Data Processing Agreement
pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679
between
The Customer (hereinafter the "Controller")
and
Verbose OÜ (registry code 17089033), a private limited company incorporated in Estonia, with its registered address at Ahtri tn 12, 15551 Tallinn, Estonia, operating the Formidable platform (hereinafter the "Processor")
Version 1.0 — March 2026
This agreement incorporates the EU Standard Contractual Clauses (SCCs) for international data transfers.
In this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below, unless the context requires otherwise:
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
"Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data (the Customer).
"Processor" means the natural or legal person which processes Personal Data on behalf of the Controller (Verbose OÜ, operating as Formidable).
"Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"SCCs" means the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Services" means the services provided by the Processor to the Controller under the main service agreement, including the Formidable platform dashboard, chatbot, and related AI-powered sales tools.
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in the context of providing the Services. The details of the Processing are set out in Annex I.
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject (Article 28(3)(a) GDPR).
Legal basis for processing: The Controller, as the party determining the purposes and means of Processing, is responsible for ensuring that a valid legal basis under Article 6 GDPR exists for the Personal Data it instructs the Processor to process. The Controller's stated legal basis is its legitimate interest (Article 6(1)(f) GDPR). All Personal Data processed originates from leads who have provided their data to the Controller and accepted the processing thereof.
3.1 Confidentiality
The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
3.2 Security of Processing
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. The measures are described in Annex II to this DPA.
3.3 Subprocessors
The Controller hereby grants the Processor general written authorisation to engage the Subprocessors listed in Annex III (Article 28(2) GDPR). The Processor shall:
(a) inform the Controller of any intended changes concerning the addition or replacement of Subprocessors, giving the Controller the opportunity to object to such changes within 30 days;
(b) impose the same data protection obligations as set out in this DPA on any Subprocessor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (Article 28(4) GDPR);
(c) remain fully liable to the Controller for the performance of the Subprocessor's obligations.
3.4 Assistance to the Controller
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights (Chapter III GDPR).
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of Processing and the information available to the Processor.
3.5 Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Article 33(2) GDPR). The notification shall include:
(a) a description of the nature of the personal data breach, including the categories and approximate number of Data Subjects and records concerned;
(b) the name and contact details of the data protection officer or other contact point;
(c) a description of the likely consequences of the breach;
(d) a description of the measures taken or proposed to be taken to address the breach.
3.6 Deletion and Return of Data
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR).
3.7 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR).
Where Personal Data is transferred to Subprocessors located outside the European Economic Area in countries without an adequacy decision by the European Commission, such transfers shall be governed by the EU Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Module applicable: Module 2 (Controller to Processor) of the SCCs shall apply to transfers from the Controller to the Processor's Subprocessors in third countries.
The SCCs are hereby incorporated by reference into this DPA. The parties agree that Annexes I, II, and III of this DPA shall serve as the annexes to the SCCs. The applicable governing law under Clause 17 of the SCCs shall be the law of the Republic of Estonia. The competent supervisory authority under Clause 13 of the SCCs shall be determined in accordance with the selection set out in the SCC selections below: the supervisory authority of the Member State in which the data exporter is established, or, where the data exporter is not established in an EU Member State, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
Transfer Impact Assessment: The Processor has assessed that the technical and organisational measures described in Annex II, combined with the contractual protections of the SCCs, provide an essentially equivalent level of protection for Personal Data transferred to the United States. Key factors include: (a) the primary data store and application hosting are located in the EU (Frankfurt and other EU regions), so Personal Data at rest remains in the EU; (b) US-based Subprocessors receive Personal Data only for the specific functions described in Annex III (authentication, transactional email delivery, enrichment API calls) and do not hold the primary data store; (c) encryption in transit (TLS 1.2 or higher) is enforced for all transfers.
Where the Controller connects third-party services to the Processor's platform using the Controller's own credentials and accounts (e.g., HubSpot CRM integration via OAuth), such third-party services are not Subprocessors of the Processor. The Controller maintains an independent contractual relationship with those services, and the processing of Personal Data by those services is governed by the Controller's own agreements with them.
The Processor acts solely as a technical intermediary facilitating the data flow as instructed by the Controller and bears no responsibility for the data protection practices of such customer-initiated integrations.
This DPA shall be governed by and construed in accordance with the laws of the Republic of Estonia. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Tallinn, Estonia.
This DPA shall enter into force when the Customer accepts the Terms of Service that incorporate this DPA, and shall remain in effect for the duration of the main service agreement between the parties. The obligations of the Processor regarding confidentiality and data deletion shall survive termination of this DPA.
By using the Services and accepting the Terms of Service at formidable.work, the Customer agrees to be bound by this DPA. No separate signature is required. This DPA forms an integral part of the Terms of Service and is incorporated therein by reference.
