centerleapBack to home

Data Processing Addendum

Version 1

Effective Date: May 3, 2026

centerleap — Data Processing Addendum

Effective date: May 3, 2026 Last updated: May 3, 2026

This Data Processing Addendum (the "DPA") forms part of the centerleap Terms of Service (the "Agreement") between GENERAL SOFTWARE COMPANY LLC, doing business as centerleap.com ("centerleap," "Processor," "we," or "us"), and the Customer ("Controller," "you," or "your"). It applies whenever centerleap processes Personal Data on your behalf as a Processor.

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to data processing.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
  • Processing — any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, and erasure.
  • Data Protection Laws — all applicable laws relating to data protection and privacy, including the EU GDPR, UK GDPR, CCPA / CPRA (California), and other relevant state or national laws.
  • Data Subject — the individual to whom Personal Data relates.
  • Subprocessor — any third party engaged by centerleap that Processes Personal Data on behalf of the Controller.
  • Security Incident — a confirmed or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Other capitalized terms have the meanings given in the Agreement.

2. Scope and roles

  • You are the Controller (or Business under CCPA) and we are the Processor (or Service Provider).
  • This DPA applies to the Processing of Personal Data by centerleap when providing the Services — email, chat, phone, text, route, CRM, HR tools, document management, AI / RAG features, etc.
  • We will Process Personal Data only on your documented instructions (including as set out in the Agreement) and in compliance with Data Protection Laws.
  • We will not "sell" Personal Data (as defined under CCPA) or use it for our own purposes, except as necessary to provide the Services, improve security and performance, or comply with law.

AI processing. We do not use your Personal Data or Customer Content to train AI models. Third-party AI subprocessors (e.g., Anthropic, Google Gemini) are configured in zero-retention / no-training modes. You may exclude documents from AI and RAG processing at any time.

3. Our obligations as Processor

We will:

  • Process Personal Data only on your instructions, unless required by law (in which case we will inform you before Processing, unless prohibited).
  • Ensure that persons authorized to Process Personal Data are under appropriate confidentiality obligations.
  • Implement appropriate technical and organizational security measures, as described in our security overview and the Agreement.
  • Assist you (at your reasonable expense) in responding to Data Subject requests, provided the request is properly directed to us.
  • Notify you without undue delay, and in any event within 48 hours, of becoming aware of a Security Incident. The notification will include details required to assist you in complying with your notification obligations.
  • Make available the information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to confidentiality and reasonable notice (see §8).

4. Subprocessors

  • You authorize us to engage the Subprocessors listed at centerleap.com/legal/subprocessors. The current list includes Cloudflare, Vultr, RamNode, Supabase, Telnyx, Deepgram, ElevenLabs, Anthropic, Google Gemini, HERE, LocationIQ, and others.
  • We will enter into written agreements with each Subprocessor that impose data-protection obligations no less protective than those in this DPA.
  • We will notify you of any intended addition or replacement of a Subprocessor by updating the public list or by email. You may object on reasonable grounds within 14 days. If you object, we will work with you in good faith to find a resolution or, if no resolution is reached, allow you to terminate the affected Services.

5. Data Subject rights

We will assist you in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, and objection) by:

  • Providing tools within the Services, such as in-product account deletion and data export.
  • Making relevant data available to you upon request so you can respond directly to Data Subjects.

6. Return or deletion of data

Upon termination of the Agreement or your written request, we will delete or return all Personal Data — including copies — within a reasonable period, except where retention is required by law. End-to-end encrypted content may be purged immediately. We will certify deletion upon request.

7. International transfers

  • For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on the EU Standard Contractual Clauses (2021) and / or the UK International Data Transfer Addendum, each incorporated by reference into this DPA.
  • You authorize us to enter into the relevant SCC modules on your behalf where required.

8. Audits and inspections

You may request an audit once per year (or more frequently in the event of a Security Incident) on reasonable advance notice. We may satisfy this obligation by providing third-party audit reports (e.g., SOC 2) or by agreeing to a mutually acceptable remote audit.

9. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except for breaches of data-protection obligations where mandatory law imposes higher liability.

10. General

  • This DPA survives termination of the Agreement for as long as we Process Personal Data on your behalf.
  • We may update this DPA with notice to reflect changes in Data Protection Laws or our practices. Continued use of the Services after the effective date constitutes acceptance.
  • If any provision is held invalid, the remainder of the DPA remains in effect.

11. Acceptance

By using the Services, you agree to this DPA. For a counter-signed version or custom negotiation (e.g., for enterprise customers), contact legal@generalsoftwarecompany.com.