FollowUP CRM - Data Processing Addendum (DPA)
Schedule C to the Master Subscription Agreement
Effective Date: 10 May 2026 Version: 2.0 Last Updated: 10 May 2026 Governing Language: English
📋 Quick Summary (TL;DR)
- What this is. This Data Processing Addendum (DPA) governs the situation where you, as our Customer, use the FollowUP CRM Platform to process personal data of your end users - your contacts, leads, customers, employees, message recipients, etc. For that processing, you are the Controller; we are the Processor.
- Why you need it. GDPR Article 28 (and equivalent laws in the UK, Georgia, California, and elsewhere) requires a written processor agreement covering specific topics. Without this DPA, you and we are technically in violation of those laws every time you upload an EU/UK/Georgian person's data into the Platform.
- When this DPA takes effect. Automatically - on the date you accept the Master Subscription Agreement, this DPA is incorporated by reference and effective. No separate signature is required, though you may countersign if your compliance team requires it.
- What it covers. Our security measures, sub-processor management, international data transfers (including EU Standard Contractual Clauses), data subject rights, breach notification, audit rights, and data deletion on termination.
- EU SCCs. Where you are an EU/EEA Controller, the EU Standard Contractual Clauses (Commission Decision 2021/914), Module Two (Controller-to-Processor), are incorporated and apply automatically.
1. Background and Application
1.1 Relationship to the MSA
This DPA is Schedule C to the Master Subscription Agreement ("MSA") between you ("Customer", "you") and Sales Consulting Group LLC (Georgian Company ID 405727254), operating as FollowUP CRM ("FollowUP CRM", "we", "us"). Capitalized terms not defined here have the meanings given in the MSA. In case of conflict between this DPA and the MSA on a data-protection matter, this DPA prevails.
1.2 When This DPA Applies
This DPA applies whenever:
(a) Customer uses the Platform to Process Personal Data subject to GDPR, UK GDPR, the Law of Georgia on Personal Data Protection, CCPA/CPRA, or other applicable Data Protection Laws; and
(b) in respect of that Processing, Customer acts as the Controller (or as a Processor on behalf of a third-party Controller, in which case this DPA flows through as a sub-processor arrangement).
This DPA does not apply to processing of Personal Data where FollowUP CRM acts as an independent Controller (e.g., billing data, account credentials, security logs, marketing of our own services). That processing is governed by the Privacy Policy.
1.3 Automatic Incorporation
By accepting the MSA, Customer is deemed to have entered into this DPA. No separate signature is required for this DPA to be legally binding, but Customer may execute a signed counterpart by emailing info@followup.agency with the request and Customer's signing details. We will provide a countersigned copy.
1.4 Order of Precedence
In case of conflict between provisions of:
(a) the EU SCCs (where applicable per Section 8 below); (b) this DPA body; (c) the MSA; (d) the Privacy Policy,
the order of precedence is: (a) > (b) > (c) > (d) - with the SCCs taking absolute precedence to the extent required by Article 5 of Commission Decision 2021/914.
2. Definitions
In this DPA, the following terms have the meanings set out below. Other capitalized terms have the meanings given in the MSA or in the applicable Data Protection Laws.
- "Customer Personal Data" means Personal Data Processed by FollowUP CRM (or its Sub-processors) on behalf of Customer in connection with the provision of the Platform under the MSA.
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data, including: (i) GDPR - Regulation (EU) 2016/679; (ii) UK GDPR and the UK Data Protection Act 2018; (iii) the Law of Georgia on Personal Data Protection (as amended in 2023); (iv) the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and other U.S. state privacy laws; (v) Canada's PIPEDA; (vi) the Swiss Federal Act on Data Protection (FADP); (vii) other applicable national or regional data protection laws.
- "Data Subject" has the meaning given in the GDPR (or equivalent under other Data Protection Laws): the natural person to whom Personal Data relates.
- "EU SCCs" means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in particular Module Two (Controller to Processor).
- "Personal Data Breach" has the meaning given in GDPR Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processing" has the meaning given in GDPR Article 4(2): any operation performed on Personal Data, whether automated or not.
- "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, Switzerland, Georgia, or another jurisdiction with international transfer restrictions, to a third country not the subject of an adequacy decision.
