Draft — pending legal review. This page has not been reviewed or
approved by counsel, and contains placeholder text (shown in brackets)
that has not yet been filled in. Do not rely on this document as final
until it has been reviewed and finalized.
Last updated: July 14, 2026
This Data Processing Agreement (“DPA”) is entered into between Gravity GTM, Inc. (“Gravity GTM,” “Processor,” “we,” or “us”), a company organized under the laws of Delaware with a registered address at 2995 55th Street, Unit 17033, Boulder, CO 80308, and the customer entity that has accepted the Horizon Terms of Service (“Controller,” “Customer,” or “you”), in connection with Customer’s use of the Horizon API, MCP server, and/or Slack app (collectively, “Horizon” or the “Service”), operated by Gravity GTM and available at horizon.gravitygtm.com (documentation at docs.gravitygtm.com/horizon).
This DPA supplements and is incorporated by reference into the Horizon Terms of Service. Capitalized terms not defined here have the meaning given in the Terms of Service.
1. Definitions
1.1 “Applicable Data Protection Law” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, where applicable, the EU/UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act as amended (“CCPA”), together with any successor or equivalent legislation.
1.2 “Controller,” “Processor,” “Data Subject,” “Personal Data,” and “Processing” (and their variants) have the meanings given in Applicable Data Protection Law. Where CCPA applies, “Controller” corresponds to “Business” and “Processor” corresponds to “Service Provider,” and this DPA should be read accordingly.
1.3 “Sub-processor” means any third party engaged by Gravity GTM to Process Personal Data on Gravity GTM’s behalf in connection with providing the Service.
1.4 “Customer Data” means the Personal Data submitted to, or looked up through, the Service by or at the direction of Controller in the course of using Horizon.
2. Subject Matter and Duration
2.1 This DPA governs Gravity GTM’s Processing of Personal Data on behalf of Controller in connection with Controller’s use of the Service.
2.2 Processing under this DPA will take place for as long as Controller maintains an active Horizon account, plus any additional period during which Gravity GTM retains Customer Data in accordance with Section 9 (Deletion and Return of Data) or applicable law.
3. Nature and Purpose of Processing
3.1 Gravity GTM Processes Personal Data solely to provide the Service as directed by Controller — namely, to look up, enrich, verify, and return third-party Personal Data in response to queries submitted by Controller. This includes: LinkedIn person and company enrichment; person and company search; email finding and verification; job search; LinkedIn post and engagement data; and general web search, each performed via the specific Sub-processors identified in Section 5.
3.2 Where Controller connects the Horizon Slack app, Gravity GTM additionally Processes the conversational messages Controller’s workspace users send to the Horizon Slack bot, for the purpose of interpreting the request and executing the corresponding lookup(s), as described in Section 5 (Anthropic).
3.3 Gravity GTM Processes Personal Data only on Controller’s documented instructions, as reflected in Controller’s configuration and use of the Service, except where otherwise required by law.
4. Categories of Data Subjects and Personal Data
4.1 Categories of Data Subjects. The individuals looked up through the Service — typically business prospects, contacts, or other individuals identified by Controller in the ordinary course of Controller’s sales, recruiting, or research activity. These individuals are generally not Controller’s own employees, customers, or end users.
4.2 Categories of Personal Data. Depending on the endpoint used, Processing may include: full name; job title; current and past employer(s); LinkedIn profile data (headline, profile URL, work history, education, posts, and engagement activity); business email address and associated deliverability/verification status; and derived signals such as company size, industry, and location. Where the Slack app is used, Processing also includes the content of messages sent to the Horizon bot.
5. Sub-processors
5.1 Controller authorizes Gravity GTM to engage the following Sub-processors as of the effective date of this DPA. This table is maintained in lockstep with the equivalent table in Section 4 of the Horizon Privacy Policy — the two are kept identical and updated together:
| Sub-processor | Role |
|---|
| HarvestAPI | Receives LinkedIn URLs, names, company names/domains, and search terms; returns LinkedIn profile, company, job-posting, and post data. Backs most enrichment endpoints. |
| Findymail | Receives a LinkedIn URL, or a name and domain, to find an email; or an email address to verify it. Returns an email address and/or deliverability verdict. |
| You.com | Receives search queries; returns web search results. |
| Stripe | Payment processor; handles all card data directly for credit pack purchases and free-trial card verification. Gravity GTM never receives or stores raw card numbers. |
| Resend | Transactional email delivery, e.g., a signup confirmation or credit-purchase notification sent to Controller’s registered email address. |
| Upstash (managed Redis) | Stores application state: hashed API keys, credit balances, cached lookup results, and Slack workspace connection records. |
| Vercel | Cloud hosting and infrastructure provider for the Service. |
| Slack | For customers who install the Horizon Slack app: workspace messages the bot participates in, and Slack account tokens, flow through Slack’s platform as an inherent part of that integration. |
| Anthropic (Claude, via Managed Agents API) | For Slack app users only: processes conversational messages sent to the Horizon Slack bot to generate responses and determine which lookups to perform. |
5.2 General authorization. Gravity GTM may engage additional or replacement Sub-processors from time to time. Gravity GTM will provide notice of any new Sub-processor by updating this Section and the corresponding table in the Privacy Policy, and by email to Controller’s registered account contact, in either case at least ten (10) days before the new Sub-processor begins Processing Customer Data. Controller may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Controller’s sole remedy is to terminate the affected portion of the Service.
