Updated: 6/9/2026
This Data Processing Addendum (“DPA”) sets forth the terms relating to the processing of Personal Information associated with services rendered by Tribe Prospecting LLC (dba Titan X, as amended from time to time) a Tennessee limited liability company having offices at 4546 Chapman Hwy #1026, Knoxville, TN 37920 (“TitanX”) to the customer entity executed on the applicable Order Form (“Customer”) pursuant to the TitanX Terms of Service accepted by the Customer and made available at titanx.io/terms (the “Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect. In the event of any dispute or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall control as it relates to the processing of Personal Information (defined below).
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set forth below shall be added as an addendum to the Agreement. Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as amended by, and including, this DPA. Terms not defined in this DPA shall have the meanings set forth in the Agreement.
- Definitions.
- “Aggregated Data” means any data or information derived from or generated using Customer Personal Information, Submitted Data, TitanX Data, or Customer’s use of the Services, in each case in aggregated, anonymized, de-identified, or other form that does not identify, and is not reasonably capable of identifying, Customer or any individual, household, or device. Aggregated Data is not Personal Information for purposes of this DPA.
- “Customer Personal Information” means Submitted Data that contains Personal Information.
- “Data Protection Laws” means all applicable data protection, data privacy and data security laws, amendments, implementing laws, and regulations, of any jurisdiction, to the extent applicable to the processing, privacy, integrity, security, or confidentiality of Personal Information by the parties, including, but not limited to: the EU/UK Data Protection Laws and the US Data Protection Laws, in each case, as the same may be amended, supplemented, replaced or superseded from time to time.
- “EU GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “EU/UK Data Protection Laws” means all applicable data protection, data privacy and data security laws in force from time to time in the European Union (EU) and/or United Kingdom (UK) (as applicable) including the EU GDPR and the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426); any EU or UK legislation relating to Personal Information;
- “Personal Information” means (i) any information identifying, relating to, describing, reasonably capable of being associated with, or that could reasonably be linked, directly or indirectly, with an identified or identifiable person or household; or (ii) as defined by Data Protection Laws. Personal Information does not include anonymized or de-identified data, or (where US Data Protection Laws so provide) publicly available information.
- “Personal Information Breach" means any (i) unauthorized processing, such as loss or unauthorized use, alteration, disclosure, acquisition of, or access to, or accidental or unlawful destruction of such information of Personal Information; or (ii) an occurrence in which Personal Information has been compromised by any means, including by a data breach (and equivalent terms) as defined by Data Protection Laws.
- “Standard Contractual Clauses” or “SCCs” means in respect of any transfers of Personal Information from: (i) the European Economic Area to third countries, the standard contractual clauses annexed to the EU Commission decision EU 2021/914 of 4 June 2021 as regards the introduction of an alternative set of standard contractual clauses for the transfer of Personal Information to third countries (and as updated from time to time); or
(ii) the UK to third countries, the EU clauses described in clause 1.8(i) as amended by the UK Addendum issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 or, if none of the foregoing apply, any standard contractual clauses or international data transfer agreements approved by the UK Information Commissioner’s Office for the transfer of Personal Information to third countries (and as updated from time to time).
- “TitanX Personal Information” means TitanX Data that contains Personal Information.
- “UK GDPR” means the EU GDPR as incorporated into United Kingdom law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018.
- “US Data Protection Laws” means any applicable U.S. state, federal, or other data privacy and security laws, amendments, implementing laws, and regulations, to the extent applicable to the processing, privacy, integrity, security, or confidentiality of Personal Information by the parties, including, but not limited to: the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (the “CCPA”), the Oregon Act Relating to Protections for Personal Data of Consumers (Or. Rev. Stat. Ann. § 646A.570 et seq.) (the “Oregon Privacy law”), etc.
- “Collect,” “consumer,” “contractor,” “controller,” “personal data,” “process,” “processor,” “sell,” “share,” “sensitive data,” “service provider,” “sub-processor,” and their cognate terms, shall be interpreted as defined by that term or the similar and reasonably equivalent terms under applicable Data Protection Laws.
