Last updated: March 2026

Data Processing Addendum

This Data Processing Addendum reflects the parties' agreement with regard to the processing of Personal Data under applicable data protection laws.

This Data Processing Addendum ("DPA" or "Addendum") is entered into by and between Cold Navigator ("Processor" or "Provider") and the Customer ("Controller") and forms part of the Terms of Service (the "Agreement").

This DPA reflects the parties' agreement with regard to the processing of Personal Data under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection legislation (collectively, "Applicable Data Protection Law").

1. Definitions

In addition to terms defined in the Agreement, the following definitions apply to this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") processed under the Agreement.
  • "Processing" (and its derivatives) means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Controller" (or "Controller") means the entity that determines the purposes and means of Processing of Personal Data.
  • "Data Processor" (or "Processor") means the entity that Processes Personal Data on behalf of the Data Controller.
  • "Sub-processor" means any third-party processor engaged by the Processor or its affiliates to process Personal Data on behalf of the Controller.
  • "Customer Personal Data" means Personal Data that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Account Data" means Personal Data relating to the Customer's relationship with the Provider, including account credentials, billing information, and usage data.
  • "Security Breach" means any unauthorized or unlawful access, disclosure, alteration, loss, or destruction of Personal Data. Unsuccessful attempts (such as unsuccessful login attempts, port scans, or denial-of-service attacks) do not constitute a Security Breach.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data approved by the European Commission (Implementing Decision 2021/914).
  • "Restricted Transfer" means a transfer of Personal Data to a country or territory outside the EEA, UK, or Turkiye that does not benefit from an adequacy decision.

2. Roles of the Parties

a. Customer Personal Data

The Customer is the Data Controller of Customer Personal Data submitted to or processed through the Service. Cold Navigator acts as a Data Processor, processing Customer Personal Data solely on behalf of and under the instructions of the Controller.

b. Account Data

Cold Navigator is an independent Data Controller (not a joint controller) with respect to Account Data. Cold Navigator processes Account Data for the following purposes:

  • Account management and authentication
  • Billing and payment processing
  • Security, fraud detection, and abuse prevention
  • Service improvement and analytics (in anonymized form)
  • Legal compliance and regulatory obligations

Account Data processing is governed by this DPA, the Agreement, and our Privacy Policy.

c. Email Features Clarification

With respect to the Email Finder and Email Sender features:

  • The Customer remains the sole Data Controller of any recipient data, email content, and communication activity.
  • Cold Navigator acts strictly as a Data Processor providing technical tools to enable email discovery and transmission on behalf of the Customer.
  • Cold Navigator does not determine the purposes or means of processing recipient Personal Data.

3. Scope and Purpose of Processing

a. Processing Activities

Cold Navigator will process Customer Personal Data solely for the purpose of providing the Service as described in the Agreement, including:

  • Account administration and user management
  • Platform operation, campaign execution, and lead management
  • Technical support and troubleshooting
  • Security monitoring, incident detection, and compliance
  • Analytics and reporting related to the Service
  • Email finding, sending, and delivery (where applicable)

b. Categories of Data Subjects

  • Customer's employees and authorized users (Permitted Users)
  • Customer's leads, prospects, and business contacts
  • Recipients of communications sent through the Service

c. Categories of Personal Data

  • Contact information (names, email addresses, phone numbers, job titles)
  • LinkedIn profile data (profile URLs, headlines, company information)
  • Communication content (messages, email content)
  • Campaign and interaction metadata (enrollment status, delivery status, engagement data)
  • Account credentials and authentication data (encrypted)

d. Sensitive Personal Data

The Service is not designed to process sensitive or special category Personal Data as defined by GDPR Article 9 or KVKK Article 6. The Customer shall not submit such data to the Service.

e. Duration of Processing

Processing will continue for the duration of the Agreement (Subscription Term) plus the data retention period specified in Section 10.

4. Processing Instructions

The Processor will process Customer Personal Data only in accordance with the Controller's documented instructions, which include:

  • The terms of the Agreement and this DPA.
  • Instructions given through the Service (e.g., configuring campaigns, managing leads).
  • Additional written instructions agreed upon by the parties.

If the Processor believes an instruction from the Controller infringes Applicable Data Protection Law, the Processor will notify the Controller without undue delay and may suspend processing of the relevant instruction until the Controller confirms or modifies it.

5. Compliance with Laws

a. Processor Obligations

The Processor shall:

  • Process Customer Personal Data in compliance with Applicable Data Protection Law.
  • Implement appropriate technical and organizational measures as described in Section 8.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Assist the Controller in ensuring compliance with its obligations under Applicable Data Protection Law, including data protection impact assessments and prior consultations with supervisory authorities.

b. Controller Obligations

The Controller shall:

  • Ensure that it has a lawful basis for the collection and processing of Customer Personal Data.
  • Obtain all necessary consents, authorizations, and permissions required under Applicable Data Protection Law.
  • Comply with all applicable data protection, anti-spam, and marketing laws in connection with its use of the Service.
  • Ensure that its instructions to the Processor are lawful and do not cause the Processor to violate Applicable Data Protection Law.

