DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B

Internal Use

As part of our due diligence, we require companies that list manage data to supply Leadscale
campaigns to complete this questionnaire and provide the requested evidence. Thank you in
advance for taking the time to complete it. In this agreement, references to “I” and “my”
mean you and your company (if a sole-trader) or the business you work for (if completing on
behalf of a business).

Please note: this is a dynamic questionnaire, so if fields do not appear it will be because of
answers that you have previously given, and the questions are therefore not applicable to you.

YOUR DETAILS
Your Name: [email protected]

Job Title: Media Partnership Director

Email Address: [email protected]

Company Name: Exellius B2B Systems Pvt Ltd

PLEASE SELECT THE MOST APPLICABLE STATEMENT(S)

I supply Leadscale Labs campaigns X

I supply Leadscale Services campaigns X

B2B LEAD SUPPLIER DUE DILIGENCE QUESTIONNAIRE

DATA COLLECTION/SOURCING

1. What marketing channels do you use for third-party offers?

The below-listed channels are our major drivers while executing
third-party offers -

1) Content Gating, Syndication, and Marketing.

2) Email Marketing. (Solus & Newsletters)
3) Telemarketing.
4) Display Advertising.
5) Native Advertising.
2. What legal basis do you rely on for processing your marketing database?

Both

LEADSCALE IS THE PARENT OF LEADSCALE ENGINE, LEADSCALE LABS, LEADSCALE SERVICES AND LEADSCALE HOLDINGS
REGISTERED OFFICE: UNIT 1, 6 OWEN STREET, LONDON, EC1V 7JX
REGISTERED IN ENGLAND AND WALES
LEADSCALE LIMITED | COMPANY NUMBER: 08650664 | VAT NUMBER: GB187 730083
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

a. Please provide full list of capture points where you capture data for use in marketing
(landing pages, LinkedIn etc)
(https://www.exellius.com),(https://www.humanresources-tech.online),(
https://www.manufact-tech.online),(https://www.info-tech.online),(htt
ps://www.channel-tech.online),(https://www.finance-tech.online),(http
s://www.healthcare-tech.online),(https://www.transport-tech.online),(
https://www.engineering-tech.online),(https://www.entertainment-tech.
online),(https://www.nonprofit-tech.online)

3. Do you document consent on a per-record basis?

Yes

a. If so, please explain this process.

We use standardized consent opt-in forms, that are
placed at each and every capture point, where our
'Terms', data privacy statements, and policies are
clearly stated. We clearly outline the type of data
being collected, how it will be used, and stored. The
recorded consent forms for data subjects are kept on
file and linked to their records, for any future
validation. Marketing preferences updated in realtime.
b. If not, please explain your current process for identifying consent

4. Please identify your legitimate interests in processing the data.

Below-mentioned is our legitimate interests in data
processing:
Analyze customer behavior and trends; Personalization;
Protect customer data and ensure compliance with applicable
laws and regulations; Measure and improve the effectiveness
of advertising campaigns; Accurate ICP targeting; Customer
service; Responding to inquiries, resolving issues, managing
complaints; Optimize website performance, and content design
to improve user experience;

5. Do you conduct Legitimate Interest Assessments (LIAs) to ensure that your processing is
lawful?
Yes

a. If so, do you abide by the outcome?

Yes
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

b. Please provide evidence of a legitimate interest assessment for the work you are
going to be carrying out for the company/ies identified on the first page

6. Do you specifically name the third party(ies) who you will be marketing on behalf of?
Yes

7. Do you specifically name the category of companies who you will be marketing on behalf of?
Yes

8. Do your capture points clearly highlight your Privacy Policy/Data Protection statements?

Yes

9. Where are they placed on your data capture points? At what point are they stated/referred
to during a telemarketing call?
Our privacy policy and data protection statements are prominently
displayed on our websites, in the footer of our emails, and at the
point of data capture on any online forms (often above the final
submission CTA). During a telemarketing call, the privacy policy and
data protection statements will be stated and referred to at the
beginning of the call, with a callback during the closure.

10. Do you use brand/trading names?

Yes

a. If so, do you make a clear link back to the main organisational trading name/brand?
Yes

11. At the point of data capture, do you clearly identify yourself and/or the organisation on
whose behalf you are obtaining personal data, the purpose for the data capture, together
with other information so to guarantee fair processing?

