
Data Processing Agreement

This Data Processing Agreement (the “DPA”) supplements the All Campaigns Terms of Service and governs the processing of personal data by All Campaigns as processor on behalf of the Customer as controller, in accordance with Article 28 of the GDPR.

Last updated: 2026-05-12


1. Definitions

Capitalised terms not defined below have the meaning given in the Terms of Service. The following terms have the meaning given in Article 4 of Regulation (EU) 2016/679 (the "GDPR"): personal data, processing, data subject, controller, processor, sub-processor, personal-data breach and supervisory authority.

  • "Customer Personal Data" means personal data within Customer Data, as defined in the Terms, that All Campaigns processes on behalf of the Customer.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission under Implementing Decision (EU) 2021/914.

2. Subject-matter & duration of processing

The subject-matter of the processing is the provision of the All Campaigns Service as described in the Terms. The duration of the processing is for the period during which the Customer's subscription to the Service remains active, plus the post-termination period set out in section 14.

3. Nature & purpose of processing

All Campaigns processes Customer Personal Data for the sole purpose of providing, securing and supporting the Service, including:

  • Polling the Customer's Instantly account to import campaign analytics, lead records and message threads into the Customer's tenant.
  • Storing operator-created data such as reply notes, call logs, and tags attached to lead threads.
  • Rendering the dashboard to authenticated users associated with the Customer's account.
  • Generating aggregate, pseudonymised metrics that improve and secure the Service.

All Campaigns does not use Customer Personal Data for any other purpose, including direct marketing to end recipients or AI model training.

4. Types of personal data

The categories of personal data processed by All Campaigns on the Customer's behalf include:

  • Contact data of end recipients: name, email address, telephone number, company name, job title, and any custom fields the Customer chooses to push from Instantly.
  • Communication content: subject and body of inbound and outbound email messages within the Customer's Instantly Unibox, synced into All Campaigns.
  • Operator-created annotations: reply notes, call logs (date, duration, outcome, free-text), opportunity stage and owner.
  • User account data: email addresses and display names of users the Customer invites into its tenant.

All Campaigns does not knowingly process special categories of personal data (Article 9 GDPR). The Customer agrees not to upload special categories of data or data relating to criminal convictions (Article 10 GDPR) without first notifying All Campaigns and agreeing on appropriate safeguards.

5. Categories of data subjects

  • Recipients of the Customer's cold-email outreach campaigns (typically professional contacts at target businesses).
  • Authors of reply messages received in the Customer's Instantly Unibox.
  • The Customer's own users and team members.
  • Where the Customer is an agency operating on behalf of end clients, the end clients' designated representatives.

6. Customer instructions

All Campaigns processes Customer Personal Data only on documented instructions from the Customer, including (a) the instructions embedded in the Terms and this DPA, (b) the instructions issued through ordinary use of the Service's features (e.g. configuring a tenant, deleting a record, exporting data), and (c) additional written instructions agreed between the parties.

All Campaigns will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law, unless such notification is itself prohibited by law.

7. Confidentiality

All Campaigns ensures that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate data-protection training.

8. Technical & organisational measures

All Campaigns implements and maintains technical and organisational security measures appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. These measures include:

  • Encryption in transit: TLS 1.2 or higher on all HTTP traffic; HSTS enforced on production domains.
  • Encryption at rest: AES-256 native database encryption (Supabase Postgres).
  • Application-level encryption: Instantly API keys and other secrets encrypted with AES-256-GCM before storage.
  • Tenant isolation: Postgres Row Level Security (RLS) policies enforce tenant boundaries at the database layer; an additional denormalised tenant_id column on every multi-tenant table provides defence-in-depth. RLS policies are covered by automated tests in CI.
  • Access control: least-privilege principles for engineering access; multi-factor authentication enforced on all administrative accounts; magic-link authentication for end users.
  • Audit logging: production access and sensitive operations are logged and retained.
  • Backups: daily encrypted backups of the Postgres database with point-in-time recovery within the EU region.
  • Vulnerability management: automated dependency scanning, code review on every change, periodic penetration testing.
  • Incident response: documented runbook with defined roles, notification thresholds and 24/7 escalation.

