Data Processing Agreement
Last updated: April 18, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Shot ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "Client"). This DPA governs the processing of personal data by Shot on behalf of the Client in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Shot on behalf of the Client.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means any third party engaged by Shot to process Personal Data on behalf of the Client.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.
2. Subject Matter and Duration
This DPA applies to the processing of Personal Data by Shot as described in the Terms of Service. The duration of processing corresponds to the term of the Client's subscription. Upon termination, the provisions of Section 12 (Return and Deletion) apply.
3. Nature and Purpose of Processing
Shot processes Personal Data to provide its GTM intelligence platform, which includes:
- Ingesting and analyzing CRM data (contacts, deals, pipeline stages) to generate revenue insights.
- Processing meeting notes, call transcripts, and email content through AI agents.
- Scoring leads and prioritizing outreach based on behavioral signals.
- Executing automated workflows such as follow-up emails and Slack notifications.
- Providing analytics dashboards and AI-generated recommendations.
Processing is carried out on documented instructions from the Client, as defined by the Client's configuration of the Service.
4. Types of Personal Data
The following categories of Personal Data may be processed:
- Contact information: names, email addresses, phone numbers, job titles, company names.
- Deal and pipeline data: deal values, stages, close dates, associated contacts.
- Communication content: email bodies, meeting transcripts, call notes, chat messages.
- Behavioral data: engagement scores, activity timestamps, interaction history.
- Account data: Client user names, email addresses, and profile information.
5. Data Subject Categories
Personal Data may relate to the following categories of Data Subjects:
- Prospects and leads of the Client.
- Existing customers of the Client.
- Business contacts and partners of the Client.
- Employees and authorized users of the Client.
6. Processor Obligations
Shot shall:
- Process Personal Data only on documented instructions from the Client, unless required by applicable law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments.
- Assist the Client in fulfilling its obligations to respond to Data Subject requests.
- Assist the Client in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities.
- Make available to the Client all information necessary to demonstrate compliance with this DPA.
- Not engage a Sub-processor without prior written authorization from the Client (see Section 7).
7. Sub-processors
The Client provides general authorization for Shot to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and storage (PostgreSQL) | EU (eu-west-3) |
| OpenAI | AI processing, language model inference | United States |
| Composio | Tool orchestration and third-party integrations | United States |
| Resend | Transactional email delivery | United States |
Shot shall:
- Inform the Client of any intended changes to Sub-processors, giving the Client the opportunity to object within 30 days.
- Impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a contract.
- Remain fully liable to the Client for the performance of each Sub-processor's obligations.
8. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Shot shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Verification that the Sub-processor maintains adequate data protection measures.
- Compliance with any additional requirements imposed by applicable data protection laws.
The Client acknowledges that certain Sub-processors (OpenAI, Composio, Resend) are located in the United States. Shot ensures that transfers to these Sub-processors are covered by appropriate SCCs.
9. Breach Notification
In the event of a Data Breach, Shot shall:
- Notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Client with sufficient information to enable the Client to meet its obligations to report the breach to the Supervisory Authority and affected Data Subjects.
- Cooperate with the Client and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of the data protection point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
10. Data Subject Rights
Shot shall assist the Client in responding to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Shot shall promptly forward any Data Subject request received directly to the Client and shall not respond to such requests without the Client's prior written authorization, unless required by law.
11. Audit Rights
The Client has the right to conduct audits, including inspections, to verify Shot's compliance with this DPA. Shot shall:
- Make available all information necessary to demonstrate compliance.
- Allow and contribute to audits conducted by the Client or an independent auditor mandated by the Client, subject to reasonable advance notice (minimum 30 days).
- Immediately inform the Client if, in Shot's opinion, an instruction from the Client infringes the GDPR or other applicable data protection law.
Audits shall be conducted during normal business hours, with minimal disruption to Shot's operations, and subject to reasonable confidentiality obligations.
12. Return and Deletion
Upon termination of the Service:
- Shot shall, at the Client's election, return all Personal Data to the Client in a standard, machine-readable format or delete all Personal Data within 30 days of receiving the Client's written instruction.
- Shot shall delete all existing copies of Personal Data unless applicable law requires further storage.
- Shot shall provide written certification of deletion upon the Client's request.
Data retained in encrypted backups shall be deleted in accordance with the backup rotation schedule, not exceeding 90 days from termination.
For questions about this Data Processing Agreement, contact us at privacy@shot.so.