1. Definitions
Capitalised terms not defined here bear the meaning given in the GDPR or, where the GDPR does not apply, the equivalent term in the applicable law.
- “Personal Data” — any information relating to an identified or identifiable natural person processed by Anvil on behalf of the Controller.
- “Controller Data” — Personal Data uploaded to or generated in the Anvil tenant by the Controller and its users.
- “Sub-processor” — a third party engaged by Anvil to process Controller Data.
- “Supervisory Authority” — an authority with jurisdiction under applicable data-protection law.
- “Standard Contractual Clauses” / “SCCs” — the EU Commission Decision 2021/914 clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum.
2. Roles & scope
- The Controller determines the purposes and means of processing its data and is responsible for the lawful basis of that processing.
- Anvil acts as Processor when running the Service and only processes Controller Data on documented instructions from the Controller.
- Anvil acts as independent Controller when processing account-administration data (billing, login, support tickets from the Controller’s admins) as described in the Privacy Policy.
- This DPA applies for the term of the underlying subscription and any wind-down period.
3. Controller instructions
The Controller’s instructions to Anvil consist of (a) the Agreement, (b) this DPA, (c) use of the Service interface and API, and (d) written instructions to support@anvilhk.com.
Anvil will inform the Controller if it believes an instruction infringes applicable data-protection law, and may pause processing while the point is resolved.
Anvil will not (a) sell Controller Data, (b) share it for cross-context behavioural advertising, (c) retain or use it outside the direct business relationship, or (d) combine it with data from other sources except to provide the Service.
4. Categories of data & data subjects
See Annex I for the full breakdown. In summary:
- Data subjects: Controller’s users, its end-customers, and business prospects the Controller loads into the platform.
- Categories of data: business contact data (name, work email, title, company), CRM activity data, communication content (emails, chat, call transcripts), platform logs, and AI-feature inputs/outputs.
- Special categories (Art. 9 GDPR): not processed unless the Controller uploads such data in violation of this DPA; if it does, the Controller indemnifies Anvil.
5. Sub-processors
The Controller grants Anvil general authorisation to engage Sub-processors to deliver the Service. The current list is published at /legal/subprocessors and is part of this DPA.
Anvil:
- Imposes data-protection obligations on each Sub-processor no less protective than this DPA.
- Remains fully liable to the Controller for the performance of its Sub-processors.
- Gives at least 30 days’ notice via the Subprocessors page (with email option on request) before adding or replacing a Sub-processor that processes Personal Data.
- During that notice period, the Controller may object on reasonable data-protection grounds by emailing 738888@proton.me. If we cannot reasonably accommodate the objection, the Controller may terminate the affected Service portion with a pro-rated refund of prepaid fees.
6. International transfers
Controller Data is hosted in Hong Kong SAR by default, with edge caching on Cloudflare’s global network. Certain Sub-processors (e.g. OpenAI, Stripe) process data in the United States or the EU.
- For transfers out of the EEA / UK / Switzerland, Anvil relies on the Standard Contractual Clauses (Module Two) and, where required, the UK IDTA and Swiss addendum. The SCCs are incorporated by reference into this DPA.
- For transfers out of mainland China (PIPL), Anvil and the Controller will cooperate on the CAC-approved standard contract, security assessment, or certification route depending on volume.
- Anvil performs a transfer-impact assessment on each Sub-processor and applies supplementary measures (encryption in transit and at rest, key segregation, access controls) as required by Schrems II.
- The Controller may request a copy of the executed SCCs by emailing us.
7. Security measures
Anvil implements the technical and organisational measures set out in Annex II, which conform to Art. 32 GDPR. Measures are reviewed annually and may be updated provided they do not materially reduce the overall security posture.
8. Data subject rights assistance
Anvil provides self-serve tools in the admin console to help the Controller honour requests to access, correct, delete, export, or restrict Personal Data. Where a request cannot be completed through the product, Anvil assists within five business days of a written request sent to 738888@proton.me.
Anvil will forward any data subject request it receives directly to the relevant Controller without responding on the Controller’s behalf (except to acknowledge receipt and direct the subject to the Controller).
9. Personal data breach
- Anvil notifies the Controller without undue delay and in any event within 48 hours after confirming a Personal Data breach affecting Controller Data.
- Notifications include, to the extent known: nature of the breach, categories and approximate numbers of affected data subjects and records, likely consequences, measures taken or proposed, and a contact point.
- Notifications are sent to the security contact the Controller has registered in the admin console (or, failing that, to the billing email). It is the Controller’s responsibility to keep this address current.
- A breach of Anvil’s own (Controller-role) systems is disclosed under our Privacy Policy and the applicable law of affected data subjects.