- TitanX's Obligations as a Processor. The following terms apply where TitanX processes Customer Personal Information on behalf of Customer in the capacity of a processor pursuant to the Agreement:
- Processing of Personal Information. Subject always to Section 2.7:
- TitanX shall only process Customer Personal Information on documented instructions from Customer for the limited and specified purpose, including as set forth in Schedule 1 of this DPA.
- As between the parties, Customer is the controller of the Customer Personal Information shared between the parties for the purposes of delivering the Services pursuant to the Agreement and TitanX is the processor or service provider, as applicable and as defined by Data Protection Laws.
- Schedule 1 to this Addendum sets out certain information regarding the processing of Personal Information by TitanX including the categories of Personal Information, business purpose, and duration of the processing.
- Without limiting the generality of the foregoing Sections 2.1.1, 2.1.2, and 2.1.3, TitanX shall not:
- Sell or share Customer Personal Information.
- Retain, use, or disclose Customer Personal Information for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by the applicable Data Protection Laws.
- Retain, use, or disclose Customer Personal Information outside of the direct business relationship between TitanX and the Customer.
- Combine Customer Personal Information that TitanX receives from, or on behalf of, the Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
- Utilize Customer Personal Information for purposes of profiling or targeted advertising.
- Compliance with Data Protection Laws.
- The parties represent and warrant that each has complied with, and undertakes to continue to comply with, the Data Protection Laws in the performance of its obligations under the Agreement. Customer represents and warrants that any Personal Information provided to TitanX has been collected and processed in accordance with the Data Protection Laws.
- TitanX will notify Customer promptly if it makes a determination that it can no longer fulfill its obligations under the DPA or any Data Protection Laws.
- Customer will immediately notify TitanX if there is any complaint or demand from a legal, regulatory or supervisory authority that relate to or would impact the provision of the Services (as defined in the Agreement).
- The parties acknowledge that any disclosure of Customer Personal Information pursuant to the Agreement does not confer any value under the Agreement.
- International Transfers.
- To the extent that either party transfers Personal Information to the other party under or pursuant to the Agreement and this constitutes a transfer of personal data outside of the European Economic Area and/or the UK (as applicable) to a third country, the parties agree that the applicable SCCs shall apply and be incorporated by reference as if fully set forth in this DPA, and shall form an integral part of the Agreement, unless and only then to the extent that such transfer is otherwise permitted under Data Protection Laws. The information and details set out in Schedule 3 shall apply in respect of such SCCs.
- The optional docking clause set out in Clause 7 of the SCCs shall apply, thereby permitting additional parties to accede to the SCCs in accordance with the procedure specified therein.
- For the purposes of Clause 13 of the SCCs, the competent supervisory authority shall be (i) the supervisory authority of the EU member state in which the data exporter is established or, where the data exporter is not established in the EU, the supervisory authority of the EU member state in which the data exporter's representative within the meaning of Article 27(1) of the GDPR is established, or, in the absence of such a representative, the supervisory authority of the EU member state in which the data subjects whose personal data is transferred are located, or (ii) the supervisory authority of the UK, where the data exporter is established in the UK.
- In addition to clause 2.3.1, each party (“first party”) agrees to oblige its affiliates, processors and sub-processors and/or any other relevant third parties that are in each case located in any third country to which the Personal Information is being transferred, to (i) verify, prior to any such transfer to the importing entity, whether the minimum level of protection, as provided for in the SCCs, is respected in the third country concerned and (ii) inform the other party promptly in writing of any inability by the third country to comply with the SCCs. If the third country to which Personal Information is being transferred is not able to comply with the SCCs, the first party shall notify the other party immediately in writing of that fact and suspend the transfer of Personal Information to the relevant affiliates, processors or sub-processors and/or other third parties located in the specified third country, until it receives confirmation from the other party that it is authorized to continue with the processing of Personal Information.
- In the event of any inconsistency between the terms of the SCCs and the terms of the Agreement or this DPA, the terms of the SCCs shall prevail.
- Sub-processors.
