Leap Hub Inc. (d/b/a Contentia)

1) Parties and Scope

1.1 This Data Processing Addendum (“DPA”) is entered into between:

(a) Leap Hub Inc., doing business as Contentia (“Processor”), 5900 Balcones Dr #13051, Austin, TX 78731, United States; and

(b) the customer that accepts the Terms of Service or uses the Services (“Customer” or “Controller”).

1.2 This DPA applies to the extent Processor processes Personal Data on behalf of Controller in connection with the Services.

2) Order of Precedence

2.1 In the event of a conflict between this DPA and the Terms of Service or any other agreement governing the Services (“Agreement”), this DPA controls with respect to data protection and processing terms.

2.2 If Standard Contractual Clauses or other transfer mechanisms apply under Section 9, those mechanisms control to the extent required for international transfers.

3) Definitions

3.1 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

3.2 “Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement, including as applicable: the EU GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection (as revised) and related ordinances.

3.3 “Process/Processing,” “Controller,” “Processor,” and “Supervisory Authority” have the meanings given in applicable Data Protection Laws.

3.4 “Customer Personal Data” means Personal Data processed by Processor on behalf of Controller under the Agreement.

3.5 “Subprocessor” means a Processor engaged by Processor to process Customer Personal Data.

4) Roles of the Parties

4.1 Controller is the Controller of Customer Personal Data. Processor is the Processor of Customer Personal Data.

4.2 Each party will comply with its obligations under applicable Data Protection Laws.

5) Processing Instructions, Purpose Limitation, and Details of Processing

5.1 Processor will process Customer Personal Data only:

(a) to provide, secure, maintain, and support the Services;

(b) in accordance with Controller’s documented instructions as reflected in the Agreement, this DPA, and Controller’s use and configuration of the Services; and

(c) as necessary to comply with applicable law, in which case Processor will (to the extent permitted) inform Controller of that legal requirement.

5.2 The subject matter, duration, nature, purposes, types of Personal Data, and categories of Data Subjects are described in Annex I.

5.3 Controller is responsible for ensuring it has a lawful basis for processing and for providing any notices/obtaining any consents required for its use of the Services.

6) Confidentiality

6.1 Processor will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7) Security Measures

7.1 Processor will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

7.2 A non-exhaustive description of Processor’s security measures is set out in Annex II. Processor may update the security measures from time to time, provided that overall security is not materially reduced.

8) Personal Data Breach Notification

8.1 Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably required for Controller to meet any breach-notification obligations under Data Protection Laws.

8.2 Processor will take reasonable steps to contain, investigate, and remediate the Personal Data Breach.

9) Subprocessing

9.1 Controller provides Processor a general authorization to engage Subprocessors to process Customer Personal Data for the Services.

9.2 Processor maintains a list of Subprocessors in Annex III.

9.3 Processor will provide at least thirty (30) days’ advance notice of any intended addition or replacement of a Subprocessor that may process Customer Personal Data (including by updating Annex III or by in-product notice). If Controller reasonably objects to the change on data protection grounds within that notice period, the parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Controller may discontinue the affected portion of the Services by providing notice, and this will be without prejudice to any fees already accrued for the then-current period (unless otherwise required by law).

9.4 Processor will impose data protection obligations on Subprocessors that are no less protective than those in this DPA, including appropriate security measures and confidentiality.

10) Assistance to Controller

10.1 Taking into account the nature of processing and the information available to Processor, Processor will provide reasonable assistance to Controller in:

(a) responding to Data Subject requests (access, deletion, rectification, portability, objection, restriction) relating to Customer Personal Data; and

(b) fulfilling Controller’s obligations regarding security, breach notifications, impact assessments, and prior consultations with Supervisory Authorities, where applicable.

10.2 Processor may charge a reasonable fee for assistance requests that are excessive, repetitive, or manifestly unfounded.

11) Data Subject Requests

11.1 If Processor receives a request from a Data Subject relating to Customer Personal Data, Processor will, where legally permitted, direct the Data Subject to Controller. Processor will not respond substantively except to confirm that the request has been forwarded or as required by law.

12) Audits and Compliance Information

12.1 Upon written request, Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA.

12.2 Controller may audit Processor’s compliance with this DPA no more than once per calendar year, unless:

(a) a Personal Data Breach occurs affecting Customer Personal Data; or

(b) an audit is required by a Supervisory Authority.

12.3 Audits will be conducted during normal business hours, with reasonable advance notice, and subject to confidentiality and security requirements. Processor may satisfy audit requests through existing reports, summaries, or third-party attestations where reasonable, and may limit audits to protect other customers’ data and Processor’s security.

13) Deletion and Return of Data

13.1 During the term of the Agreement, Customer may delete Customer Personal Data within the Services using available functionality.

13.2 Upon termination or expiration of the Services, Processor will, within a reasonable time, delete or return Customer Personal Data in Processor’s control, unless retention is required by applicable law. Where retention is required, Processor will continue to protect the data and limit processing to the legally required purpose.

