Data Processing Agreement (DPA)

Last updated: 24 April 2026

This Data Processing Agreement ("DPA") forms part of the Pharos Terms of Service between Leadlynk Limited, a company registered in England and Wales (company number 15137196) with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom ("Pharos", "Processor"), and the customer ("Customer", "Controller") whenever Pharos processes Personal Data on the Customer's behalf.

If you need a signed copy of this DPA for your records or compliance review, email privacy@heypharos.com and we'll send a signable PDF.

1. Definitions

Terms like "Personal Data," "Processing," "Data Subject," "Controller," and "Processor" have the meanings given to them in the EU General Data Protection Regulation (GDPR) and the UK GDPR.

"Sub-processor" means any third party engaged by Pharos to process Personal Data on the Customer's behalf, as listed on the Sub-processors page.

2. Scope and roles

Pharos processes Personal Data on behalf of the Customer in order to provide the Pharos service. The Customer is the Controller of that Personal Data and Pharos is the Processor.

Subject matter: provision of the Pharos service.

Duration: for as long as the Customer has an active Pharos subscription, plus retention periods set out in the Privacy Policy.

Nature and purpose of processing: hosting, analyzing, and displaying the brand-visibility data the Customer configures.

Categories of Data Subjects: the Customer's authorized users of Pharos.

Categories of Personal Data:

  • Account data (name, email, hashed password)
  • Usage data (pages visited, features used)
  • Optional profile data the Customer provides
  • Any Personal Data the Customer chooses to put into Pharos content

3. Pharos's obligations

Pharos will:

  • (a) Process Personal Data only on documented instructions from the Customer (including by using the Pharos product as intended), except where required by law.
  • (b) Ensure personnel authorized to process Personal Data have committed to confidentiality.
  • (c) Implement appropriate technical and organizational security measures (see Section 6 and Annex II).
  • (d) Assist the Customer in responding to Data Subject requests. Where Pharos receives a Data Subject request directly relating to the Customer's Personal Data, Pharos will not respond to the Data Subject (except to confirm receipt and refer them to the Customer) and will forward the request to the Customer without undue delay.
  • (e) Assist the Customer with data protection impact assessments and regulator consultations where required.
  • (f) Notify the Customer without undue delay after becoming aware of a Personal Data Breach.
  • (g) On termination, delete or return all Personal Data as set out in the Privacy Policy.

3a. Government and law enforcement requests

If Pharos receives a legally binding request from a public authority for access to the Customer's Personal Data, Pharos will:

  • (a) Notify the Customer of the request before disclosure, unless legally prohibited from doing so. Where notification is prohibited, Pharos will use reasonable efforts to obtain a waiver and will document the request internally.
  • (b) Challenge any request that appears unlawful, overbroad, or inconsistent with international human rights standards, including by seeking interim measures.
  • (c) Disclose only the minimum data required to comply with the request.
  • (d) On an annual basis, provide the Customer with summary transparency information about the volume and type of government requests received, to the extent legally permitted.

4. Sub-processors

The Customer authorizes Pharos to engage the Sub-processors listed at /subprocessors. Pharos will:

  • Impose written contract terms on each Sub-processor at least as protective as this DPA.
  • Remain fully liable to the Customer for each Sub-processor's performance.
  • Provide at least 30 days' notice of any new Sub-processor. The Customer may object on reasonable grounds, in which case the parties will work in good faith to resolve the objection; if unresolved, the Customer may terminate the affected service without penalty.

5. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not have an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor) with Pharos as "data importer" and the Customer as "data exporter," and, for UK transfers, the UK International Data Transfer Addendum.

By accepting this DPA, the parties are deemed to have signed the applicable SCCs.

6. Security

Pharos implements appropriate technical and organizational measures, including:

  • Encryption of Personal Data in transit (TLS) and at rest.
  • Row-level security on all customer-scoped database tables.
  • Role-based access controls; least-privilege access to production.
  • Audit logging of administrative access.
  • Regular patching of infrastructure.
  • Incident response procedures with defined roles and escalation.
  • Employee onboarding security training and confidentiality obligations.