- "Sub-processor" means any third party engaged by us to Process Customer Personal Data on Customer's behalf, including HighLevel Inc. and the parties listed at our Sub-Processor Page (followup.agency/legal/sub-processors).
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner.
3. Roles of the Parties
3.1 Customer as Controller; FollowUP CRM as Processor
The parties acknowledge and agree that, with respect to the Processing of Customer Personal Data through the Platform:
(a) Customer is the Controller (or a Processor acting on behalf of one or more third-party Controllers). Customer determines the purposes and means of Processing.
(b) FollowUP CRM is the Processor acting on Customer's documented instructions.
(c) HighLevel Inc. and other Sub-processors listed on the Sub-Processor Page are Sub-processors of FollowUP CRM, with whom FollowUP CRM has entered into written agreements imposing obligations equivalent to those in this DPA.
3.2 California (CCPA/CPRA)
For California Personal Information, FollowUP CRM acts as a "Service Provider" (and not a "Third Party") within the meaning of CCPA/CPRA. FollowUP CRM:
(a) will Process California Personal Information only for the business purposes specified in the MSA and this DPA, and not for FollowUP CRM's own commercial purposes; (b) will not "sell" or "share" California Personal Information; (c) will not retain, use, or disclose California Personal Information outside the direct business relationship with Customer; (d) will not combine California Personal Information received from Customer with Personal Information from other sources, except as permitted by CCPA/CPRA Section 1798.140(ag)(3).
3.3 Customer's Responsibilities
Customer warrants and undertakes that, in respect of all Customer Personal Data:
(a) it has a valid lawful basis under Data Protection Laws for the Processing it instructs FollowUP CRM to perform; (b) it has provided all required notices to Data Subjects; (c) it has obtained all necessary consents (where consent is the lawful basis); (d) its instructions to FollowUP CRM comply with Data Protection Laws; (e) it has lawfully obtained Customer Personal Data and has the right to make it available to FollowUP CRM for Processing.
Customer indemnifies FollowUP CRM against any claim, fine, or loss arising from Customer's breach of this Section 3.3 (in addition to the indemnities under MSA Section 16).
4. Description of the Processing
Subject matter: Provision of the FollowUP CRM Platform (cloud-based CRM, marketing automation, communications, and AI features) to Customer pursuant to the MSA.
Duration: For the term of the MSA, plus retention periods for backups and legal compliance.
Nature of Processing: Hosting, storage, transmission, retrieval, organization, and (where Customer uses AI features) limited algorithmic processing.
Purposes: Enabling Customer to manage relationships with its end users, send communications, and operate its business through the Platform.
Categories of Data Subjects: Customer's leads, contacts, customers, employees, contractors, message recipients, and other persons whose Personal Data Customer chooses to upload to or generate within the Platform.
Categories of Personal Data:
- Identifiers (name, email, phone, address, customer numbers)
- Communications data (SMS/email/chat content, call recordings, message metadata)
- Behavioral data (website visits, form submissions, link clicks, pipeline status)
- Financial data (invoice/payment records - full card data is processed by Stripe/Flitt)
- Marketing data (consent records, opt-in/opt-out status, preferences)
- Operational data (appointment bookings, support tickets, custom fields)
5. Customer's Documented Instructions
FollowUP CRM will Process Customer Personal Data only on Customer's documented instructions, including with regard to Restricted Transfers, except where required by law.
Customer's documented instructions consist of: the MSA (including this DPA); Customer's configurations, settings, and uses of the Platform; any further written instructions provided.
If FollowUP CRM believes that an instruction from Customer infringes Data Protection Laws, FollowUP CRM will inform Customer immediately and may suspend that specific Processing pending clarification.
6. Confidentiality and Personnel
FollowUP CRM will ensure that all personnel authorized to Process Customer Personal Data:
(a) are bound by written confidentiality obligations (whether by employment contract, contractor agreement, or NDA); (b) receive appropriate training on data protection, security, and confidentiality, refreshed at least annually; (c) access Customer Personal Data only on a strict need-to-know basis; (d) are subject to background checks appropriate to their role.
