Status: this page reflects the current Data Processing Addendum (the “DPA”) Funkel offers its customers. To execute a signed copy for your organization, email hello@funkel.ai. This DPA forms part of, and is subject to, our Terms of Service and Privacy Policy.
This Data Processing Addendum (“DPA”) is entered into between Funkel (the “Processor”) and the customer identified in the Funkel subscription (the “Controller”) and reflects the parties’ agreement on the processing of personal data carried out by Funkel on behalf of the Controller in connection with the Funkel service. It is governed by the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and, where applicable, the German Bundesdatenschutzgesetz (BDSG).
1. Parties
Processor. Ogbemudia Terry Osayawe, trading as Osayawe Ventures (Einzelunternehmen), Hufer Weg 59, 51467 Bergisch Gladbach, Germany. Operator details on the Legal Notice page.
Controller. The customer entity entering into a Funkel subscription, as identified at signup or in a separately executed order form.
2. Definitions
Capitalized terms not defined in this DPA have the meaning given to them in the GDPR. “Customer Personal Data” means personal data the Controller submits to, or generates within, the Funkel service while it is under the Controller’s control. “Sub-processor” means any third party engaged by Funkel to process Customer Personal Data on the Controller’s behalf.
3. Subject matter, duration, and purpose
Funkel processes Customer Personal Data solely to provide the services described in the Terms of Service: signal-based lead discovery, ICP scoring, AI-drafted outreach, message delivery via connected sender accounts, inbox aggregation, billing, and product support. Processing continues for the duration of the Controller’s subscription and for any return-or-deletion period required after termination.
4. Categories of data subjects and types of personal data
Data subjects. Authorized users of the Controller’s Funkel workspace, and the third-party business contacts (leads, prospects, replied conversations) who appear in Funkel through the Controller’s use of the service.
Types of personal data. Account and identity data (name, work email, password hash, auth-provider identifiers); workspace and campaign data (ICP settings, agent configuration, message templates, drafted and sent messages, replies); business contact and intent data (names, job titles, companies, public LinkedIn URLs, public engagement signals, job changes); usage and diagnostic data (logs, performance, abuse-prevention signals); billing and communications data.
5. Controller instructions
Funkel processes Customer Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law. The Controller’s subscription, the configuration of agents, signals, and campaigns inside the service, and any explicit support requests constitute documented instructions for the purposes of this DPA. Funkel will inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.
6. Confidentiality
Funkel ensures that any persons authorized to process Customer Personal Data are subject to a contractual or statutory obligation of confidentiality and have received appropriate training on their data-protection obligations.
7. Security measures (Article 32 GDPR)
Funkel implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Passwords stored using bcrypt with a cost factor of 10.
- Access tokens issued as short-lived JWTs (15-minute access, 7-day refresh) signed with HMAC-SHA256.
- Customer-provided LinkedIn integration tokens encrypted at rest with AES-256-GCM using a server-only key, with a fresh nonce per write.
- HTTPS-only enforcement on customer-controlled webhook URLs at create and update time.
- HMAC-SHA256 signature on every outbound webhook event so customers can verify authenticity.
- Application-level user-scoping on every database query that returns customer data, generated by the typed query layer rather than applied loosely in handlers.
- Sender-pacing rules (weekly caps under LinkedIn’s soft limits, 14-day warmup ramp, randomized inter-send jitter) that protect customer LinkedIn accounts from automated-pattern detection.
Additional detail is published on our Security page, including the security limitations Funkel does not yet have in place (SOC 2 Type II, ISO 27001).
8. Sub-processors
The Controller authorizes Funkel to engage the sub-processors listed below to process Customer Personal Data. Funkel will give the Controller prior written notice of any new or replacement sub-processor. The Controller may object on reasonable data-protection grounds within ten (10) business days; Funkel will work with the Controller in good faith to address the concern, and either party may terminate the affected service if the objection cannot be resolved.
Funkel imposes data protection obligations on each sub-processor that are no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.
9. International transfers
Where Customer Personal Data is transferred outside the European Economic Area to a third country that has not received an adequacy decision, Funkel relies on the European Commission’s Standard Contractual Clauses (SCCs) (Decision 2021/914) and, where applicable, on additional safeguards following the Schrems II judgment. SCCs are concluded with the relevant sub-processor before transfer.
10. Data subject rights
Funkel will assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Articles 15 to 22 GDPR. The Controller may instruct Funkel to delete or correct Customer Personal Data at any time using the in-product controls or by emailing hello@funkel.ai.
11. Personal data breach
Funkel will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information required under Article 33(3) GDPR to the extent it is then available to Funkel.
12. Audit
Funkel will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR. The Controller may, at its own cost and on reasonable prior written notice, conduct an audit no more than once per year. Funkel may propose alternative reasonable means (e.g., third-party audit reports, written attestations) to satisfy this obligation.
13. Return or deletion of data
On termination of the Controller’s subscription and in accordance with the Funkel Terms of Service, Funkel deletes Customer Personal Data and the connected LinkedIn integration at the end of the current billing period, subject to retention required by applicable law (e.g., billing records under commercial law).
14. Liability
Each party’s liability under this DPA is governed by the liability provisions of the underlying Terms of Service.
15. Governing law and jurisdiction
This DPA is governed by German law, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods (CISG). The exclusive place of jurisdiction is Cologne, Germany, where applicable by law.
16. Order of precedence
In case of conflict between this DPA and the Funkel Terms of Service, this DPA prevails with respect to data-protection matters.
17. Contact
Data-protection questions, sub-processor objections, breach notifications, and audit requests can be sent to hello@funkel.ai.