Annex I
A. List of Parties
Data Exporter (Controller): The Customer, as identified in the main service agreement
Data Importer (Processor): Verbose OÜ (registry code 17089033), Ahtri tn 12, 15551 Tallinn, Estonia
Contact: manu@manuraivio.com
B. Description of Processing
Subject Matter: Provision of AI-powered sales engagement platform, including chatbot, dashboard, lead enrichment, and workflow automation services
Duration: For the term of the main service agreement
Nature of Processing: Collection, storage, retrieval, use, organisation, structuring, transmission, and erasure of Personal Data
Purpose: To provide the Services: AI-powered chat, lead management, contact enrichment, analytics, email notifications, and workflow automation on behalf of the Controller
Categories of Data Subjects: Website visitors, leads, prospects, and contacts of the Controller
Categories of Personal Data: Names, email addresses, phone numbers, job titles, company information, LinkedIn URLs, IP addresses, browser metadata, chat messages, conversation histories, OAuth tokens, enriched profile data (education, work history, skills)
Sensitive Data: None. The Processor does not intentionally process special categories of data as defined in Article 9 GDPR.
Annex II
The Processor implements the following measures pursuant to Article 32 GDPR:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- Database connections use SSL/TLS encryption.
- Passwords are stored only as salted hashes produced by an adaptive, work-factor-tunable password hashing algorithm (bcrypt); plaintext passwords are never persisted.
Access Control
- Role-based access control for all internal systems.
- OAuth 2.0 (Google Sign-In) for user authentication, with access and refresh tokens managed server-side.
- API keys and secrets stored in encrypted environment variables, never in source code.
Data Minimisation
- Personal Data is collected only as necessary for the provision of the Services.
- Enrichment data is cached for performance but can be purged on request.
Infrastructure Security
- Primary database hosted in EU (AWS Frankfurt, eu-central-1).
- Application hosting in EU regions via Vercel.
- Serverless architecture with automatic scaling and isolation.
- Regular security updates applied to all dependencies.
Incident Response
- Dedicated incident response process. The Controller is notified of a personal data breach without undue delay after the Processor becomes aware of it (see Section 3.5), and in any event in time for the Controller to meet its own 72-hour notification deadline to the supervisory authority under Article 33(1) GDPR.
- Logging and monitoring of all data access operations.
- Regular review of access logs and security events.
Business Continuity
- Automated database backups with point-in-time recovery.
- Multi-region failover capability for hosting infrastructure, within EU regions.
Annex III
The Controller has authorised the use of the following Subprocessors. Where a Subprocessor is based in a country without an EU adequacy decision, the transfer mechanism is the EU Standard Contractual Clauses (Module 2: Controller to Processor).
OpenAI, Inc. — LLM provider for AI chat, content generation, intent classification, lead briefing generation, FAQ analysis. Personal Data: Chat messages, conversation history, user queries, website content, lead/company information. Location: EU (OpenAI EU data processing) — Entity: United States.
Neon, Inc. — Managed serverless PostgreSQL database for user accounts, chat history, customer configs, lead data. Personal Data: User accounts (email, password hashes), chat messages, OAuth tokens, lead briefing data (names, emails, company info). Location: EU (AWS Frankfurt) — Entity: United States.
Vercel, Inc. — Application hosting, serverless functions, blob storage, web analytics, AI gateway. Personal Data: All application data in transit/at rest, server logs, uploaded files, web analytics, geolocation from IP. Location: EU hosting — Entity: United States.
Google LLC — OAuth 2.0 authentication; reCAPTCHA v3 bot protection. Personal Data: Google account ID, email, name, profile picture, OAuth tokens; IP addresses, browser fingerprinting data. Location: United States.
Resend, Inc. — Transactional email delivery (password resets, lead briefing reports, notifications). Personal Data: Recipient emails, email content incl. lead briefing reports, password reset tokens, conversation summaries. Location: United States.
People Data Labs, Inc. — B2B contact/company data enrichment API for lead intelligence. Personal Data: Full names, emails, phone numbers, LinkedIn URLs, job titles, company info, education/job history. Location: United States.
n8n GmbH — Workflow automation for form submission processing, lead research, enrichment. Personal Data: Form submission data (names, emails, company info, job titles, phone numbers, website URLs). Location: Germany (n8n Cloud, EU).
Transfer mechanisms for US-based entities: EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor). Where data is hosted in the EU (e.g., Neon on AWS Frankfurt, Vercel EU regions, OpenAI EU data processing), the SCCs serve as a supplementary safeguard.
Note on n8n GmbH: n8n is a German entity with EU-hosted cloud infrastructure. No international transfer mechanism is required.
The parties hereby incorporate by reference the Standard Contractual Clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor).
The full text of the SCCs is available from the European Commission at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
The following selections apply to the SCCs as incorporated:
Module: Module 2: Controller to Processor
Clause 7 (Docking clause): Not applicable
Clause 9(a) (Subprocessors): Option 2: General written authorisation. The Processor shall inform the Controller of any changes with a notice period of 30 days.
Clause 11(a) (Redress): The optional language is not included.
Clause 13(a) (Supervision): The supervisory authority of the Member State in which the data exporter is established shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) shall act as competent supervisory authority.
Clause 17 (Governing law): The laws of the Republic of Estonia.
Clause 18(b) (Jurisdiction): The courts of Tallinn, Estonia.
The Annexes I, II, and III of this DPA shall serve as the corresponding annexes to the SCCs. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
— End of Data Processing Agreement —