Data Processing Addendum (AccountRadar)

Last updated [DATE TO INSERT BEFORE PUBLISHING]
Effective [DATE TO INSERT BEFORE PUBLISHING]

Version: 1.0

Why is this DPA AccountRadar-specific?

This DPA covers AccountRadar only because the two Legatum Group platforms operate under different legal data-protection models.

AccountRadar — Customer uploads their own data (target accounts, client contact lists, internal notes). The customer is the data controller for that data; Legatum is the processor acting on the customer's instructions. Under UK GDPR Article 28, this relationship requires a written DPA. That's the document you're reading.

VaultHire — Legatum itself sources hiring manager contact data from third-party providers, applies its own filtering, and presents it to customers. Legatum is the controller for that data; the customer is a separate controller for any outreach they choose to send. This is the controller-to-controller model also used by leading B2B contact intelligence platforms (Apollo, Lusha, ContactOut, LinkedIn Recruiter). UK GDPR does not require a DPA between two independent controllers — each is governed by its respective privacy policy.

If you need legal documentation for VaultHire data handling, see the VaultHire Privacy Policy and Terms of Service instead.


This Data Processing Addendum ("DPA") forms part of the agreement between Legatum Group Limited ("Legatum", "Processor") and the customer ("Customer", "Controller") for the use of AccountRadar.

This DPA applies to the processing of Customer Data uploaded by Customer (e.g. lists of target accounts, client contacts, internal notes) where Legatum acts as a data processor on Customer's instructions.

By accepting the AccountRadar Terms of Service, Customer accepts this DPA.


1. Definitions

  • "Customer Data" — personal data uploaded by Customer to AccountRadar, including target account lists, client contact lists, and any internal notes attached to those records.
  • "UK GDPR" — the UK General Data Protection Regulation (UK GDPR Act 2018).
  • "EU GDPR" — Regulation (EU) 2016/679.
  • "Sub-processor" — a third-party processor engaged by Legatum to process Customer Data.
  • "Standard Contractual Clauses" or "SCCs" — the European Commission's approved clauses for transfers of personal data outside the EEA, as adapted by the UK Information Commissioner's Office where applicable.

2. Roles and responsibilities

  • Customer is the data controller for Customer Data uploaded into AccountRadar.
  • Legatum is the data processor, processing Customer Data on Customer's documented instructions.
  • For data Legatum sources from public business signals (funding announcements, hiring data, news APIs), Legatum acts as a separate data controller. That processing is governed by the Privacy Policy, not this DPA.

3. Subject matter and duration

Subject matter: Provision of the AccountRadar platform to Customer.

Duration: This DPA applies for as long as Legatum holds Customer Data, ending 90 days after termination of the AccountRadar subscription unless Customer has requested earlier deletion.

Nature and purpose: Storing, processing, indexing, and analysing Customer Data to generate signals, briefings, and notifications for Customer's use.

Categories of personal data:

  • Names of target account contacts
  • Business email addresses and phone numbers
  • Job titles and employer names
  • Notes and tags Customer attaches to records

Categories of data subjects:

  • Customer's target account contacts
  • Customer's existing client contacts
  • Decision-makers at companies Customer is monitoring

4. Customer's instructions

Legatum will process Customer Data only on Customer's documented instructions, which are:

  • The provisions of the AccountRadar Terms of Service
  • The configuration choices Customer makes in the platform (target accounts, alert preferences, etc.)
  • Specific written instructions Customer sends to Legatum

If Legatum is required by law to process Customer Data otherwise than on Customer's instructions, Legatum will notify Customer before processing unless prohibited by law.


5. Confidentiality

Legatum ensures that personnel authorised to access Customer Data:

  • Are bound by written confidentiality obligations
  • Receive appropriate training on data protection
  • Access Customer Data only on a need-to-know basis
  • Are subject to role-based access control with least-privilege principles

6. Security measures

Legatum implements appropriate technical and organisational measures to protect Customer Data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control
  • Multi-factor authentication for administrative access
  • Daily automated backups in a separate region
  • Documented incident response plan with named incident lead
  • Regular security review

A current security overview is published at /legal/trust.