14) International Data Transfers

14.1 Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection under applicable Data Protection Laws, the parties agree that such transfers will be governed by an appropriate transfer mechanism, which may include:

(a) the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (“EU SCCs”), Module Two (Controller-to-Processor) and/or Module Three (Processor-to-Processor), as applicable; and

(b) for transfers subject to UK GDPR, the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA), as applicable; and

(c) for transfers subject to Swiss law, an appropriate Swiss addendum to the EU SCCs.

14.2 For purposes of the EU SCCs, the parties agree:

(a) Controller is the “data exporter” and Processor is the “data importer” (and where Processor engages a Subprocessor outside an adequate jurisdiction, Processor may act as “data exporter” for Module Three);

(b) the Annexes to this DPA are incorporated by reference into the Annexes of the EU SCCs; and

(c) audits and assistance will be handled in accordance with Sections 10 and 12 of this DPA to the extent permitted by the EU SCCs.

14.3 If any transfer mechanism in this Section 14 is replaced or updated by a competent authority, the parties will cooperate in good faith to implement a replacement mechanism that achieves substantially similar protection.

14.4 Processor will maintain appropriate safeguards for international transfers and will, where required, perform transfer risk assessments and implement supplementary measures.

15) AI Processing and Model Training

15.1 Controller acknowledges that the Services may process Customer Personal Data (including text and URLs submitted for analysis) using third-party AI service providers to generate analysis and recommendations.

15.2 Processor does not permit its AI Subprocessors to use Customer Personal Data to train or improve their general-purpose models, except where Controller expressly opts in through a documented agreement or configuration (if such option is made available).

15.3 Controller is responsible for deciding what content to submit to the Services and should avoid submitting special category/sensitive data unless necessary and lawful.

16) Liability

16.1 Liability allocation, limitations, and disclaimers are governed by the Agreement, except to the extent prohibited by applicable Data Protection Laws.

17) Contact

17.1 All inquiries regarding this DPA should be directed to: support@contentia.co.

ANNEX I — DETAILS OF PROCESSING

A. Subject Matter

Provision of the Contentia Services, including account access, content analysis, reporting, security, support, and platform operations.

B. Duration

For the term of the Agreement plus any period necessary for deletion/return under Section 13, subject to legally required retention.

C. Nature and Purpose of Processing

– Account provisioning and authentication via Leap Hub identity system

– Processing content URLs and user-submitted text for automated analysis and recommendations

– Generating reports, scores, insights, and exports

– Customer support, billing administration, fraud prevention, and security monitoring

– Analytics to improve platform reliability and user experience

D. Categories of Data Subjects

– Customer’s authorized users (employees, contractors, or individual account holders)

– End users whose data Controller uploads or inputs to the Services (if any)

E. Types of Personal Data

Depending on Controller’s use of the Services:

– Identifiers and contact information (name, email, account identifiers)

– Account and authentication data (login/session metadata)

– Billing metadata (invoices/transaction IDs; payment details are processed by payment processors)

– Technical and usage data (IP address, device/browser information, logs, timestamps)

– Content submitted for analysis (which may contain Personal Data if Controller includes it)

F. Special Categories of Data

Not intended. Controller should not submit special category data unless strictly necessary and lawful. Processor does not require special categories of data to provide the Services.

G. Processing Locations

Primary hosting/processing may occur in the European Union (including Germany) and in other locations where Processor and its Subprocessors operate, subject to the safeguards in Section 14.

ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Processor maintains security measures designed to protect Customer Personal Data, including:

1) Access Controls

– Role-based access control (least privilege)

– Strong authentication for administrative access

– Access logging and periodic access review

2) Encryption

– Encryption in transit using industry-standard TLS

– Encryption at rest where supported by underlying infrastructure and storage layers

– Secure key management practices where applicable

3) Security Monitoring and Logging

– Monitoring for suspicious activity and abuse

– Centralized logging of security-relevant events

– Rate limiting and abuse prevention controls

4) Availability and Resilience

– Backups and recovery procedures

– Infrastructure protections and redundancy as supported by hosting providers

– Change management practices to reduce service disruption risk

5) Vulnerability Management

– Timely application of security patches and updates

– Reasonable vulnerability scanning and remediation practices

6) Incident Response

– Incident response process for triage, containment, remediation, and post-incident review

– Breach notification in accordance with Section 8

7) Organizational Measures

– Confidentiality commitments for personnel

– Security awareness practices for staff with access to systems

– Subprocessor due diligence and contractual controls

ANNEX III — SUBPROCESSORS

Processor may use the following Subprocessors to provide the Services (subject to change per Section 9):

– Cloudways (hosting/infrastructure; may host in the EU, including Germany)

– Cloudflare (CDN, DDoS protection, security)

– Stripe (payment processing)

– PayPal (payment processing)

– MailerLite / MailerSend (transactional and service communications)

– Google Analytics and Google Tag Manager (analytics/measurement)

– Hotjar (user experience analytics)

– OpenAI (AI processing for content analysis)

– Anthropic (AI processing for content analysis)

– Perplexity AI (AI processing for content analysis)