10. Audits
Anvil makes available to the Controller the information necessary to demonstrate compliance with Art. 28 GDPR:
- SOC 2 Type II report (planned Q4 2026) under NDA on request.
- Annual penetration-test summary on request.
- Completed CAIQ / SIG-Lite questionnaires on request.
Where the information above is insufficient, the Controller may conduct an audit no more than once per twelve-month period on 30 days’ written notice, at its own cost, during business hours, and subject to confidentiality obligations. Audits may not unreasonably interfere with Anvil’s operations or other customers’ data. A Supervisory Authority’s audit rights are not limited by this clause.
11. Deletion & return of data
- Upon termination, the Controller has 30 days to export Controller Data through the product or API.
- After 30 days Anvil will delete or anonymise Controller Data within a further 60 days, except for data Anvil is required to retain by law (e.g. tax records, ongoing legal proceedings).
- Backups containing Controller Data are overwritten on the standard backup rotation (≤ 35 days).
- A certificate of deletion is available on request.
12. Liability, conflicts & term
- The liability cap in the Agreement applies to claims arising under this DPA.
- If there is a conflict between the Agreement and this DPA in relation to data protection, this DPA prevails. If there is a conflict between this DPA and the SCCs, the SCCs prevail.
- This DPA takes effect when the Agreement takes effect and terminates when the Agreement does, subject to clause 11.
Annex I — Processing details
A. List of parties
- Controller: the customer identified in the Anvil subscription.
- Processor: Hong Kong Anvil Ltd., Hong Kong SAR. Contact: 738888@proton.me.
B. Description of processing
- Subject matter: provision of the Anvil lead-generation, CRM, outreach, and analytics SaaS.
- Duration: for as long as the Controller has an active subscription, plus the 30-day export window and 60-day deletion window.
- Nature and purpose: hosting, storage, transmission, analysis, enrichment, AI inference, email and messaging delivery, and analytics of the Controller’s lead and CRM data.
- Categories of data subjects: Controller’s users, its end-customers, and B2B prospects.
- Categories of personal data: name, work email, work phone, job title, employer, LinkedIn/social profile URL, company size and industry; CRM activity logs; email and message content; call recordings and transcripts (if voice features used); AI inputs and outputs; platform audit logs.
- Frequency: continuous.
- Retention: as specified in the Privacy Policy and clause 11 above.
C. Competent Supervisory Authority
Where the Controller is established in the EEA, its lead authority; where in the UK, the ICO; where in Hong Kong, the PCPD.
Annex II — Technical & organisational measures
- Encryption: TLS 1.3 in transit; AES-256-GCM at rest for database and object storage; envelope encryption for secrets using hardware-backed KMS.
- Identity & access: SSO (SAML/OIDC) for enterprise; MFA enforced for admin; RBAC with least-privilege defaults; production access gated by short-lived credentials and approvals.
- Network: Cloudflare WAF, DDoS protection, rate-limiting, bot management; private-network boundaries between services; zero-trust access to production.
- Application security: SAST, dependency scanning, secret scanning, and container scanning in CI; annual third-party penetration testing; coordinated vulnerability disclosure programme.
- Monitoring: centralised logging with tamper-evident retention; anomaly and intrusion detection; Sentry error reporting; 24/7 alerting on security-critical signals.
- Change management: peer code review required for production changes; automated deployment with rollback; separation of production and development environments.
- Backup & recovery: encrypted daily full backups, hourly incrementals; geographically separated backup storage; tested restore procedures at least quarterly; RPO ≤ 1h, RTO ≤ 4h for the primary database.
- People: background checks where permitted by law; confidentiality undertakings; annual security-awareness training; documented joiner/mover/leaver process.
- Physical: data centre security is delegated to hosting providers (see Annex III) and relies on their SOC 2 / ISO 27001 certifications.
- Incident response: documented runbook; defined severity tiers; post-incident review with publishable root-cause analysis for material incidents.
- Pseudonymisation: customer identifiers rather than production email are used in logs and analytics where feasible.
- Data segregation: strict tenant isolation at the row-security and application-authorisation layers; cross-tenant tests run on every deploy.
A more detailed description is published on our Security page and updated as controls evolve.
Annex III — Approved sub-processors
The current list of Sub-processors is maintained at /legal/subprocessors. It forms part of this DPA and is updated with at least 30 days’ notice of material changes.
Acceptance
Agreement to this DPA is effected by the Controller’s execution of the underlying Anvil subscription. A manually countersigned version is available on request — email 738888@proton.me with your legal entity name, address, signatory, and DUNS/VAT identifiers.
Processor: Hong Kong Anvil Ltd.
Registered office: Hong Kong SAR
Authorised signatory: Director
Contact: 738888@proton.me · +852 4748 1911