7. Sub-processors

Authorisation

Customer authorises Legatum to engage sub-processors as listed at /legal/sub-processors.

New sub-processors

Legatum will provide Customer at least 30 days' prior written notice of any new sub-processor. Customer may object to a new sub-processor by emailing privacy@legatumgroup.uk within the notice period. If Legatum cannot reasonably accommodate the objection, Customer may terminate the affected portion of the AccountRadar service without penalty for the relevant period.

Liability

Legatum remains fully liable to Customer for the acts and omissions of its sub-processors with respect to obligations under this DPA.


8. International transfers

Legatum stores production Customer Data within the UK or EU. Where any sub-processor processes Customer Data outside the UK/EU (see the sub-processor list at /legal/sub-processors for which provider is based where), Legatum relies on:

  • Standard Contractual Clauses (SCCs) with that sub-processor
  • Adequacy decisions where applicable
  • Technical measures (encryption, access controls, data minimisation) appropriate to the transfer

Customer authorises these transfers as currently configured.


9. Assistance to Customer

Legatum will provide reasonable assistance to Customer in:

  • Responding to data subject access requests within UK GDPR timeframes
  • Conducting data protection impact assessments where required
  • Notifying supervisory authorities of personal data breaches
  • Implementing security measures appropriate to the risk

For routine data subject requests (access, deletion, rectification), Customer can fulfil these directly using AccountRadar's account-management tools. For complex requests or those involving Customer Data Legatum holds, Customer may contact privacy@legatumgroup.uk for assistance.


10. Data subject rights

If Legatum receives a data subject request relating to Customer Data, Legatum will:

  • Promptly forward the request to Customer
  • Not respond to the data subject directly except to acknowledge receipt and refer them to Customer (unless Customer has authorised Legatum to respond)
  • Provide reasonable cooperation with Customer's response

11. Personal data breach

In the event of a personal data breach affecting Customer Data, Legatum will:

  • Notify Customer without undue delay (within 72 hours of becoming aware where feasible)
  • Provide all information reasonably necessary for Customer to fulfil its breach notification obligations
  • Cooperate with Customer's investigation and remediation
  • Document the breach and remediation in accordance with Legatum's internal incident response plan

12. Data deletion and return

On termination of the AccountRadar subscription:

  • Legatum will retain Customer Data for 90 days to allow Customer to recover or export it
  • After 90 days, Legatum will delete Customer Data from production systems
  • Customer Data may persist in encrypted backups for up to 30 additional days, after which it is fully purged
  • On Customer's written request, Legatum will provide written confirmation of deletion

Customer may export their data at any time during the subscription via the platform's export tools.


13. Audit rights

Standard audits

Legatum will, on reasonable written notice, provide Customer with:

  • The latest security overview document
  • Confirmation of current sub-processor list and security controls
  • Information necessary to demonstrate compliance with this DPA

Onsite audits

Onsite audits are available to enterprise customers under negotiated MSAs. For other tiers, the published Trust & Compliance information is the standard substitute.

Independent attestations

When Legatum holds independent attestations (e.g. SOC 2 Type 1/2), the audit reports will be available to customers under NDA. Status of these attestations is published at /legal/trust.


14. Liability

Each party's liability under this DPA is subject to the limitation of liability set out in the AccountRadar Terms of Service.


15. Conflict and precedence

If there is any conflict between this DPA and the Terms of Service, this DPA prevails on matters relating to processing of personal data.


16. Changes

Legatum may update this DPA from time to time. Material changes will be communicated by email at least 30 days before they take effect. Continued use of AccountRadar after the effective date constitutes acceptance.


17. Governing law

This DPA is governed by the laws of England and Wales.


18. Acceptance

By accepting the AccountRadar Terms of Service, Customer accepts this DPA.

For customers requiring a signed bespoke DPA (e.g. Customer's legal team requires changes), please contact legal@legatumgroup.uk.


Contact

Legatum Group Limited
Company number: [PENDING — TO BE INSERTED]
Registered office: [TO BE INSERTED]
Privacy contact: privacy@legatumgroup.uk
Legal: legal@legatumgroup.uk

© 2026 Legatum Group Limited.
Company No. [PENDING] ICO Ref. [PENDING] hello@legatumgroup.uk