Appendix No. 2 to the General Terms and Conditions
Updated: August 26, 2025
Contract enters into force as of September 12th, 2025
1. Detailed specification of exportable data categories and digital assets
Leadoo provides a comprehensive capability to export customers’ personal and non-personal data, covering the following categories: end-user, marketing, operational and analytical data. This data is stored in the Amazon Web Services (AWS) infrastructure.
The company offers a wide selection of standard export formats: CSV (default export format from the user interface), JSON (default API format), and XLSX.
Personal data is processed in accordance with the data processing agreement. This includes, among others: first and last name, email, phone number, Contact ID, IP address (only network masked as /24, not unique address), location and online behavioral data, which can be classified as basic contact data, location data, purchasing preferences, and behavioral data.
Additionally, Leadoo offers the option to export data and resources beyond the standard scope available from the application. Such extended or custom exports are carried out based on individual pricing, tailored to the specific requirements of the client and the scope of the data.
2. Detailed specification of data categories specific to the internal functioning of the data processing service provider, which are excluded from the exportable data
As a provider of a comprehensive conversion platform, Leadoo understands the key importance of providing our clients with full control over their data and the freedom to choose a service provider. In accordance with the requirements of the Data Act, we make every effort to ensure the data export process is transparent, effective and uninterrupted.
At the same time, to protect our innovations and competitive advantage, it is necessary to precisely define those categories of data which, constituting the exclusive intellectual property and trade secret of Leadoo, are excluded from the export mechanism. Below, we present a detailed specification of these categories, while guaranteeing that their exclusion will in no way hinder or delay our clients’ process of switching providers and that all data necessary to continue their operations will remain fully exportable.
3. Procedures for switching data processing service providers
Leadoo enables the free migration of client data to other service providers through simple and effective export mechanisms. Users can export data and resources through both the application interface (UI) and via API, in popular formats such as CSV, JSON, and XLSX. Leadoo monitors technical export limits, such as single export file size restrictions and an API request limit of 500 requests per minute, to ensure optimal infrastructure performance.
4. Register of data structures, formats, and interoperability standards for exportable data
In accordance with interoperability requirements, Leadoo provides a public register of technical information for exportable data that can be transferred when switching a data processing service provider. The register contains detailed information about:
- data structures used for export (e.g., leads, customer profiles, organization profiles),
- available formats (CSV, JSON, XLSX),
- open standards and technical specifications used to ensure interoperability,
- validation standards used in the Leadoo API (in accordance with v3/v2 documentation).
By using commonly accepted formats (RFC, ISO, JSON Schema, OpenAPI), the data can be reused in CRM, ERP, marketing automation or BI systems.
5. General description of technical, organizational, and contractual measures adopted by the data processing service provider to prevent international government access or transfer of non-personal data stored in the European Union
- General policy on the security of personal data and IT systems
- Procedures for reporting breaches
- Periodic reviews of internal procedures
- Procedure for handling abuse
- Data Protection Officer
- Issuance of authorizations for personal data processing
- Training in personal data protection
- Declarations of confidentiality regarding personal data
- Restricted access to IT systems and networks (using logins, passwords, separate networks for third parties)
- Procedure for granting and revoking access rights to IT systems
- Password policy
- Use of secure network connections, e.g., VPN
- High Availability Cluster
- Measures to ensure event logging, e.g., Microsoft Clarity, Internal logging system
- Anti-DDoS system, e.g., Cloudflare
- Conducting quarterly vulnerability tests of IT systems
- Conducting penetration tests of IT systems
- Antivirus software
- Cybersecurity training
- Procedure for verifying service providers for regulatory compliance and adequate security measures
- Cyclical risk analysis of the violation of rights and freedoms of individuals whose data is processed
- Security and privacy risk analysis carried out at least once a year
- Procedures for applying the privacy by design principle in software development
- Standard for maintaining the privacy by default principle in the design phase
- Use of cryptographic measures for personal data protection, e.g., SSL protocol [TLS 1.2 – 1.3 + SHA256]
- Securing data transmission with the HTTPS protocol
- Use of multi-factor user authentication in the ICT system
- User identification and authorization measures, e.g., OAuth 2.0
- Audit logs for mass data modification actions on the platform
- Individual login indicators
- Personal Data Processing Agreement, including a contractual prohibition on transferring personal data outside the European Economic Area without the controller’s consent
- Confidentiality Agreement
6. Information on services whose migration is particularly difficult or costly
The current architecture of the Leadoo system does not have significant technical or organizational limitations that would hinder migration to another service provider. All client data is fully exportable through the available UI and API mechanisms. There are no complex technological dependencies that could prevent or significantly hinder such a migration. The company uses open standards and popular export formats, thereby minimizing the risk of vendor lock-in.