- Customer provides TitanX with a general authorization to engage sub-processors in the processing of Personal Information in connection with the provision of the Services under the Agreement. At least thirty (30) days prior to the date on which any new sub-processor shall start processing Customer Personal Information, TitanX will notify Customer via email, via posting on its website, or through other reasonable means of any update to authorized sub-processors. Customer may object to TitanX’s appointment of a new sub-processor on reasonable grounds related to data protection by notifying TitanX via email within ten (10) calendar days of being notified of such new sub-processor via the means described above. In such event, TitanX shall either: (i) work with Customer to address Customer’s objections to its reasonable satisfaction; (ii) instruct the sub-processor not to process Customer Personal Information; or (iii) notify Customer of its option to terminate this DPA, the applicable Services, and/or the Agreement within fourteen (14) calendar days.
- TitanX shall be responsible for the acts, omissions and defaults of any sub-processor as if they were TitanX’s acts, omissions or defaults.
- Audits and Assessments. On Customer’s written request, and no more than once every twelve (12) months, TitanX will make available to Customer for Customer’s review those of TitanX's records pertaining to its processing of Customer Personal Information.
- Deletion and Return of Personal Information. After conclusion of the provision of Services under the Agreement, or at the earlier request of Customer, TitanX, including all sub-processors and subcontractors, shall, either securely delete in a manner compliant with Data Protection Laws or return to Customer, the Customer Personal Information, unless applicable law or TitanX’s internal backup or data retention policies requires further storage of the Personal Information.
- Aggregated Data. Customer acknowledges that TitanX shall be entitled to aggregate and de-identify Customer Personal Information to create Aggregated Data and that TitanX shall be a controller of such Customer Personal Information for this limited purpose. Customer further acknowledges that TitanX shall be entitled to process the Aggregated Data in its absolute discretion for any legitimate business purposes including, without limitation, for the purposes of product improvement, delivery or development.
- Processing of Personal Information. Subject always to Section 2.7:
- Parties' Obligations as Independent Controllers. This Section 3 applies to each Party’s collection, use and processing of the other Party’s Personal Information. The restrictions in this Section 3 are in addition to all other restrictions on TitanX Personal Information set forth in the Agreement, including with respect to its use of TitanX Personal Information.
- Role of the Parties. The Parties acknowledge and agree that Customer and TitanX will each act as independent controllers to process TitanX Personal Information solely in connection with the Services being performed under the Agreement.
- Processing Obligations. With respect to TitanX Personal Information:
- Customer shall comply with all Data Protection Laws and provide no less than the level of privacy protection required under the Data Protection Laws.
- Customer shall process TitanX Personal Information only for the limited and specified purposes set out in the Agreement and Schedule 2 of this DPA.
- Customer shall process TitanX Personal Information only as permitted by, and in accordance with the restrictions set forth in, the Agreement.
- Customer shall promptly notify TitanX if it makes a determination that it can no longer meet its obligations under the Data Protection Laws applicable to the processing of TitanX Personal Information.
- Grant of Rights.
- Customer grants TitanX rights to take reasonable and appropriate steps to ensure that it uses TitanX Personal Information in a manner consistent with its obligations under the Data Protection Laws applicable to the processing of Personal Information.
- Customer grants TitanX rights to, upon notice, take reasonable steps to stop and remediate the unauthorized processing of TitanX Personal Information.
- Information Security and Confidentiality.
- TitanX undertakes to maintain appropriate technical and organizational security measures required by applicable Data Protection Laws to protect Customer Personal Information. Customer undertakes to maintain appropriate technical and organizational security measures required by applicable Data Protection Laws to protect TitanX Personal Information. The measures shall provide data security and a protection level commensurate to the level of risk concerning confidentiality, integrity, availability, and resilience of the systems. The measures shall at least result in a level of security that is appropriate taking into consideration: whether or not the measures can be reasonably considered to be state-of-the-art, the implementation costs, the nature, scope and purposes of processing as well as the likelihood of data breaches and the severity of risks to the rights and freedoms of natural persons.
- TitanX shall ensure only its personnel who are bound by confidentiality obligations shall have access to Customer Personal Information. Customer shall ensure only its personnel who are bound by confidentiality obligations shall have access to TitanX Personal Information.
- Data Breach and Cooperation.
- TitanX shall notify Customer as soon as feasible and without undue delay if there is a Personal Information Breach involving Customer Personal Information. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.
- TitanX shall provide reasonable assistance to Customer in responding to data subjects' requests for the exercising of their rights pertaining to Customer Personal Information. TitanX shall promptly notify Customer of any request received by TitanX from data subjects concerning the exercising of their rights pertaining to Customer Personal Information and shall not directly respond to any such data subject access request without the express written consent of Customer.