6. International Data Transfers

a. Processing Locations

Customer Personal Data is primarily processed in:

  • Frankfurt, Germany (EU) — Primary database and application servers
  • Republic of Turkiye — Business operations and support
  • United States — Certain sub-processors (see Section 7)

b. Transfer Mechanisms

Where a Restricted Transfer occurs, the Processor shall ensure appropriate safeguards through:

  • EU Commission adequacy decisions, where applicable.
  • Standard Contractual Clauses (SCCs) adopted under GDPR (Commission Implementing Decision 2021/914):
    • Module Two (Controller to Processor): For transfers of Customer Personal Data.
    • Module One (Controller to Controller): For transfers of Account Data where applicable.
  • UK International Data Transfer Addendum (UK IDTA) to the EU SCCs, for transfers subject to UK GDPR.
  • Swiss Federal Act on Data Protection (FADP) addendum to the SCCs, where applicable.
  • Other appropriate safeguards recognized under KVKK and Applicable Data Protection Law.

c. SCC Terms

Where SCCs apply:

  • Clause 7 (Docking clause): Applies, allowing additional parties to accede.
  • Clause 9 (Sub-processors): Option 2 applies; the Processor provides general written authorization for sub-processor engagement with a notification mechanism per Section 7(d).
  • Clause 11 (Redress): Optional language is not included.
  • Clause 17 (Governing law): The laws of the Republic of Turkiye.
  • Clause 18 (Jurisdiction): Courts of Istanbul, Turkiye.
  • Annex I: As described in Schedule A of this DPA.
  • Annex II: As described in Section 8 (Security Measures).

d. Conflict

In the event of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to data transfers.

7. Sub-processors

a. General Authorization

The Controller grants the Processor general written authorization to engage sub-processors to assist with the provision of the Service, subject to the requirements of this Section 7.

b. Approved Sub-processors

Category | Purpose | Location
Cloud infrastructure provider | Application hosting and infrastructure | EU (Frankfurt, Germany)
Database and authentication provider | Database hosting, user authentication, and real-time services | EU (Frankfurt, Germany)
Dodo Payments | Payment processing and subscription management | EU
Transactional email provider | System notifications and transactional email delivery | United States
Website analytics provider | Website traffic analysis and usage tracking | United States
User experience analytics provider | User experience analysis and session insights | EU
Security and CDN provider | Content delivery, DDoS protection, and bot prevention | Global

c. Sub-processor Obligations

The Processor shall ensure that each sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

d. Notification of Changes

The Processor will provide the Controller with at least 14 days' advance notice before engaging a new sub-processor or replacing an existing sub-processor. Notice will be provided via email to the Controller's account email address or through a notification on our website.

e. Objection Right

The Controller may object to a new sub-processor within 30 days of receiving notice, on reasonable grounds related to data protection. If the Controller objects:

  • The parties will work together in good faith to find an alternative solution.
  • If no mutually acceptable solution is found within 30 days, the Controller may terminate the affected Service without penalty by providing written notice.

8. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures to protect Customer Personal Data against Security Breaches, including:

Technical Measures

  • Encryption at rest: Sensitive data (credentials, OAuth tokens, session data) encrypted using AES-256-GCM with authenticated encryption.
  • Encryption in transit: All data transmitted over public networks is protected using TLS 1.2 or higher.
  • Access controls: Role-based access control (RBAC) with five permission levels. Row-level security (RLS) policies enforce data isolation between customer workspaces at the database level.
  • Authentication: JWT-based authentication with secure token management. Support for multi-factor authentication.
  • Rate limiting: Multi-layered rate limiting to protect against brute-force and denial-of-service attacks.
  • Input validation: Server-side input validation and sanitization to prevent injection attacks.
  • Security headers: HSTS, CSP, X-Frame-Options, and other security headers enforced.
  • Network security: CORS restrictions, firewall rules, and reverse proxy configuration.

Organizational Measures

  • Personnel: Access to Personal Data limited to authorized personnel on a need-to-know basis. All personnel with access are bound by confidentiality obligations.
  • Monitoring: Centralized logging and monitoring for security incident detection.
  • Vulnerability management: Regular dependency updates and security patching.
  • Incident response: Documented incident response procedures for Security Breaches.

Security measures are regularly reviewed and updated in line with technical developments and evolving threats, without materially decreasing the overall level of protection.

9. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

The Service provides self-service features enabling the Controller to access, correct, export, and delete Customer Personal Data. Where additional assistance is required, the Processor will provide reasonable assistance at the Controller's expense.

If the Processor receives a request directly from a Data Subject, the Processor will promptly notify the Controller (where the Controller's identity can be determined) and will not respond to the request without the Controller's instructions, unless legally required to do so.

