Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ListMatchGenie ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the ListMatchGenie service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person contained in files uploaded by the Controller to the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, matching, cleansing, analysis, and deletion.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
2. Roles and Responsibilities
2.1 Controller
The Controller determines the purposes and means of processing Personal Data. By uploading files containing Personal Data to the Service, the Controller instructs the Processor to process that data for the purpose of providing matching, cleansing, deduplication, and analysis services.
The Controller is responsible for:
- Ensuring a lawful basis exists for processing the Personal Data
- Providing appropriate privacy notices to Data Subjects
- Responding to Data Subject access, rectification, and deletion requests
- Selecting the appropriate data storage region based on applicable legal requirements
2.2 Processor
The Processor processes Personal Data only on documented instructions from the Controller (which are the Controller's use of the Service features) and in accordance with this DPA. The Processor shall:
- Process Personal Data only for the purpose of providing the Service
- Not process Personal Data for any other purpose, including marketing or profiling
- Not sell Personal Data to third parties under any circumstances
- Ensure that persons authorized to process Personal Data have committed to confidentiality
3. Processing Activities
The Processor performs the following processing activities on behalf of the Controller:
3.1 Categories of Data Subjects
Data Subjects are determined by the Controller based on the files uploaded. Common categories include customers, prospects, employees, donors, patients, students, or other individuals whose data the Controller has a lawful basis to process.
3.2 Types of Personal Data
The types of Personal Data processed depend on the files uploaded by the Controller. Common types include:
- Names (first, last, full)
- Addresses (street, city, state, ZIP/postal code, country)
- Contact information (email addresses, phone numbers)
- Identification numbers (account IDs, customer IDs, social security numbers)
- Dates (birth dates, registration dates)
3.3 Processing Operations
- Storage: Uploaded files are stored in Amazon S3 in the Controller's selected region (US, EU, or UK)
- Cleansing: Automated data standardization (format normalization, encoding conversion, whitespace cleanup)
- Matching: Comparing records between source and master files using configured matching algorithms
- Deduplication: Identifying duplicate records within a single file
- AI Analysis: Generating statistical summaries and narratives using only schema-level metadata (column names, data types, aggregate statistics). Raw Personal Data is never sent to AI models.
- Export: Generating downloadable result files (CSV, XLSX, PDF, PPTX)
- Deletion: Permanent removal of files and associated metadata upon Controller request or account deletion
4. Data Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- PII-free database: The application database stores only metadata about uploads (file names, column headers, row counts, job configurations) and account data such as the Controller's login email (see Section 6). The contents of uploaded data records are never written to the database; they remain exclusively in S3.
- Encryption at rest: All files in S3 are encrypted using AES-256 server-side encryption.
- Encryption in transit: All data transmitted between the user's browser, the application, and storage services uses TLS 1.2 or higher.
- Access controls: Every uploaded object is stored under an S3 key prefix specific to the uploading user, and the application only reads, writes, or deletes objects under the requesting user's own prefix. Users cannot access other users' files.
- Authentication: Passwords are hashed with bcrypt. Sessions are managed with signed JWT tokens stored in HTTP-only cookies.
- File validation: Uploaded files are validated for format, size, and content. CSV injection patterns are sanitized.
- Regional isolation: Files are stored exclusively in the region selected by the Controller and are not replicated across regions.
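Two of the measures above, per-user S3 key prefixes and CSV injection sanitization, are application-level checks rather than infrastructure settings, so it is worth showing what they look like in practice. The following is an added example written for this page, not ListMatchGenie's own code. It assumes a key layout of the form `users/<user_id>/uploads/<name>` (a hypothetical convention) and uses the leading characters listed in the OWASP CSV injection guidance (`=`, `+`, `-`, `@`, tab, carriage return) to decide which exported cells must be neutralized.

```python
import csv
import io
import posixpath
import re

# Constructed example, not the project's code. It illustrates the two
# application-level controls from Section 4: object keys scoped to the
# owning user, and formula-injection sanitization on CSV export.

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
_FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")

# Conservative allow-list for the basename of an upload (assumption for this example).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def sanitize_cell(value):
    """Neutralize spreadsheet formula injection in a single exported cell.

    A string whose first non-blank character is a formula leader is prefixed
    with a single quote, which spreadsheet applications display as literal
    text. Values already typed as int/float pass through unchanged, so only
    string cells that merely look like negative numbers pay the quoting cost.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" \t\r\n").startswith(_FORMULA_LEADERS):
        return "'" + value
    return value


def export_csv(rows, fieldnames):
    """Serialize rows to CSV text with every cell sanitized and fully quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def object_key(user_id, filename):
    """Build the S3 key for an upload under the uploading user's own prefix.

    Only the basename of the client-supplied filename is used and it must
    match the allow-list, so '../' or absolute paths cannot move the object
    into another user's prefix.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or not _SAFE_NAME.match(name):
        raise ValueError("unsafe filename: %r" % filename)
    return "users/%s/uploads/%s" % (user_id, name)


def require_owned_key(key, user_id):
    """Authorization check before any GetObject/DeleteObject on behalf of user_id.

    The prefix comparison includes the trailing slash: user "42" must not be
    able to reach keys under "users/420/..." just because "users/42" is a
    string prefix of them. The key is also normalized so "users/42/../43/x"
    is rejected rather than resolved to another user's object.
    """
    prefix = "users/%s/" % user_id
    if not key.startswith(prefix) or not posixpath.normpath(key).startswith(prefix):
        raise PermissionError("%r is outside prefix %r" % (key, prefix))
    return key


if __name__ == "__main__":
    # Constructed sample rows: one hostile cell that would otherwise open
    # a hyperlink or launch DDE when the export is opened in a spreadsheet.
    sample = [
        {"name": "Smith", "balance": -5},
        {"name": "=HYPERLINK(\"http://evil.example\",\"click\")", "balance": 0},
        {"name": "\t=cmd|' /C calc'!A0", "balance": 1},
    ]
    print(export_csv(sample, ["name", "balance"]))
    print(object_key("42", "../../users/43/list.csv"))
    try:
        require_owned_key("users/420/uploads/list.csv", "42")
    except PermissionError as exc:
        print("blocked:", exc)
```

The two checks are deliberately independent: `object_key` controls where a new object lands, while `require_owned_key` is the gate on every later read or delete, so a bug in one does not silently disable the other.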
5. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | File storage (S3), AI processing (Bedrock) | US, EU, or UK (per Controller selection) |
| Railway | Application database, background job processing | US |
| Stripe | Payment processing | US |
| Vercel | Web application hosting, edge routing | Global (edge network) |
The Processor will notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to a new sub-processor by notifying the Processor in writing within 14 days of receiving notice. If the objection cannot be resolved, the Controller may terminate the agreement.
The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. Cross-Border Transfers
For Controllers in the EEA or UK who select the EU or UK data region:
- Uploaded files are stored exclusively in the selected region (EU: Frankfurt, UK: London) and are not transferred to other regions
- AI processing occurs in the same region as data storage via AWS Bedrock regional endpoints
- The application database (Railway, US) stores only PII-free metadata (column headers, row counts, job configurations) — no actual data records
- Where Personal Data must be transferred outside the EEA/UK (e.g., account email to Railway for authentication), such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission
7. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Articles 15-22:
- Access and portability: The Controller can export all uploaded files and match results in standard formats (CSV, XLSX) at any time
- Rectification: The Controller can re-upload corrected files at any time
- Erasure: The Controller can delete individual files or their entire account. Deletion removes all associated files from S3 and metadata from the database.
- Restriction: The Controller can pause processing by not initiating new match jobs
8. Data Deletion
Upon termination of the agreement or upon the Controller's request:
- The Controller has 30 days to export any data they wish to retain
- After 30 days, the Processor will permanently delete all Personal Data from S3 storage and remove all associated metadata from the database
- The Processor will provide written confirmation of deletion upon request
- Backup copies (if any) will be deleted within 90 days of the deletion request
9. Breach Notification
In the event of a personal data breach:
- The Processor will notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach
- The notification will include the nature of the breach, categories of data affected, approximate number of records affected, likely consequences, and measures taken or proposed to address the breach
- The Processor will cooperate with the Controller and provide all information necessary for the Controller to fulfill its notification obligations to supervisory authorities and Data Subjects under GDPR Articles 33 and 34
- The Processor will take immediate steps to contain the breach and minimize its impact
10. Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, either directly or through an appointed auditor, with reasonable advance notice (at least 30 days) and during normal business hours. The Processor will cooperate with such audits.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not limit either party's liability for breaches of data protection law to the extent that such limitation would be prohibited by applicable law.
12. Contact
For questions about this DPA or to exercise rights under it, contact us at dpa@listmatchgenie.com.
