Strategos Analytics

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Strategos Analytics (“Processor”) and the customer entity that has agreed to the Strategos Analytics Terms of Service or a signed customer agreement (“Controller”). It governs the processing of personal data by Strategos Analytics on behalf of the Controller in connection with the Revenue Navigator platform.

This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR.

1. Definitions

Terms not defined in this DPA have the meanings given in the GDPR. “Personal Data”, “processing”, “data subject”, “controller”, “processor”, and “supervisory authority” have the meanings given in Article 4 of the GDPR.

2. Subject matter and duration

Strategos Analytics processes personal data on behalf of the Controller for the purpose of providing the Revenue Navigator platform — an AI-powered pipeline intelligence service that processes CRM and revenue data to surface actionable sales insights.

Processing begins when the Controller connects a CRM or other data source to Revenue Navigator and continues for the duration of the customer agreement. Upon termination, Strategos Analytics will delete or return all personal data as described in section 9.

3. Nature and purpose of processing

Strategos Analytics processes personal data for the following purposes, strictly as instructed by the Controller:

  • Ingesting and normalising CRM data to power pipeline intelligence features.
  • Generating forecasts, deal health scores, and at-risk deal alerts.
  • Delivering pipeline insights and reports to authorised users of the platform.
  • Maintaining the platform’s integrity, performance, and security.

Strategos Analytics does not process personal data for any purpose other than providing the Revenue Navigator service, and does not use personal data to train AI models shared across customers.

4. Categories of personal data

The personal data processed under this DPA may include:

  • Contact names, job titles, and work email addresses of prospects and customers.
  • Account and company names, industry classifications, and deal values.
  • CRM activity records including call logs, email interactions, and meeting history.
  • Pipeline stage, deal status, and forecast category data.
  • Names and email addresses of the Controller’s sales team members.

Strategos Analytics does not intentionally process special categories of personal data (as defined in Article 9 GDPR). The Controller is responsible for ensuring that no such data is included in CRM data connected to Revenue Navigator.

5. Categories of data subjects

Data subjects whose personal data may be processed include:

  • The Controller’s prospects, leads, and customers.
  • The Controller’s sales, revenue operations, and account management staff.

6. Controller obligations

The Controller confirms that it has a lawful basis to transfer personal data to Strategos Analytics for processing under this DPA. The Controller is responsible for:

  • Ensuring its instructions to Strategos Analytics comply with applicable data protection law.
  • Notifying Strategos Analytics promptly of any instruction it believes may infringe the GDPR.
  • Providing its own privacy notice to relevant data subjects.
  • Ensuring that personal data connected to Revenue Navigator does not include special categories of data.

7. Processor obligations

Strategos Analytics will, in relation to all personal data processed under this DPA:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that all personnel authorised to process personal data are bound by confidentiality obligations.
  • Implement and maintain the technical and organisational measures described in section 10.
  • Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to data subject requests.
  • Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIAs, prior consultation).
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR.
  • Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.
  • Notify the Controller without undue delay of any personal data breach involving Controller data, and in any case within 72 hours of becoming aware of the breach.

8. Sub-processors

The Controller provides general authorisation for Strategos Analytics to engage sub-processors. Strategos Analytics will:

  • Impose data protection obligations on sub-processors equivalent to those in this DPA.
  • Provide the Controller with at least 14 days’ notice before engaging a new sub-processor that will process Controller personal data.
  • Remain liable to the Controller for the acts and omissions of sub-processors.

Current sub-processors used in the delivery of the Revenue Navigator platform include EU-based cloud infrastructure and hosting providers. A current list of sub-processors is available on request at privacy@strategos-analytics.com.

9. Return and deletion of data

Upon termination of the customer agreement, Strategos Analytics will, at the Controller’s election:

  • Delete all personal data processed under this DPA within 30 days of termination, or
  • Return a machine-readable export of the Controller’s data prior to deletion.

Strategos Analytics may retain personal data beyond 30 days where required by applicable law, and only for the period required. The Controller may request early deletion of its data at any time.

10. Technical and organisational measures

Strategos Analytics implements and maintains the following technical and organisational measures to protect personal data:

  • Encryption in transit: All data transferred between the Controller and Strategos Analytics systems is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Customer data is encrypted at rest using AES-256.
  • Access controls: Access to production systems and customer data is restricted to authorised personnel on a least-privilege basis. Multi-factor authentication is required for all internal system access.
  • Data isolation: Each customer’s data is logically isolated. No customer’s data is commingled with another’s.
  • Incident response: Strategos Analytics maintains a documented incident response process to detect, contain, and notify affected customers of any security event in a timely manner.
  • Secure development: Security is integrated into the software development lifecycle, including dependency scanning, code review, and automated security checks.
  • Personnel training: Personnel with access to personal data receive data protection and security training.

For a full description of our current security posture, see our Security overview.

11. Data transfers outside the EEA

Strategos Analytics processes and stores all customer personal data within the European Economic Area. Where any transfer outside the EEA is required (for example, to engage a sub-processor), Strategos Analytics will ensure that appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) under Commission Decision 2021/914 — before any such transfer occurs.

12. Governing law

This DPA is governed by the laws of England and Wales, without regard to conflict of law provisions. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless the GDPR requires a different supervisory authority or court to have jurisdiction.

13. Contact

For questions about this DPA, data protection enquiries, or to request a sub-processor list, contact us at privacy@strategos-analytics.com or via our contact form.