7. Security Measures
FollowUP CRM implements technical and organizational measures (TOMs) appropriate to the risk. These reflect the security controls inherited from HighLevel's certified security program:
- ISO/IEC 27001:2022 information security management
- SOC 2 Type II annual attestation
- AES-256 encryption for sensitive data at rest
- TLS 1.2+ for data in transit
- Role-Based Access Control (RBAC) with least-privilege principle
- Multi-Factor Authentication (MFA) required for administrative access
- Web Application Firewall (WAF) and DDoS mitigation
- Continuous network and security monitoring
- Quarterly vulnerability scanning and annual third-party penetration testing
- Defined Secure Software Development Lifecycle (SDLC)
- Incident response plan with 48-hour Customer notification
- Regular backups with annual restoration testing
- Logical isolation of Customer environments (multi-tenancy)
8. International Data Transfers
8.1 Where Customer Personal Data Is Processed
Customer Personal Data is Processed primarily in:
- the United States (HighLevel infrastructure on Google Cloud Platform; Twilio; AI Sub-processors);
- EU regions of cloud platforms (where available);
- Georgia (FollowUP CRM administrative operations).
8.2 Restricted Transfer Safeguards
(a) EU/EEA-Origin Data: The EU SCCs (Module Two: Controller-to-Processor) are incorporated by reference and apply automatically. We also rely on HighLevel's EU-U.S. Data Privacy Framework certification as a complementary lawful transfer mechanism.
(b) UK-Origin Data: The UK Addendum (or, at Customer's election, the UK IDTA) is incorporated by reference.
(c) Swiss-Origin Data: The EU SCCs apply with modifications required by the Swiss FDPIC.
(d) Georgian-Origin Data: Transfers are made in accordance with the Law of Georgia on Personal Data Protection Articles 41-42.
8.3 Transfer Impact Assessment
FollowUP CRM has conducted a Transfer Impact Assessment (TIA) considering the legal regime of destination countries, categories of data, technical safeguards (encryption, MFA, RBAC, segregation), and practical likelihood of government access. Based on the TIA, the contractual and technical safeguards in place provide a level of protection essentially equivalent to that provided under EU/UK law.
9. Sub-processors
9.1 General Authorization
Customer provides general written authorization for FollowUP CRM to engage Sub-processors to Process Customer Personal Data.
9.2 Current Sub-processors
The current list is published at followup.agency/legal/sub-processors, including: HighLevel Inc. (USA), Google Cloud Platform, Twilio/LeadConnector, Mailgun/SendGrid, Stripe, Flitt (TBC Bank), Cloudflare, AI providers (OpenAI, Anthropic, ElevenLabs, Google AI), and others as updated.
9.3 Notice of Changes
FollowUP CRM will provide Customer with notice of any addition or replacement of Sub-processors at least fourteen (14) days before that Sub-processor begins Processing Customer Personal Data.
9.4 Customer's Right to Object
Customer may object to a new Sub-processor on reasonable data protection grounds by sending written objection to info@followup.agency within fourteen (14) days. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected portion of the MSA.
9.5 Sub-processor Obligations
FollowUP CRM will impose on each Sub-processor, by written contract, data protection obligations substantially equivalent to those in this DPA, in compliance with GDPR Article 28(4). FollowUP CRM remains liable to Customer for the acts and omissions of its Sub-processors.
10. Data Subject Rights
Customer is primarily responsible for responding to Data Subject requests. FollowUP CRM provides assistance through:
(a) Platform functionality enabling Customer to access, correct, delete, restrict, and export Customer Personal Data; (b) Written assistance for requests beyond standard Platform self-service, responded to at info@followup.agency within a commercially reasonable time; (c) Not responding directly to Data Subjects unless authorized in writing by Customer or legally compelled.
11. Personal Data Breach Notification
11.1 Notification to Customer
FollowUP CRM will notify Customer without undue delay, and in any event within forty-eight (48) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
11.2 Information Provided
The notification will include, to the extent then known:
(a) the nature of the Personal Data Breach; (b) the likely consequences; (c) the measures taken or proposed to address the breach; (d) the contact point at FollowUP CRM for further information.