All Campaigns may update these measures from time to time, provided that the updates do not materially diminish the level of protection.

9. Sub-processors

The Customer provides a general authorisation to engage sub-processors. The current list of sub-processors is published in the Privacy Policy and forms an integral part of this DPA.

All Campaigns will:

  • Impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, in writing.
  • Remain liable to the Customer for the acts and omissions of its sub-processors as if performed by All Campaigns itself.
  • Give the Customer at least 30 days' advance notice (by email or in-app banner) of any intended change concerning the addition or replacement of sub-processors, giving the Customer an opportunity to object on reasonable grounds related to data protection. If the parties cannot resolve a reasonable objection, the Customer may terminate the affected portion of the Service.

10. Data-subject requests

Taking into account the nature of the processing, All Campaigns will assist the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.

If All Campaigns receives a request directly from a data subject relating to Customer Personal Data, All Campaigns will not respond to the substance of the request but will, without undue delay (and in any event within 7 days), forward the request to the Customer.

11. Audits & inspections

All Campaigns makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

On reasonable prior written notice (and no more than once per calendar year, unless required by a supervisory authority), the Customer or an independent third-party auditor mandated by the Customer (subject to confidentiality obligations) may conduct an audit of All Campaigns's compliance with this DPA. Audits are performed at the Customer's cost, scheduled to avoid material disruption to the Service, and may be satisfied in the first instance by All Campaigns providing a recent SOC 2 or ISO 27001 report, or equivalent third-party attestation, where available.

12. Personal-data breach notification

All Campaigns will notify the Customer without undue delay, and in any event within 72 hours after becoming aware, of a personal-data breach affecting Customer Personal Data. The notification will, at minimum, describe:

  • The nature of the personal-data breach, the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to be taken by All Campaigns to address the breach and mitigate its effects.
  • The name and contact details of All Campaigns's point of contact for further information.

All Campaigns will cooperate with the Customer in good faith to support the Customer's obligation to notify supervisory authorities and, where applicable, affected data subjects under Articles 33 and 34 GDPR.

13. International data transfers

All Campaigns processes Customer Personal Data within the European Union. To the extent that All Campaigns or any of its sub-processors transfers Customer Personal Data outside the EEA to a country not benefiting from an adequacy decision under Article 45 GDPR, such transfer will be made on the basis of the Standard Contractual Clauses, incorporated by reference into this DPA, together with any supplementary measures required by the European Data Protection Board's Recommendations 01/2020.

The parties agree that for the purposes of the SCCs:

  • The Customer is the data exporter.
  • All Campaigns is the data importer.
  • Module Two (controller to processor) or Module Three (processor to processor) applies as appropriate.
  • The governing law is the law of Bulgaria.
  • The supervisory authority is the Bulgarian CPDP.

14. Return & deletion of data

On termination of the Customer's subscription, at the Customer's choice All Campaigns will either return Customer Personal Data to the Customer in a structured, machine-readable format (CSV or JSON) or delete it from production systems within 30 days, and from encrypted backups within 90 days, unless retention is required by Union or Member-State law (e.g. accounting records). On request All Campaigns will issue a written confirmation of deletion.

The Customer may export or delete its own data at any time via the dashboard.

15. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in section 13 of the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including liability under Article 82 GDPR.

16. Order of precedence

In the event of any conflict or inconsistency between (a) the body of the Terms, (b) this DPA, and (c) the Standard Contractual Clauses (where they apply), the following order of precedence applies, with the higher-ranked document prevailing for matters concerning processing of personal data:

  1. The Standard Contractual Clauses (where applicable).
  2. This DPA.
  3. The Terms of Service.

17. Execution

This DPA is entered into and becomes legally binding between the Customer and All Campaigns when the Customer agrees to the Terms of Service (or upon execution of a separate signed instrument referencing this DPA). No additional signature is required.

If your procurement process requires a signed, counter-signed PDF version of this DPA — for example to attach to a vendor file — email privacy@leadora.bg or use the contact form and we will return one within two business days at no cost.