Horlio Logo

Data Processing Agreement (DPA)

Last Updated: July 11, 2025

This Data Processing Agreement ("DPA") is entered into by and between the Customer ("Controller") and ever-growing GmbH ("Processor," "Horlio") and is incorporated into and forms an integral part of the Horlio Terms of Service ("Terms").

This DPA applies to the extent that Horlio processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms or under applicable Data Protection Laws.

  • "Data Protection Laws" means all applicable laws and regulations relating to data privacy and security, including but not limited to the GDPR.
  • "GDPR" means the Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "Personal Data" means any information processed by Horlio on behalf of the Controller as part of the Services that relates to an identified or identifiable natural person.
  • "Processing" has the meaning given to it in the GDPR.
  • "Sub-processor" means any third party engaged by Horlio to process Personal Data.

2. Processing of Personal Data

2.1. Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the Controller and Horlio is the Processor.

2.2. Details of Processing.

The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of data subjects, are described as follows:

  • Subject Matter: The Processing of Personal Data in connection with the Customer's use of the Horlio Platform to conduct LinkedIn outreach missions.
  • Duration of Processing: For the term of the Customer's subscription to the Services, and as further specified in the Privacy Policy's data retention section.
  • Nature and Purpose of Processing: To provide the Services as described in the Terms, which includes accessing, collecting, analyzing, scoring, and displaying public LinkedIn data, and facilitating outreach (comments, connection requests) based on the Controller’s instructions (i.e., the "Mission" configuration).
  • Types of Personal Data: Publicly available professional information from LinkedIn, including names, job titles, company names, profile URLs, public posts, comments, and reactions ("Mission Data").
  • Categories of Data Subjects: Individuals on LinkedIn whose public profiles and activities match the search and filtering criteria defined by the Controller in their "Mission".

2.3. Controller's Instructions.

Horlio shall only Process Personal Data on behalf of and in accordance with the Controller’s documented instructions. The configuration of a "Mission" within the Horlio Platform constitutes such documented instructions.

3. Obligations of the Processor (Horlio)

Horlio agrees to:

3.1. Confidentiality.

Ensure that any person authorized to Process Personal Data is subject to a strict duty of confidentiality.

3.2. Security.

Implement and maintain appropriate technical and organizational measures (TOMs) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 of the GDPR.

3.3. Sub-processing.

  • (a) The Controller provides a general authorization for Horlio to engage Sub-processors.
  • (b) Horlio will maintain a list of its current Sub-processors at horlio.com/subprocessors.
  • (c) Horlio will notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object.
  • (d) Horlio will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA.

3.4. Data Subject Rights.

To the extent legally permitted, Horlio will provide reasonable assistance to the Controller to respond to requests from data subjects seeking to exercise their rights under Data Protection Laws.

3.5. Assistance to Controller.

Taking into account the nature of the Processing and the information available, Horlio will provide reasonable assistance to the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (Security, Breach Notification, and Data Protection Impact Assessments).

3.6. Data Breach Notification.

Horlio will notify the Controller without undue delay after becoming aware of a Personal Data breach.

3.7. Deletion or Return of Data.

Upon termination of the Services, Horlio will delete or return all Personal Data to the Controller in accordance with the procedures and timeframes specified in its Privacy Policy, unless required by law to retain the data.

3.8. Audits.

Upon the Controller's reasonable request, Horlio will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

4. Obligations of the Controller (Customer)

The Controller represents and warrants that:

  • (a) It has complied, and will continue to comply, with all applicable Data Protection Laws in its use of the Services.
  • (b) It has a valid legal basis for the Processing of all Personal Data entrusted to Horlio.
  • (c) Its instructions to Horlio for the Processing of Personal Data are lawful.

5. International Transfers

Horlio will not transfer Personal Data outside the European Economic Area (EEA), the UK, or Switzerland to any country not deemed to have an adequate level of data protection, without implementing a valid data transfer mechanism, such as the EU Standard Contractual Clauses (SCCs).

6. General Terms

This DPA is governed by the laws of Germany. Any dispute arising from this DPA shall be subject to the jurisdiction of the courts of Munich, Germany.