Data Processing Agreement
Last updated: April 9, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller," "you") and Sales Blitz AI LLC ("Processor," "we," "us") for the provision of Sales Blitz services. This DPA governs the processing of personal data by Sales Blitz on your behalf, in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
To execute this DPA for your organization, contact security@salesblitz.ai with your company name, signatory name and title, and billing email. We will return a countersigned copy within 2 business days.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Service. "Processing" means any operation performed on Personal Data, including collection, storage, use, retrieval, transmission, and deletion. "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller. "Data Subject" means the identified or identifiable person to whom Personal Data relates.
2. Scope of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the Sales Blitz platform, including: account management; AI-powered research and asset generation; meeting transcription and coaching via the Recall.ai meeting bot; post-call intelligence generation; practice mode simulations with live voice via Gemini Flash Live; Sage meeting participation (discovery, follow-up, demo, closing) with configurable modes (Sage-led, AI assist, record-only) powered by LangGraph state graphs; AI-powered email outreach via Instantly; proposal and insertion order generation; document signing via the built-in signing tool, DocuSign, or PandaDoc; and email delivery of generated assets.
2.2 Duration
Processing begins on the date the Controller creates an account and continues until the Controller deletes their account or the service agreement terminates, plus 30 days for final data deletion.
2.3 Nature and Purpose
The Processor processes Personal Data for the purpose of providing AI-powered sales enablement services as described in the Sales Blitz Terms of Service. Processing activities include storing user profiles, generating research about target companies and contacts using publicly available data, transcribing meeting audio, producing AI-generated coaching analysis, conducting AI discovery calls, generating proposals and insertion orders from call data, facilitating document signing, and delivering generated assets via email.
2.4 Types of Personal Data
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, authentication credentials | User-provided at registration |
| Profile Data | Job title, company, LinkedIn URL, career history, methodology preferences | User-provided during onboarding |
| Target Data | Prospect names, titles, company names, email addresses | User-provided; enriched via Apollo.io |
| Research Data | Publicly available company information, news, financials | Web research (Brave Search, public sources) |
| Meeting Data | Transcripts, coaching scores, post-call intelligence (follow-up drafts, deal qualification, competitor analysis), Sage discovery call transcripts and scores | User-initiated recording via Recall.ai meeting bot; Sage discovery calls |
| Proposal & IO Data | AI-generated proposals, insertion orders, cover emails, pricing tables, ROI projections, approval records, delivery records, signing data (typed name, IP, timestamp, user agent) | Auto-generated from call data and Company Settings; user-approved before sending |
| Usage Data | Tool runs, feature usage, timestamps | Automatically collected |
| Payment Data | Billing address, payment method (handled by Stripe) | User-provided via Stripe |
2.5 Categories of Data Subjects
The Controller's employees and authorized users of the Service; the Controller's prospective customers and contacts (as entered by authorized users); participants in meetings recorded via the Recall.ai meeting bot.
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required by applicable law. The Controller's instructions are defined by the functionality of the Service as described in the Terms of Service and this DPA.
3.2 Confidentiality
The Processor ensures that persons authorized to process Personal Data are bound by confidentiality obligations.
3.3 Security Measures
The Processor implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Authentication via Clerk with multi-factor authentication support
- Rate limiting and spend controls on all API endpoints
- Content Security Policy (CSP) and security headers
- Access controls limiting production system access to authorized personnel
- Automated database backups with point-in-time recovery
- Application logging and monitoring for security events
- Incident response procedures with defined notification timelines
A detailed description of security measures is available at salesblitz.ai/security.
3.4 Sub-Processors
The Controller provides general written authorization for the Processor to engage Sub-Processors. The current list of Sub-Processors is in Annex A below. The Processor will notify the Controller at least 14 days before adding or replacing a Sub-Processor, via email to the address on file. If the Controller objects, the parties will work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the affected service component.
3.5 Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. The Processor provides self-service data deletion within the application and processes manual requests within 30 days.
