This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service between ARIA INTELLIGENCE PTE. LTD. (“Processor,” “Top Prospect,” “we”) and the customer entering into the Terms (“Controller,” “Customer”). It applies to the extent Processor processes Personal Data on Controller’s behalf in the course of providing the Service.
1. Roles of the Parties
The parties agree that, in relation to Monitored-Group Data (as defined in the Privacy Policy) processed through the Service:
- Customer is the Controller. Customer alone determines which Telegram groups to connect, what criteria to apply, and what action (if any) to take with respect to any individual identified through the Service.
- Top Prospect is the Processor, acting only on Customer’s documented instructions as set out in the Terms of Service, this DPA, and Customer’s in-product configuration (e.g., monitored groups, keyword/semantic rules, retention settings).
Where applicable data protection law uses different terminology (e.g., “business” and “service provider” under certain US state laws), those terms shall be read as equivalent to Controller and Processor respectively for purposes of this DPA.
2. Subject Matter, Duration, Nature and Purpose
- Subject matter: automated monitoring and AI-based analysis of messages in Telegram groups that Customer has connected to the Service, for the purpose of identifying messages matching Customer-defined criteria and notifying Customer accordingly.
- Duration: for as long as Customer maintains an active subscription, plus any post-termination period described in Section 8.
- Nature of processing: collection, automated analysis (including AI/semantic classification), temporary storage, and transmission of matched results to Customer.
- Purpose: to provide the lead/signal-identification functionality of the Service, as instructed and configured by Customer.
3. Categories of Data Subjects and Personal Data
- Data subjects: individuals who post messages in the Telegram groups Customer connects to the Service. (Customer Account Data about Customer’s own personnel is addressed separately in the Privacy Policy and is not the subject of this DPA.)
- Categories of personal data: Telegram username/display name, message content, message timestamp, group identifier, and Top Prospect’s automated assessment of whether the message matches Customer’s configured criteria. Processor does not intentionally seek out, and Customer shall not configure the Service to specifically target, special categories of personal data (Art. 9 GDPR).
3A. Controller (Customer) Obligations
Customer warrants that: (a) it has a valid lawful basis, under all applicable data protection law, for the collection and processing of Personal Data carried out through the Service, including for any subsequent contact it makes with identified individuals; (b) its instructions to Processor, including its configured monitoring rules, comply with applicable law; and (c) it will provide any privacy notices and honor any data subject rights owed directly by Customer as Controller. Customer is solely responsible for assessing whether its use of the Service is lawful in each relevant jurisdiction.
4. Processor Obligations
Processor shall:
- process Personal Data only on documented instructions from Customer (including as set out in the Terms of Service and Customer’s Service configuration), unless required to do otherwise by law, in which case Processor will inform Customer before processing, unless legally prohibited from doing so;
- not use Personal Data processed on Customer’s behalf for Processor’s own purposes, including not using such data to train general-purpose AI/ML models, and not selling, renting, or otherwise monetizing such data independently of providing the Service to Customer;
- ensure persons authorized to process the Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational security measures, as described in Section 6;
- engage sub-processors only in accordance with Section 5;
- taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in responding to data subject requests and in complying with Customer’s obligations regarding security, breach notification, and data protection impact assessments;
- at Customer’s election, delete all Personal Data after the end of the provision of the Service, as further described in Section 8, and delete existing copies unless applicable law requires storage. Processor does not offer a data export/return function; Customer is responsible for extracting or exporting any Personal Data it wishes to retain before triggering deletion;
- make available to Customer information reasonably necessary to demonstrate compliance with this DPA and, no more than once every 12 months (unless following a Personal Data Breach), allow for an audit or inspection conducted by Customer or a mandated third-party auditor bound by confidentiality, upon at least 30 days’ prior written notice and at Customer’s own cost, during normal business hours and without unreasonably disrupting Processor’s operations.
5. Sub-processors
Customer provides general authorization for Processor to engage sub-processors (including cloud hosting providers and AI/LLM inference providers) to support the Service, provided Processor:
- maintains a current list of sub-processors at https://app.topprospect.net/;
- imposes data protection obligations on each sub-processor no less protective than this DPA;
- gives Customer at least 14 days’ notice of any intended new sub-processor via dashboard notice, during which Customer may object on reasonable data-protection grounds; if unresolved, Customer may terminate the affected part of the Service without penalty.
6. Security Measures
Processor implements measures including, at minimum: encryption of Personal Data in transit; access controls limiting internal access to Personal Data on a need-to-know basis; logging and monitoring; and regular review of security practices. A more detailed security overview is available on request under NDA.
7. Assistance with Data Subject Requests and Breaches
Processor will notify Customer without undue delay, and in any event within 48 hours after becoming aware, of a Personal Data Breach affecting Personal Data processed under this DPA, and will provide reasonably requested information to enable Customer to meet any notification obligations under applicable law (including the 72-hour notification window under Art. 33 GDPR, where applicable). Where Processor receives a data subject request directly relating to Monitored-Group Data, Processor will, unless prohibited by law, redirect the request to Customer and provide reasonable assistance to Customer in responding.
8. Data Deletion and Return
Customer controls the retention and deletion of Monitored-Group Data through:
- Configurable retention settings in the dashboard (default: 180 days), after which data is automatically deleted;
- A “Delete All Data” function, available at any time in the dashboard, which immediately and irreversibly deletes all Monitored-Group Data associated with Customer’s account; and
- Account closure/deregistration, which deletes Customer’s Account Data and any remaining Monitored-Group Data, subject to any residual retention required by law (e.g., billing records).
Use of either function under (b) or (c) takes effect immediately upon Customer’s action and does not require a separate request to Processor. Exercising these functions is independent of, and does not by itself entitle Customer to, any refund of fees already paid; refunds are governed exclusively by the Refund Policy at www.topprospect.net/refund-policy.
9. International Transfers
Where Personal Data is transferred outside the EEA/UK (including to Processor’s Singapore headquarters for administrative purposes), the parties agree such transfer is subject to the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated by reference and available at https://app.topprospect.net/, unless another valid transfer mechanism applies.
10. Liability
Each party’s liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service.
11. Term
This DPA remains in effect for as long as Processor processes Personal Data on Customer’s behalf under the Terms of Service, and terminates automatically upon termination of the Terms of Service, subject to Section 8.
12. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls. In all other respects, the Terms of Service control.
13. Contact
Data protection queries relating to this DPA: support@topprospect.net