11.3 Customer's Obligations
Customer is responsible for: notifying the relevant supervisory authority within applicable timeframes (typically 72 hours under GDPR Article 33); notifying affected Data Subjects where required; maintaining an internal breach register; bearing the costs of notifications and remediation, except where FollowUP CRM's act or omission was the proximate cause.
12. DPIAs and Prior Consultation
FollowUP CRM will provide reasonable assistance with: Data Protection Impact Assessments (DPIAs) required by GDPR Article 35; Prior consultations with supervisory authorities required by GDPR Article 36. Standard documentation includes the descriptions in this DPA's Annexes, our security certifications, and our Sub-Processor Page.
13. Return and Deletion of Customer Personal Data
13.1 During the Term
During the term of the MSA, Customer may export Customer Personal Data at any time using the export functionality available within the Platform.
13.2 On Termination
On termination, FollowUP CRM will, at Customer's choice (made within thirty (30) days):
(a) Return: make Customer Personal Data available for export in commonly used machine-readable formats; and/or (b) Delete: delete or irreversibly anonymize all Customer Personal Data in production systems within sixty (60) days of termination.
13.3 Retained Data
FollowUP CRM may retain Customer Personal Data:
(a) in routine encrypted backups until overwritten in the normal course (typically within 90 days); (b) in system logs and security records for fraud prevention, security, dispute resolution, and legal compliance (typically up to 12 months); (c) in archives required by law (tax records, AML compliance) for the required period; (d) anonymized data that no longer identifies any Data Subject.
14. Audit Rights
14.1 Information Made Available
FollowUP CRM will make available, on reasonable written request to info@followup.agency, information necessary to demonstrate compliance with GDPR Article 28 obligations:
(a) copies of relevant policies and procedures; (b) HighLevel's then-current ISO/IEC 27001:2022 Certificate and SOC 2 Type II Attestation Report (subject to NDA); (c) summary of penetration test results; (d) Sub-Processor list and contractual safeguards description; (e) completed industry-standard questionnaires (SIG Lite, CAIQ); (f) other documentation reasonably necessary.
14.2 On-Site Audits
On at least sixty (60) days' prior written notice, no more than once per twelve (12) months, during normal business hours, in a manner that does not unreasonably interfere with FollowUP CRM's operations or compromise the confidentiality of other customers' data.
15. Liability
Liability arising out of or related to this DPA is subject to the limitations and exclusions in MSA Section 15 (Limitation of Liability), with the additional provisions of GDPR Article 82 for Data Subject claims. As between Controller and Processor, liability is allocated according to each party's degree of fault.
16. Term and Termination
This DPA takes effect on the Effective Date and remains in force for as long as FollowUP CRM Processes Customer Personal Data on Customer's behalf. Provisions relating to retention, deletion, audit, liability, and the EU SCCs survive termination.
Annex 1 - Details of Processing
Cross-references Section 4 of this DPA.
Annex 2 - Technical and Organizational Measures (TOMs)
Cross-references Section 7 of this DPA and HighLevel's full information security program documentation, available on request under NDA.
Annex 3 - Sub-Processors
The current list is published at followup.agency/legal/sub-processors and is incorporated by reference, in compliance with GDPR Article 28(2).
Annex 4 - EU Standard Contractual Clauses Information
Data Exporter (Controller): as set out in Customer's Platform Account. Data Importer (Processor): Sales Consulting Group LLC, operating as FollowUP CRM, Bakhtrioni 11, Tbilisi, Georgia, info@followup.agency. Competent Supervisory Authority: determined under EU SCCs Clause 13 based on Customer's establishment. Governing Law for SCCs: the law of Ireland (default for EU Customers). Forum for SCCs: the courts of Ireland (default).
Annex 5 - UK and Swiss Adaptations
UK Addendum modifies the EU SCCs as set out in the UK Addendum (Tables 1-4 as described in this DPA).
Swiss Adaptations: references to GDPR are read as references to FADP; the competent supervisory authority is the Swiss FDPIC; the law of Switzerland governs.
Contact
For DPA-related questions and assistance:
Sales Consulting Group LLC (operating as FollowUP CRM) Bakhtrioni 11, Tbilisi, Georgia Company ID: 405727254
- DPA / Privacy / Data Protection: info@followup.agency
End of Data Processing Addendum v2.0
