How Sellion processes personal data on your behalf.

For CRM and GTM data that you choose to process through Sellion, your organization is typically the controller (or equivalent role under applicable law) and Sellion is the processor.

The DPA would describe how Sellion processes personal data solely on documented instructions from you, except where otherwise required by law.

The subject matter of processing is CRM and GTM-related data that you choose to integrate with Sellion, including, where applicable, contact details of prospects and customers, account-level information, and conversation content generated through AI SDR pods.

The purpose of processing is to run AI SDR pods, deliver related analytics and insights, and maintain the Sellion platform and integrations used by your team.

Depending on your configuration, personal data may include:

• Business contact details of your prospects or customers.
• Information about employees or contractors who use the platform (for example, SDRs, AEs, admins).
• Conversation content between your team, AI SDR pods, and external recipients, where such content contains personal data.

The DPA would typically describe categories of data subjects such as your end customers, prospects, and users.

A binding DPA would normally commit Sellion to obligations such as:

• Processing personal data only on your documented instructions.
• Implementing appropriate technical and organizational measures.
• Ensuring personnel with access to personal data are subject to confidentiality obligations.
• Assisting you, where appropriate, with data subject requests or regulatory inquiries related to the services.

Sellion may engage third-party subprocessors (for example, hosting providers or infrastructure vendors) to support the services.

The DPA would typically list or reference a list of approved subprocessors, describe how we vet them, and explain how we will notify you of changes to that list.

A DPA would refer to Sellion's technical and organizational measures to protect personal data, often by attaching or referencing a separate security schedule.

These may include controls related to access management, encryption, logging, incident response, and business continuity. For a qualitative overview, see our Security overview.

If personal data is transferred across borders in connection with the services, a DPA may contain provisions and mechanisms to address applicable transfer requirements (for example, standard contractual clauses or similar frameworks).

The DPA would describe how long personal data is processed in connection with the services, and what happens at the end of the engagement (for example, return or deletion of data, subject to any legal retention obligations).