10. Data Retention and Deletion

a. During the Agreement

Customer Personal Data is retained for the duration of the Agreement and processed solely for the purposes described in this DPA.

b. Upon Termination

Following termination or expiration of the Agreement, the Processor will:

  • Retain Customer Personal Data for a maximum of 30 days to allow the Controller to export data.
  • Upon the Controller's written request, delete or return all Customer Personal Data within 30 days of the request.
  • After the 30-day retention period, delete all Customer Personal Data in the ordinary course of business.

c. Exceptions

The Processor may retain Personal Data beyond the periods stated above where:

  • Retention is required by applicable law, regulation, or legal process.
  • Data is contained in archived backup systems — such data will be securely isolated and protected from further processing until deletion is practicable.

d. Email Feature Data Minimization

Cold Navigator does not permanently store or retain email addresses discovered through the Email Finder, recipient lists, email message contents, or communication history generated through the Email Sender. All such data is processed temporarily for technical purposes only.

11. Security Breach Notification

a. Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Breach affecting Customer Personal Data.

b. Notification Content

The notification will include, to the extent available:

  • A description of the nature of the Security Breach, including the categories and approximate number of Data Subjects and records affected.
  • The name and contact details of the Processor's point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.

c. Cooperation

The Processor will cooperate with the Controller and provide reasonable assistance to enable the Controller to fulfill its own breach notification obligations under Applicable Data Protection Law.

d. Limitation

Notification of a Security Breach shall not be construed as an acknowledgment of fault or liability by the Processor.

12. Audit Rights

a. Documentation

The Processor will make available to the Controller, upon written request and at no additional cost, information and documentation reasonably necessary to demonstrate compliance with the Processor's obligations under this DPA and Article 28 of the GDPR.

b. Audits

The Controller (or a qualified, independent third-party auditor appointed by the Controller) may conduct an audit of the Processor's data processing activities, subject to the following:

  • Audits may be conducted no more than once per year, unless required by a supervisory authority or in response to a Security Breach.
  • The Controller must provide at least 30 days' written notice.
  • The parties will mutually agree on the scope, timing, and duration of the audit.
  • Audits will be conducted during normal business hours and will not unreasonably interfere with the Processor's operations.
  • The auditor must be bound by appropriate confidentiality obligations and must not be a direct competitor of the Processor.
  • Audit costs (including any costs incurred by the Processor) are borne by the Controller.

c. Standard Contractual Clauses

The audit rights set forth in this Section 12 also satisfy the audit requirements under the applicable Standard Contractual Clauses.

13. Data Protection Impact Assessments

The Processor will provide reasonable assistance to the Controller (at the Controller's expense) in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Law (GDPR Articles 35-36).

14. No Sale or Sharing of Personal Data

To the extent required by the CCPA/CPRA or other applicable U.S. state privacy laws, the Processor:

  • Will not sell Customer Personal Data or provide it to third parties in exchange for monetary or other valuable consideration.
  • Will not share Customer Personal Data for cross-context behavioral advertising purposes.
  • Will not retain, use, or disclose Customer Personal Data for any purpose other than the specific business purposes set forth in the Agreement.
  • Will not combine Customer Personal Data with personal data received from other sources, except as permitted by Applicable Data Protection Law.

15. Limitation of Liability

The limitation of liability provisions in the Agreement apply equally to this DPA, except as expressly stated herein or as required by Applicable Data Protection Law.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Turkiye, without regard to conflict of law provisions. Any dispute arising out of or related to this DPA shall be subject to the exclusive jurisdiction of the courts of Istanbul, Turkiye.

Where Standard Contractual Clauses apply and specify a different governing law or jurisdiction, the SCCs shall prevail for matters relating to international data transfers.

17. Modifications

The Processor reserves the right to modify this DPA to comply with changes in Applicable Data Protection Law. Material changes will be communicated with at least 14 days' notice. The Controller's continued use of the Service after such notice constitutes acceptance of the modified DPA.

18. Entire Agreement

This DPA, together with the Terms of Service, Privacy Policy, and Cookie Policy, constitutes the entire agreement between the parties with respect to the processing of Personal Data. This DPA supersedes any prior data processing agreements or addenda between the parties.

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.

Schedule A: Description of Processing Activities

A.1. Parties

Data Exporter (Controller): The Customer, as identified in the Agreement
Data Importer (Processor): Cold Navigator

A.2. Description of Transfer

Categories of Data Subjects: Customer's employees and authorized users; Customer's leads, prospects, and business contacts; recipients of communications sent through the Service.
Categories of Personal Data: Contact data (name, email, phone, job title, company); LinkedIn profile data (profile URL, headline, location); communication content (messages, email content); campaign metadata (status, engagement data); account credentials (encrypted).
Sensitive Data: None. The Service is not designed to process sensitive or special category data.
Frequency of Transfer: Continuous, for the duration of the Agreement.
Nature and Purpose of Processing: Provision, operation, and maintenance of the Service, including: data storage and hosting; campaign execution and lead management; email finding and sending; analytics and reporting; technical support; security and compliance.
Retention Period: Duration of the Agreement plus 30 days, unless otherwise required by law.

A.3. Competent Supervisory Authority

The competent supervisory authority is determined based on the Controller's establishment:

  • Turkiye: Turkish Personal Data Protection Authority (KVKK Kurulu)
  • EU: The supervisory authority of the EU Member State in which the Controller is established
  • UK: Information Commissioner's Office (ICO)

19. Contact

For any questions regarding this DPA or data protection practices, contact us at: support@coldnavigator.com