- At Customer’s request, TitanX shall provide reasonable assistance to Customer, taking into account the nature of the processing and information available to TitanX, in furtherance of Customer’s obligations under applicable Data Protection Laws related to: data breach notification, data protection impact assessments, and supervisory authority and/or regulator consultation in connection to Customer Personal Information.
- Customer shall notify TitanX as soon as feasible and without undue delay if there is a Personal Information Breach involving TitanX Personal Information. TitanX may take reasonable and appropriate steps to stop and remediate unauthorized use of TitanX Personal Information.
- At TitanX’s request, Customer shall provide reasonable assistance to TitanX, taking into account the nature of the processing and information available to Customer, in furtherance of TitanX’s obligations under applicable Data Protection Laws related to: data breach notification, data protection impact assessments, and supervisory authority and/or regulator consultation in connection to TitanX Personal Information.
Schedule 1: Details of TitanX Processing
TitanX will use Customer Personal Information only in accordance with the instructions provided below. Customer instructs and authorizes TitanX to process the Customer Personal Information as follows:
- Purpose: TitanX will process Customer Personal Information for the following purposes:
- Generating scores and derived data fields assessing the reachability of the contact by phone;
- Appending additional data to the contact record;
- Executing outbound calls via the integrated dialing platform;
- Capturing and reporting call outcomes and dispositions;
- Synchronizing contact records and call activity data with Customer's CRM and other systems and tools that Customer authorizes for integration with the platform;
- Providing authenticated platform access and managing Customer's authorized end users of the platform; and
- Type of Personal Information: TitanX will process the following categories of Customer Personal Information:
- Identifiers: name, business email address, and phone numbers
- Professional data: job title, employer name, seniority, department, and professional profile URLs (e.g., LinkedIn);
- Scores and derived data fields generated by TitanX assessing the reachability of the contact by phone;
- Call activity metadata: call dispositions, outcomes, timestamps, durations, and attempt counts;
- CRM identifiers and synced fields: lead and contact identifiers and related record metadata from Customer's CRM (e.g., Salesforce, HubSpot); and
- End-user account data: authentication identifiers (e.g., username/email), role and permission settings, and activity and audit logs associated with Customer's authorized end users of the platform.
- Data Subjects: Customer Personal Information relates to the following categories of data subjects:
- Business contacts at Customer's prospect and target accounts whom Customer is engaging via outbound communications using the platform; and
- End users authorized by Customer to access and use the platform.
- Duration: The duration of the Agreement.
TitanX will not use Customer Personal Information for any other purpose without the express written consent of Customer, unless TitanX is required or permitted to do so by applicable Data Protection Laws. In that case, TitanX shall inform Customer in writing of that legal requirement before processing, unless that law prohibits such notice.
Schedule 2: Details of Customer Processing
Customer will use TitanX Personal Information only in accordance with the instructions provided below:
- Purpose:
- Prioritizing contacts and executing outbound calls via the platform;
- Importing TitanX Personal Information into Customer's CRM and other authorized systems for ongoing sales operations; and
- Conducting internal sales reporting and analytics relating to Customer's outbound activity.
- Type of Personal Information:
- Scores and derived data fields generated by TitanX assessing the reachability of the contact by phone;
- Additional data appended by TitanX to the contact record from sources other than Customer; and
- Other personal data obtained or collected by TitanX or its Affiliates from sources other than Customer in connection with the provision of the Services.
- Data Subjects: TitanX Personal Information relates to the following categories of data subjects:
- Business contacts at Customer's prospect and target accounts to whom the TitanX Personal Information relates.
- Duration: The duration of the Agreement.
Customer will not use TitanX Personal Information for any other purpose without the express written consent of TitanX, unless Customer is required to do so by applicable Data Protection Laws. In that case, Customer shall inform TitanX in writing of that legal requirement before processing, unless that law prohibits such notice.
Schedule 3: Standard Contractual Clauses Information
- DETAILS OF PROCESSING
CATEGORIES OF DATA SUBJECTS
(a) Business contacts at Customer's prospect and target accounts whom Customer is engaging via outbound communications using the Services; and
(b) individuals authorized by Customer to access and use the Services as end users.