5.3 Gravity GTM remains responsible for each Sub-processor’s compliance with obligations materially equivalent to those in this DPA.
6. Security Measures
Gravity GTM implements and maintains the following technical and organizational measures:
- API key protection: Customer API keys are stored only as a one-way SHA-256 hash; the plaintext key is displayed once at issuance and cannot be retrieved thereafter, only rotated or revoked.
- Slack credential encryption: Slack bot tokens and workspace API keys stored for Slack-connected workspaces are encrypted at rest using AES-256-GCM, as they must be used to make live calls on the workspace’s behalf.
- Encryption in transit: All connections to the Service use TLS.
- Log minimization: Operational logs contain only metadata (request ID, tenant/account ID, API key ID, endpoint called, credits charged, cache hit/miss status, and timestamps). Logs never contain lookup content — no names, emails, LinkedIn URLs, search queries, or vendor response bodies are logged. Logs are retained no longer than 30 days.
- Access controls limiting internal access to Customer Data to personnel who require it to operate the Service.
7. Assistance with Data Subject Rights
Taking into account the nature of the Processing, Gravity GTM will provide reasonable assistance to Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including access, correction, deletion, and portability requests), insofar as such assistance is within Gravity GTM’s control. Horizon offers a self-service, API-based mechanism (DELETE /v1/cache) for evicting a specific cached lookup result ahead of its natural expiry, given the exact parameters originally used for that lookup; this does not extend to Controller’s own account data, for which deletion requests must be submitted to Gravity GTM at help@gravitygtm.com and will be handled manually by Gravity GTM personnel within a commercially reasonable time.
8. Personal Data Breach Notification
Gravity GTM will notify Controller without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and will provide such information as it has available to assist Controller in meeting its own notification obligations under Applicable Data Protection Law. This notification obligation does not constitute an acknowledgment of fault or liability by Gravity GTM.
9. Deletion and Return of Data Upon Termination
9.1 Cached lookup data ages out automatically regardless of account status: person enrichment, company enrichment, company people-search, company search, person search, and person-email-find results expire from cache within 24 hours; email verification results expire within 60 days. Job search, LinkedIn posts, LinkedIn engagement, and web search results are never cached.
9.2 Following termination or closure of Controller’s account, Gravity GTM will delete or anonymize Controller’s account data (including stored API key hashes and, where applicable, encrypted Slack credentials) within a reasonable period, except to the extent retention is required for legal, tax, or accounting purposes, or to resolve disputes.
9.3 As Horizon does not currently offer a bulk data-export or “return of data” mechanism, Controller should retrieve any lookup results it wishes to retain prior to closing its account.
10. Audit Rights
Upon reasonable prior written request, and no more than once per twelve-month period (unless required by a supervisory authority or following a confirmed breach), Gravity GTM will provide Controller with reasonable information — such as security documentation or responses to a written questionnaire — sufficient to demonstrate compliance with this DPA. Full on-site or third-party audits are not offered as a standard practice and, if requested, are subject to separate written agreement on scope, timing, confidentiality, and cost.
11. International Data Transfers
Where Processing of Personal Data under this DPA involves a transfer across jurisdictions in a manner restricted by Applicable Data Protection Law, the parties will rely on an appropriate transfer mechanism recognized under that law — such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful equivalent — as applicable to the parties’ respective locations at the time of transfer. Nothing in this Section asserts that any specific mechanism is currently executed between the parties; the applicable mechanism, if any, will be documented separately upon request.
12. Liability
Each party’s liability arising out of or related to this DPA, including liability for breach of this DPA by either party or its Sub-processors, is subject to the limitations and exclusions of liability set out in the Horizon Terms of Service. Nothing in this DPA expands either party’s liability beyond what is set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of Delaware, without regard to conflict-of-laws principles, consistent with the governing law provision of the Terms of Service.
14. Acceptance
This DPA is incorporated into, and forms part of, the Horizon Terms of Service. By accepting the Terms of Service — including via clickthrough acceptance during account signup or a subsequent credit purchase — Controller is deemed to have accepted this DPA without further action. Enterprise customers requiring a separately countersigned copy for internal recordkeeping may request one by contacting help@gravitygtm.com.