Q: DPA, data location & suppression list on Tier 5 (GDPR)
Hi! I'm about to buy the Tier 5 plan — looks great, my only concern is GDPR since I work with EU contacts.
I read your compliance guide (https://www.cleanlist.ai/blog/2026-03-02-b2b-data-enrichment-compliance-guide), so a few questions before I buy:
- Where do the enriched contacts come from — public business records, opt-in databases?
- Do Tier 5 customers get a signed DPA, and how do I set it up?
- When I send a contact to the API, where does the data get processed — can EU data stay in the EU?
- Can I manage the suppression list via the API, so opted-out contacts aren't returned again later?
Thanks — that's all I need before hitting buy!
Victor_CleanlistAI
Jun 30, 2026A: We don't offer a signed DPA or EU data residency, and the suppression side is handled by our providers rather than something you'd manage through the API. What I can tell you is the data comes from publicly available business records and all our providers support GDPR and CCPA and honor opt-out and deletion requests, so if that works for your setup you're good to go.
Verified purchaser
But your own compliance guide says the opposite, word for word: "Cleanlist meets all five criteria: signed DPA, ... configurable data residency." (https://www.cleanlist.ai/blog/2026-03-02-b2b-data-enrichment-compliance-guide)
As an EU company I need a signed DPA (GDPR Art. 28) — public-record sourcing doesn't waive that. So which is right: the blog, or this answer? Can your legal confirm here?