3.6 Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach. Notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
3.7 Data Protection Impact Assessment
The Processor will provide reasonable assistance to the Controller for data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable law.
3.8 Deletion and Return
Upon termination of the service agreement or upon the Controller's request, the Processor will delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a data export before deletion.
4. Obligations of the Controller
The Controller warrants that it has a lawful basis for processing Personal Data submitted to the Service; that it has provided appropriate notice to Data Subjects regarding the processing; that instructions to the Processor comply with applicable data protection law; and that it will promptly notify the Processor of any Data Subject requests or complaints related to the processing.
5. International Data Transfers
Sales Blitz processes data primarily in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland to the US, the parties rely on the EU-US Data Privacy Framework (DPF) where applicable, and Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) where DPF coverage does not apply. The SCCs are incorporated by reference and available upon request.
6. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year, with 30 days' written notice. Audits shall be conducted during business hours and shall not unreasonably interfere with the Processor's operations. The Processor may satisfy audit requests by providing its SOC 2 report, penetration test summary, or other third-party audit documentation.
7. Liability
Each party's liability under this DPA is subject to the limitations set forth in the underlying service agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.
8. Term
This DPA takes effect when the Controller begins using the Service and remains in effect until all Personal Data is deleted or returned per Section 3.8.
Annex A: Sub-Processor List
| Sub-Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting, vector storage, file storage | All application data | United States (AWS us-east-1) |
| Anthropic, PBC | AI language model (research, generation, coaching) | Company/contact info, user prompts, profile context | United States |
| OpenAI, LLC | Audio transcription (Whisper), text-to-speech | Meeting audio, text for speech synthesis | United States |
| Google LLC | Text embeddings (Gemini), web research | Research text for semantic indexing | United States |
| Clerk, Inc. | User authentication and identity | Name, email, auth credentials, session data | United States |
| Stripe, Inc. | Payment processing | Billing info, payment methods | United States (PCI DSS Level 1) |
| Vercel, Inc. | Application hosting, edge functions | HTTP requests, session cookies | United States (multi-region edge) |
| Railway Corp. | Worker service hosting | Processing queue data, API calls | United States (US-West) |
| Resend, Inc. | Transactional email delivery | Recipient email, notification content | United States |
| HeyGen, Inc. (LiveAvatar) | AI avatar video for Practice Blitz & Sage | Text prompts for lip-sync & voice (no PII) | United States |
| Cloudflare, Inc. | DNS & DDoS protection | Domain routing, traffic metrics | United States |
| Apollo.io, Inc. | Contact and company data enrichment | Company/contact lookup queries | United States |
| Brave Software, Inc. | Web search for research | Search queries (company/industry terms) | United States |
| Langfuse GmbH | AI observability and cost tracking | LLM call metadata (tokens, latency, model, cost) | European Union (Germany) |
| Recall.ai, Inc. | Meeting bot infrastructure for recording, transcription & Sage Discovery | Meeting URL, meeting audio (processed server-side, not retained), transcript data, Sage avatar video feed | United States (US-West-2) |
| AssemblyAI, Inc. | Audio transcription & intelligence for meeting bot | Meeting audio (processed server-side), transcript data, speaker labels, entity detection | United States |
| Instantly.ai, Inc. | Multi-tenant email sending & warm-up for Sage campaigns | Prospect emails, prospect metadata, campaign data, delivery events | United States |
| Cal.com International B.V. | Meeting booking links for Sage campaigns | Prospect email, booking confirmation, meeting metadata | United States |
| DocuSign, Inc. | E-signature (proposal & IO delivery) | Document content, signer names and email addresses, signing events | United States |
| PandaDoc, Inc. | Document creation & e-signature | Document content, signer names and email addresses, company information, signing events | United States |
Annex B: Standard Contractual Clauses
For international transfers requiring SCCs, the EU Commission Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference. A copy is available upon request at security@salesblitz.ai.
Execution
To execute this DPA, email security@salesblitz.ai with your company name, signatory name and title, and billing email address. We will return a countersigned PDF copy within 2 business days.