain responsible for their performance.
6. DATA SUBJECT RIGHTS; ASSISTANCE
Taking into account the nature of Processing, IntelBee will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, objection). Where legally permitted, IntelBee may direct the requester to the Customer. IntelBee will also assist with the Customer's DPIAs and consultations with supervisory authorities relating to the Services.
7. SECURITY INCIDENTS
IntelBee will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer in meeting its breach reporting obligations. IntelBee will take reasonable steps to contain, investigate, and remediate the incident.
8. RETURN & DELETION
Upon termination or expiry of the Agreement, upon Customer's written request and within 30 days (unless a longer period is agreed or required by law), IntelBee will delete or return Customer Personal Data and delete existing copies, except where retention is required by law or permitted in anonymised/aggregated form.
9. AUDITS
Upon reasonable advance notice and subject to confidentiality and security restrictions, IntelBee will make available information necessary to demonstrate compliance with this DPA (e.g., third‑party audit reports) and allow audits by Customer or an independent auditor mandated by Customer once per 12-month period (or more frequently if required by law or after a material security incident). Audits will be conducted during business hours, not unreasonably interfere with operations, and Customer will bear its own costs and IntelBee's reasonable support costs.
10. INTERNATIONAL TRANSFERS
10.1 EU/EEA, UK, Switzerland. To the extent Customer Personal Data is transferred to a country without an adequacy decision, the Parties agree that the EU SCCs (Module 2: Controller-to-Processor and, where applicable, Module 3: Processor-to-Processor) are incorporated by reference and apply, with the specifics completed in Annexe 1 and Annexe 2. For UK transfers, the UK Addendum/IDTA applies; for Swiss transfers, the Swiss Addendum applies.
10.2 Conflicts. If there is a conflict between this DPA and the EU SCCs/UK Addendum/Swiss Addendum, the latter will prevail to the extent of the conflict.
11. CCPA/CPRA AND U.S. STATE PRIVACY LAWS
11.1 Service Provider/Processor. IntelBee will not: (a) sell or share (as defined by CPRA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than to provide the Services (including maintaining or improving the Services), or as otherwise permitted by law; (c) combine Customer Personal Data with personal data received from other sources except as permitted to detect data security incidents or improve or enhance the Services.
11.2 Assistance. IntelBee will assist the Customer in responding to verifiable consumer requests and in meeting its privacy-by-design, security, and record‑keeping obligations under applicable U.S. state laws.
11.3 Certifications. IntelBee certifies it understands and will comply with the restrictions set forth in this Section.
12. CUSTOMER OBLIGATIONS
Customer is responsible for: (a) the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired such data; (b) providing any required notices and obtaining all necessary consents or other lawful bases; (c) configuring and using the Services in compliance with Applicable Data Protection Laws; and (d) not instructing IntelBee to Process special categories of data unless agreed in writing.
13. LIABILITY; ORDER OF PRECEDENCE
Each Party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict with respect to Processing of Customer Personal Data, and the EU/UK/Swiss transfer mechanisms control over this DPA where applicable.
14. MISCELLANEOUS
This DPA will remain in effect for the term of the Agreement. Nothing in this DPA prevents IntelBee from making reasonable changes to maintain compliance or reflect evolving practices.
ANNEX 1 — DESCRIPTION OF PROCESSING
- Data exporter: Customer (Controller/Business)
- Data importer: IntelBee (Processor/Service Provider)
- Subject matter: Provision of IntelBee Services (technology detection, enrichment, datasets, APIs, browser extensions, and support).
- Duration: Term of the Agreement and as otherwise required by law.
- Nature and purpose: Hosting, analysing, enriching, transmitting, storing, securing, and supporting Customer Personal Data to provide and improve the Services.
- Categories of data subjects: Customer's authorised users; Customer's prospects/leads/contacts; website/business contacts identified via Customer's inputs.
- Types of personal data: Names; business contact details (work email, work phone); job titles; employer/organisation; device and usage telemetry of Customer's users; any other personal data submitted by Customer.
- Sensitive data: Not intended to be processed. Customer will not submit sensitive or special category data.
- Frequency of transfer: Continuous as required for the Services.
- Retention: As set forth in Section 8 of this DPA.
- Competent supervisory authority: As determined by Customer's establishment in the EEA/UK/Switzerland (if applicable).
ANNEX 2 — TECHNICAL & ORGANIZATIONAL SECURITY MEASURES
IntelBee maintains, among others, the following measures proportionate to risk:
- Information security program overseen by designated personnel; policies reviewed at least annually.
- Access controls and least‑privilege: unique IDs, role‑based access, MFA for privileged access, and timely off‑boarding.
- Data encryption in transit (TLS) and at rest, where feasible; key management practices.
- Network security: segmentation, firewalls, restricted management access, vulnerability scanning, and patch management.
- Secure software development lifecycle (code review, dependency management, secrets management, change management).
- Logging and monitoring: centralised logging, alerting for anomalous activities, retention aligned to risk.
- Data minimisation and pseudonymization where appropriate; separation of environments.
- Backup and recovery: regular backups, restoration testing, and disaster recovery planning.
- Vendor risk management and Sub‑processor due diligence; contractual security commitments.
- Security awareness and privacy training for personnel; confidentiality agreements.
- Incident response plan with defined roles, playbooks, and post‑incident reviews.
- Physical and environmental security at hosting locations.
- Periodic penetration tests and remediation tracking.
ANNEX 3 — SUB‑PROCESSORS
IntelBee's current Sub‑processors are listed at https://intelbee.com/subprocessors (updated from time to time). The customer may subscribe to change notifications at [email protected].
Annexe 1 — Description of Processing (Summary Table)
Last updated: October 2, 2025
| Data exporter | Data importer |
|---|---|
| Data exporter | Customer (Controller/Business) |
| Data importer | IntelBee (Processor/Service Provider) |
| Subject matter | Provision of IntelBee Services (technology detection, enrichment, datasets, APIs, extensions, support) |
| Duration | Term of the Agreement (and as required by law) |
| Categories of data subjects | Customer users; Customer prospects/leads/contacts |
| Types of personal data | Business contact details; job title; employer; usage telemetry of Customer users; data provided by Customer |
| Sensitive data | Not intended; Customer will not submit special categories |
Annexe 2 — Security Measures (Detailed List)
Last updated: October 2, 2025
- Information security program; annual policy reviews
- Access controls; least privilege; MFA; off-boarding
- Encryption in transit and at rest; key management
- Network security; segmentation; firewalls; vulnerability scanning; patching
- Secure SDLC; code review; dependency and secrets management
- Logging and monitoring; alerting; retention aligned to risk
- Data minimisation, pseudonymization where appropriate; environment separation
- Backups, restoration testing, and disaster recovery
- Vendor risk management and Sub-processor due diligence
- Security awareness and privacy training; confidentiality agreements
- Incident response plan; post-incident reviews
- Physical/environmental security at hosting locations
- Periodic penetration testing; remediation tracking