This DPA is between Viacurrent OÜ (Estonian registry 16798201, Nafta 6-25, Tallinn, Estonia), trading as Jungler.ai (the Processor), and the customer that signs up for or uses our Service (the Controller).
It applies whenever we process personal data on your behalf and forms part of our agreement with you. Use of the Service accepts this DPA. If you want a countersigned PDF, email legal@jungler.ai.
Where this DPA conflicts with our other terms, this DPA wins on data-protection matters.
1. What we process and why
We process the personal data you submit to or generate within Jungler (your "Customer Data") for the sole purpose of running the Service for you. In practice that means:
- Storing the contacts, companies, lists, signals and notes you create in the platform.
- Enriching and de-duplicating records when you ask us to.
- Running prompts, custom fields and AI features against the data you route through them.
- Exporting data to destinations you connect (Clay, Google Sheets, HeyReach, webhooks, etc.).
- Providing support when you ask.
Jungler is intended for business-to-business use. Don't submit special-category data (health, political opinions, etc.) or criminal-conviction data.
2. Who plays which role
You are the controller of Customer Data. We are the processor and act on your instructions, which are defined by this DPA, our other terms, and how you use the Service.
Separately, Jungler is an independent controller for (a) the public professional index we source, maintain, and make searchable, (b) our billing and account records, and (c) usage telemetry. When you save, enrich, export, or otherwise instruct us to process data in your workspace, that processing is covered by this DPA. Our independent-controller activities are covered by our privacy notice and not this DPA.
3. Our commitments to you
We will:
- Process Customer Data only on your instructions, unless we're required by law to do otherwise (in which case we'll tell you first if we can).
- Keep our staff who can access Customer Data under confidentiality.
- Operate the security measures in Annex 2 — Security.
- Help you respond to data-subject requests (access, deletion, etc.) — see Section 5.
- Provide reasonable assistance, on request, with data-protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), to the extent the information you need is already in our possession.
- Tell you about confirmed personal-data breaches without undue delay and within 72 hours of us becoming aware — see Section 6.
- Delete or return Customer Data when our relationship ends — see Section 7.
- Give you enough information to demonstrate compliance and cooperate with reasonable audits — see Section 8.
- Tell you if, in our opinion, an instruction you give us would break the law.
4. Sub-processors
We use a small number of vendors to deliver the Service. The current list lives at jungler.ai/sub-processors and is part of this DPA by reference.
Before adding or replacing a sub-processor, we'll give you at least 30 days' notice by email (to your designated contact, or the billing contact on file). You can object on reasonable data-protection grounds during that period. We'll discuss the objection in good faith; if we can't resolve it together, you can terminate the affected part of the Service without penalty and we'll refund unused pre-paid fees pro-rata.
Each sub-processor is bound to data-protection terms at least as protective as this DPA. We remain responsible to you for what they do.
5. Data-subject requests
We help you respond to requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
If a data subject contacts us directly about your Customer Data, we'll forward the request to you and won't respond except to acknowledge receipt or where required by law.
Where you can action the request yourself through the platform (e.g. delete a record via UI or API), you should do so. For everything else, we'll action verified requests within 30 days.
6. Security incidents
If we become aware of a confirmed personal-data breach affecting your Customer Data, we'll notify you without undue delay and within 72 hours. We'll describe what we know about:
- the nature of the incident and approximate volume of affected records;
- the likely consequences;
- the steps we've taken or are taking to fix it;
- a contact at Jungler for follow-up.
Notification is not an admission of fault or liability.
7. Return and deletion
When our agreement ends, you have 30 days to ask us to return or delete your Customer Data. We'll do whichever you choose within 90 days, including copies held by sub-processors, except where law requires us to keep something.
Backups roll off our standard 30-day cycle and stay protected by Annex 2 in the meantime. If you don't tell us what you want within 30 days, we'll delete.
8. Records and audits
We don't currently hold SOC 2 or ISO 27001 certification. On reasonable written request, we'll share what you need to show compliance with this DPA — typically our current security summary, sub-processor list, and standard security questionnaires upon request.
You can request a live audit if a supervisory authority specifically requires one, or after a confirmed personal-data breach that affected your Customer Data. Audits run on at least 30 days' notice, during business hours, don't unreasonably disrupt us, are limited to matters relevant to your Customer Data, and are subject to confidentiality. You cover your own audit costs and our reasonable costs for any on-site audit.
9. International transfers
Our database and main application servers are in the EU, so Customer Data you send us doesn't leave the EEA at rest. Where a sub-processor sits outside the EEA/UK (see the sub-processors page), we have EU Standard Contractual Clauses (Module 3, processor-to-sub-processor) in place with that vendor directly, plus the UK International Data Transfer Addendum for UK personal data. You don't need to sign anything for those transfers; we handle them as part of sub-processor onboarding.
10. Liability
Liability under this DPA is subject to the limitations in our underlying agreement with you. Nothing in this DPA limits any liability that can't be limited by law, including liability owed to a data subject under Article 82 GDPR.
11. Term, law, miscellaneous
This DPA runs for as long as we process Customer Data on your behalf. Sections that should outlast termination (records, breach, deletion, transfers, liability) do.
Governed by the law of Estonia, unless our underlying agreement says otherwise. The UK Addendum, where it applies, is governed by the laws of England and Wales.
Amendments must be in writing; updates to the security measures and sub-processor list can be made as described in Sections 3 and 4. Acceptance can be by use of the Service, click-through, electronic signature or signed counterparts.
Annex 1 — Description of processing
- Data subjects: your authorised users; and the business contacts you submit, save, enrich, export, or otherwise process in your workspace.
- Categories of personal data: user account data; business contact data (name, business email, phone, employer, role, public profile URLs, public posts/engagement signals, company domain); free-text inputs you provide (prompts, notes, custom-field rules).
- Special-category / criminal data: none; you agree not to submit any.
Subject matter, nature, purpose, duration and frequency are described in Section 1 above.
Annex 2 — Security (summary)
Public summary. A fuller security pack is available under NDA or this signed DPA.
- Hosting: Google Cloud (EU regions) and DigitalOcean (Frankfurt). Both providers maintain ISO 27001 certification.
- Encryption: TLS 1.2+ in transit, AES-256 at rest, secrets in Google Secret Manager.
- Access control: staff access via SSO with mandatory MFA and least-privilege RBAC. Customer sign-in via magic link or supported social provider — we don't store passwords.
- Backups & resilience: daily database backups with 30-day retention. We aim to restore service within one business day of a confirmed loss.
- Engineering hygiene: code review on production changes, automated tests in deploy, dependency and vulnerability scanning, immutable container deploys.
- People: written confidentiality for everyone with access, full-disk encryption on staff devices, access revoked within one business day of departure.
- Incident response: on-call alerting and severity-graded triage; breach notification within 72 hours (Section 6).
- Responsible disclosure: security researchers can report suspected vulnerabilities to legal@jungler.ai. We acknowledge reports within five business days and ask reporters not to publicly disclose until we’ve had a reasonable opportunity to remediate.
Signed for Viacurrent OÜ
Arnold Veltmann, Chief Technology Officer, on behalf of Viacurrent OÜ, Estonian registry 16798201. Effective 19 May 2026.
A countersigned PDF is available on request to legal@jungler.ai.
This document was last updated on May 19th, 2026.