7. Data breach notification

Pharos will notify the Customer at the Customer's designated contact email without undue delay — and in any event within 72 hours of confirmation — after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notice will include the information required by GDPR Article 33(3) to the extent available.

8. Audits

The Customer may, once per year and with 30 days' written notice, request reasonable information to verify Pharos's compliance with this DPA. Pharos will respond with (a) current security documentation and (b) relevant third-party audit reports where available. On-site audits may be arranged by mutual agreement for enterprise customers.

9. Return or deletion of data

On termination of the Pharos service, Pharos will delete Personal Data within 30 days, except where retention is required by law (e.g., invoices). The Customer may export its data at any time before that deadline.

10. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

11. Changes

Pharos may update this DPA to reflect legal changes. Material updates will be announced by email to the Customer's billing contact at least 30 days before taking effect.

Annex I — Description of processing

A. List of parties

  • Data exporter / Controller: the Customer (identified in the Customer's Pharos account and/or signed order form).
  • Data importer / Processor: Leadlynk Limited, 128 City Road, London, EC1V 2NX, United Kingdom. Contact: privacy@heypharos.com.

B. Description of transfer

  • Categories of data subjects: the Customer's authorized users of Pharos.
  • Categories of Personal Data: account identifiers (name, email, hashed password), usage data, brand/prompt/competitor configurations, OAuth tokens for connected integrations, and any Personal Data the Customer chooses to submit through the service.
  • Special categories of data: none intended. The Customer agrees not to submit special-category data (health, biometrics, etc.).
  • Frequency of transfer: continuous, for the duration of the subscription.
  • Nature and purpose: hosting, analyzing, and displaying brand visibility data; providing the Pharos service.
  • Retention: as set out in the Privacy Policy.

C. Competent supervisory authority

For transfers from the UK: the Information Commissioner's Office (ICO). For transfers from the EEA: the supervisory authority of the Member State in which the data exporter is established.

Annex II — Technical and organizational measures

Leadlynk Limited maintains the following measures to protect Personal Data. These measures may evolve over time to reflect advances in technology; any change will maintain an equivalent or greater level of protection.

1. Access control

  • Role-based access controls with least-privilege defaults.
  • Multi-factor authentication enforced for all production systems and admin consoles.
  • Row-Level Security (RLS) applied on all customer-scoped database tables so data is segregated per customer / brand.
  • Production access is logged and reviewed.

2. Encryption

  • Personal Data encrypted in transit using TLS 1.2 or higher.
  • Personal Data encrypted at rest using provider-managed encryption (Supabase, Stripe).
  • Secrets and API keys stored in secure vaults, never in source control.

3. Network and application security

  • Web application and APIs hosted behind CDN with DDoS protection.
  • HTTPS enforced across all customer-facing endpoints.
  • Input validation, parameterized queries, and other standard defenses against OWASP Top 10 vulnerabilities.
  • Regular dependency updates and vulnerability monitoring.

4. Operational security

  • Changes to production infrastructure go through code review and automated CI/CD pipelines.
  • Incident response procedures with defined roles, escalation paths, and post-mortem review.
  • Logging and alerting on security-relevant events.

5. Personnel

  • All personnel with access to Personal Data are bound by written confidentiality obligations that survive termination.
  • Onboarding includes data-protection and security awareness training.
  • Access is promptly revoked on role change or departure.

6. Sub-processor management

  • Written contracts with each sub-processor containing data protection obligations at least as strict as this DPA.
  • Sub-processor list is published and kept current at /subprocessors.

7. Business continuity and backups

  • Database backups performed at least daily, retained in accordance with provider defaults.
  • Failover and recovery procedures tested periodically.

8. Data subject rights support

  • Tools available to the Customer to export or delete workspace data.
  • Email-based intake for Data Subject requests at privacy@heypharos.com, with documented response procedures within the GDPR-mandated timelines.

9. Data minimization and retention

  • Retention periods as documented in the Privacy Policy.
  • Deletion within 30 days of account termination, except where retention is legally required.

10. Breach response

  • Defined incident response plan with notification within 72 hours of confirmation, covering the information required under GDPR Art. 33(3).

Adapted from Basecamp's open-source policies (CC BY 4.0).