CATEGORIES OF PERSONAL DATA
Identifiers (name, business email address, business phone numbers); professional data (job title, employer name, seniority, department, and professional profile URLs such as LinkedIn); scores and derived data fields generated by TitanX assessing reachability by phone; additional data appended by TitanX to contact records from sources other than Customer; call activity metadata (dispositions, outcomes, timestamps, durations, and attempt counts); CRM identifiers and synced fields (lead and contact identifiers and related record metadata from Customer's CRM, e.g., Salesforce, HubSpot); and end-user account data (authentication identifiers, role and permission settings, and activity and audit logs).
SPECIAL CATEGORIES OF DATA (IF APPLICABLE)
None. The Services are not designed to process special category personal data.
DURATION OF PROCESSING
For the term of the Agreement.
SUBJECT MATTER, NATURE AND PURPOSE OF THE PROCESSING
The provision of the Services under the Agreement, including: generating scores and derived data fields assessing the reachability of contacts by phone; appending additional data to contact records; executing outbound calls via the integrated dialing platform; capturing and reporting call outcomes and dispositions; synchronizing contact records and call activity data with Customer's CRM and other authorized systems; and providing authenticated platform access for Customer's authorized end users.
- TRANSFERS
To the extent that the parties enter into Standard Contractual Clauses pursuant to clause 2.3, the following additional information shall apply in addition to that set out in A above.
MODULE
Module 1 (controller-to-controller) shall apply to transfers of TitanX Personal Information from TitanX to Customer as described in Section 3 of this DPA.
Module 2 (controller-to-processor) shall apply to transfers of Customer Personal Information from Customer to TitanX for processing on Customer's behalf as described in Section 2 of this DPA.
PARTIES AND ROLES
For Module 1 transfers (TitanX to Customer): TitanX is the data exporter and an independent controller; Customer is the data importer and an independent controller.
For Module 2 transfers (Customer to TitanX): Customer is the data exporter and the controller; TitanX is the data importer and the processor. Each party's full legal name, address, and contact details are as set out in the Agreement. TitanX's EU Article 27 representative is established in Ireland and its UK representative is established in the United Kingdom; current contact details are available at https://trust.titanx.io.
FREQUENCY OF THE TRANSFER
Continuous during the provision of the Services.
COMPETENT SUPERVISORY AUTHORITY
For Module 1 transfers (TitanX as exporter): Ireland's Data Protection Commission, by virtue of TitanX's EU Article 27 representative being established in Ireland.
For Module 2 transfers (Customer as exporter): the supervisory authority of the EU member state in which Customer or its EU Article 27 representative is established. For transfers of UK-origin Personal Information under the UK Addendum: the UK Information Commissioner's Office.
GOVERNING LAW AND CHOICE OF FORUM
For Module 1 transfers: Irish law and the courts of Ireland.
For Module 2 transfers: the law and courts of the EU member state of the competent supervisory authority identified above. For UK Addendum transfers: as specified in the UK Addendum.
RETENTION/DELETION PERIOD
The parties Personal Information shall be deleted/returned on termination of the Agreement.
SPECIFIC RESTRICTIONS
Either party shall not reverse engineer or combine anonymized/pseudonymized data with other data in order to create personal data.
SECURITY MEASURES
TitanX maintains technical and organisational security measures appropriate to the risks of the processing, including access control, encryption in transit and at rest, network and infrastructure security, security monitoring, vulnerability and patch management, vendor risk management, business continuity and disaster recovery, personnel security, and incident response.
Current measures and applicable certifications are described at https://trust.titanx.io. Customer shall maintain technical and organisational measures that meet or exceed industry standards appropriate to the nature of the Personal Information processed and the risks of the processing.
SUB-PROCESSORS
For Module 2 transfers: TitanX's current sub-processors engaged in the processing of Customer Personal Information are listed at https://trust.titanx.io/subprocessors. Updates to the sub-processor list are communicated in accordance with Section 2.4 of this DPA. Annex III to the Standard Contractual Clauses is not applicable to Module 1 transfers, as those transfers are between independent controllers.
OTHER
Any optional redress clauses shall not apply. In relation to sub-processors, the party engaging such sub-processor shall require consent in accordance with the Agreement.