Yes
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

TELEMARKETING

1. Do you do telemarketing?
Yes

2. Do you clean telephone data against TPS and CTPS before calling?

Yes

3. Do you call telephone numbers which have been registered on TPS and CTPS for more than
28 days?
No

a. If so, what evidence do you have to demonstrate call recipient permission?

4. Do you specifically name third parties for future marketing consent purposes?
Yes

5. How do you document consent provided by the user over the phone?
We thoroughly document conversations with data subjects over
the phone and take detailed notes. With consent from the
subjects, we record accurate timestamps and the full content
of the discussion by employing automated call audio
recording and transcription services. We inform them of
their rights to opt-out, and the best channels to do so -
and how their information will be used, for what, and how it
will be stored. These records are then stored in secured
servers, and updated in realtime as preferred by subjects.
DATA SCREENING

1. Do you have the ability to suppress individual contact details, from email addresses to
telephone numbers and postal addresses, where an individual has asked not to be
contacted?
Yes

a. Please explain this process.

Yes, we do have the ability to suppress individual contact
details where an individual has asked not to be contacted.
We do this by removing the contact information from our
databases, and ensuring that the individual is not contacted
in any way. Additionally, we maintain a centralized block
list for such DNC contacts, and use automated systems to
detect and block any outgoing communication to such an
individual in question.
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

2. Are telephone numbers, mobile numbers, email addresses and postal addresses cleansed
against your suppression file before use?
Yes

3. Is postal address data cleansed against industry standard files before sending out direct
marketing material?

Yes

4. How do you process suppression files you receive from clients you are marketing on behalf
of?
At Exellius, client suppression files are processed in 4 consecutive
steps - (1) We start by thoroughly reviewing the included data points
to ensure that the required map fields are present. (2) We run
deduplication filters, remove invalid formats, and obsolete profile
information to further clean the list and make it 100% churnable. (3)
Cleaned suppression files are then cross-referenced against the
relevant targeted contact lists from our database, and any matching
profiles are excluded from the outreach initiatives. (4) Final
validation ensuring programs are compliant to suppression.
SUPPRESSIONS

1. Do you have automatic unsubscribe links in the body of every marketing email you send?

Yes

2. How do you communicate your SMS opt-out functions?

We provide detailed instructions on how the customer can
opt-out of receiving SMS messages from us, such as through a
link attached to the end of the message or by responding with a
specific keyword. Additionally, we make sure to include an
opt-out option in all emails sent to our clients so that
customers can easily choose to not receive any future emails or
SMS from Exellius Systems.

3. Is there any manual opt-out required?

Yes

4. If relying on legitimate interests, do you give the opportunity to opt out of marketing when
collecting the data?
Yes

5. If received from a source other than the data subject, do you give them the opportunity to
opt out of their data being processed within a month of collecting the data?

Yes
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

REGULAR CONSENT VALIDATION

1. Do you have a regular database validation process to ensure your data is accurate and up to
date?
Yes

a. Please describe
Yes, we do have a regular database validation process to ensure
our data is accurate and up to date. Our process includes
periodic checks for any outdated information, such as contact
information, job titles, etc. and confirms accuracy against
publicly available sources, and web channels. We also use
predictive analytics to identify trends in data and make
adjustments if needed. According to Exellius' data cleaning and
validation SOPs, every contact profile in our database is
manually validated at least once every 60 days. Any identified
AoIs, updates, or ambiguity is rectified in realtime.
2. Do you have a regular database validation process to ensure your data reflects the current
marketing preferences for each contact?

Yes

a. Please describe.
We regularly review our databases and contact data subjects at
fixed time intervals to confirm that their contact information
and preferences are up to date. Along with the software stacks
and tools that support us while validating preferences and other
contact data points, at every campaign initiation - we manually
review and validate each included profile from the targeted
lists, to ensure preferences are in line.Additionally, our
databases are thoroughly laid out with multi-level customer
marketing preference distinctions, automated in real-time from
the data subject's feedback, and are managed centrally.

