Data Processing Agreement
As of March, 2026
This Data Processing Agreement (“DPA”) applies where Toth-Leanboost processes personal data on behalf of a Client.
1. Roles
The Client acts as data controller.
Toth-Leanboost acts as data processor and processes personal data solely on behalf of the Client.
2. Purpose and Scope
Processing is carried out only to:
deliver consulting, coaching, workshops, and assessment services
enable collaboration and analysis
3. Categories of Data
Personal data may include:
identification and contact data
professional and organizational data
survey responses and feedback
assessment-related insights
4. Duration
Processing continues:
for the duration of the service engagement
until deletion or return is requested
subject to legal retention obligations
5. Instructions
Toth-Leanboost processes data only on documented instructions from the Client unless required by law.
6. Confidentiality
All persons authorized to process personal data are bound by confidentiality obligations.
7. Security Measures
Toth-Leanboost implements appropriate technical and organizational measures including:
role-based access controls
secure hosting environments
restricted administrative access
8. Sub-processors
Approved sub-processors include hosting, payment, storage, and communication providers.
Toth-Leanboost remains responsible for sub-processor compliance.
Clients may object to new sub-processors on reasonable grounds.
9. Assistance
Toth-Leanboost shall reasonably assist the Client in responding to:
data subject requests
supervisory authority inquiries
security incidents
10. Breach Notification
Toth-Leanboost shall notify the Client without undue delay after becoming aware of a personal data breach.
11. Return or Deletion
Upon termination, personal data shall be:
returned
deleted
or anonymized
unless retention is required by law.
12. Liability
Liability for data protection obligations follows the main agreement and applicable law.