3. How do you allow your database to update their preferences and ensure the information
you hold about them is accurate and up to date?
We provide 'Update Preferences' & 'Opt-Out' links over every marketing
communication, email copy, and brand landing page. Privacy Statements
and links to data security policies are included at every marketing
touch-point which states the data subject's rights to privacy, and
explicit instructions on how individuals can unsubscribe from our
mailing lists or database if they wish to do so in the future. Using the
'Update Preferences' links on our digital communications, data subjects
are enabled to update their marketing preferences in real-time, as,
users get access to a simple web form with clear instructions on how to
complete the form, and explanations around what information is needed.
With such web forms, data subjects use simple checkboxes to update their
marketing preferences, and opt-out requests, which we honor in
real-time. We also send out periodic reminder emails to your data
subjects, offering them the chance to review and update preference
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

JOINT-CONTROLLER ARRANGEMENT

1. If processing data as a co-controller, do you execute the relevant agreements?

Yes

a. If so, do you make them accessible to data subjects on request?

Yes

DATA RENTAL & THIRD-PARTY DATA SUPPLY

1. Do you rent or buy data for use in third party marketing?

No

2. Do you check the quality of the supplied data?

a. How?

3. Do you perform due diligence checks on your suppliers?

a. Please describe the checks, alternatively attach a copy as evidence

4. Do you have list/data rental agreements in place with all of them which cover unacceptable
use and GDPR Provisions?
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

5. What legal basis are they relying on for providing the data to you?

6. Do you require documented evidence of consent or legitimate interest assessment from

them?

a. Please describe what evidence you request, or provide an example

7. Do you test the validity of the consent provided? (E.g. by testing the capture form)

a. Please describe the process.

Do you use them to…

8. Make calls on your behalf?

9. Manage and deliver email marketing campaigns on your behalf?

DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

10. Manage and deliver SMS marketing campaigns on your behalf?

11. Manage and deliver direct mail marketing campaigns on your behalf?

Do you train their employees with respect to…

12. How they should process your data?

13. How they should carry out the services you have agreed to?

Do you check whether they…

14. Properly screen against relevant preference service files?

15. Abide with the same procedures outlined in this audit?

16. Do you require secure transfer mechanisms?

17. Do you pass details of any opt-out requests or data corrections back to them?
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

GENERAL DATA MANAGEMENT

1. What Data Protection training do you offer staff and how often?
We offer data protection training to our staff on an annual basis.
This training is designed to ensure that our staff have a full
understanding of their responsibilities as an employee and how to
handle data properly and securely. We also run refresher courses for
staff who have been trained previously, to ensure that all staff are
aware of the latest changes to the data protection laws and
practices.

2. How do you ensure your staff know where the individual’s data has come from when data
subjects ask?
We maintain detailed technographic records while acquiring every
piece of data in our systems. They include but are not limited to
timestamps, sources, IP information, etc. Using a combination of
diverse CRM systems and thoroughly labeled data sets - we ensure
that all information about data sources is easily accessible and up
to date, so that relevant staff can quickly answer questions if
they arise. We have developed clear processes for handling requests
for information about data sources, and ensure that all staff are
trained on data protection and privacy policies.
3. Do you train staff with data management responsibility on CTPS requirements?

Yes

4. Do you have a Data Retention policy?

Yes

5. Do you retain UK personal data for longer than the purpose for which it was initially
collected?
No

a. If so, what are your reasons for justifying the retention of personal data post a
marketing campaign?

6. Do you have an ISMS?

Yes
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use

7. Who is the person responsible for data protection in your organisation? Please provide their:

a. Name [email protected]

b. Job title Media Partnership Director

[email protected]
c. Email

d. Telephone number +919503292454

I confirm that the information I have provided in this document is true and correct to the best of my
knowledge. I understand that any information that is found to be untrue or misleading will give
Leadscale the right to terminate my contract for services, and take any action required to comply
with Data Protection rules, safeguard personal data or prevent damage to Leadscale.
I confirm that Leadscale (and any of its subsidiaries) reserve the right to audit me to verify
compliance with the above terms.
I give Leadscale the right to retain a copy of this document and the contact information contained
for administrative purposes and for future reference.
In the event that Leadscale has a claim for non-compliance or damage, it may withhold any money
due to you, in whole or part, and require reasonable security for damage, legal costs and expenses
of defending any claim against Leadscale resulting from your non-compliance. You agree to
indemnify Leadscale for any costs, damage or expenses Leadscale incurs through your
noncompliance.
Any non-compliance under this agreement shall be deemed to be a breach of warranty
DocuSign Envelope ID: 9B4E9AE1-F950-4F63-BE7C-F5337196D98B
Internal Use