BccBuddy

Data Processing Agreement

Effective Date: January 16, 2025

Effective Date: January 16, 2025

Entity Name: BCCBuddy, Inc.

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between you ("Customer") and BCCBuddy, Inc. ("Processor," "we," "us," or "our") and governs the processing of personal data by BCCBuddy in connection with your use of our services (the "Services").

This DPA is effective as of the Effective Date of the Agreement and shall remain in effect until the Agreement's termination.

Purpose and Scope

This Data Processing Addendum ("DPA") forms part of the BccBuddy Terms of Service or other written or electronic agreement (the "Agreement") between BccBuddy ("Provider," "we," "us," or "our") and the customer entity that has subscribed to BccBuddy's services ("Customer," "you," or "your"). This DPA applies to the processing of Personal Data submitted by or for Customer to Provider via the BccBuddy services (the "Services"). For example, when you configure a workflow like "Send Onboarding Emails to New Trial Users" or "Notify Sales Team of High-Value Lead," the data processed within these workflows is subject to this DPA.

Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

  • "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including (without limitation) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the California Consumer Privacy Act ("CCPA"), as amended.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Provider on behalf of Customer as a result of, or in connection with, the provision of the Services under the Agreement. This includes data like email addresses in a "Customer List for Monthly Promotions" workflow or contact details in a "Follow-up with Event Attendees" workflow.
  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • "Sub-processor" means any third party engaged by Provider to process Personal Data in connection with the Services.
  • "Controller," "Processor," and "Data Subject" shall have the meanings ascribed to them in the GDPR.

Processing of Personal Data

Roles of the Parties

The Customer is the Data Controller, and BCCBuddy acts as the Data Processor when processing Personal Data under the Agreement.

The scope of this DPA covers all Personal Data processed by BCCBuddy on behalf of the Customer in connection with the Services, such as data used in workflows like "New Lead Nurturing Sequence" or "Customer Feedback Collection."

Details of Processing

  • Subject Matter: The subject matter of the Processing is the provision of the Services by Provider to Customer, as detailed in the Agreement. This includes automating email workflows like "Abandoned Cart Recovery" or "Subscription Renewal Reminders."
  • Duration: The Processing will continue for the duration of the Agreement, unless otherwise agreed upon in writing.
  • Nature and Purpose: The nature and purpose of the Processing are to enable Customer to use the Services to manage and automate email-based workflows, such as sending transactional emails (e.g., "Order Confirmation"), marketing communications (e.g., "Weekly Product Updates"), or internal notifications (e.g., "New Support Ticket Alert").
  • Categories of Data Subjects: The categories of Data Subjects are determined and controlled by Customer and may include Customer's employees, contractors, customers, prospects, suppliers, and business partners.
  • Types of Personal Data: The types of Personal Data are determined and controlled by Customer and may include names, email addresses, contact information, company details, and any other Personal Data that Customer chooses to include in its workflows or email content, such as custom fields like "Last Purchase Date" or "Subscription Tier."

2. Roles and Scope

  • The Customer is the Data Controller, and BCCBuddy acts as the Data Processor when processing Personal Data under the Agreement.
  • Each party agrees to comply with its obligations under applicable data protection laws, including but not limited to the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"), as applicable.

3. Processor Obligations

  • Purpose Limitation: Processor will process Personal Data solely for the purposes described in the Agreement or as instructed by the Customer.
  • Confidentiality: Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Security: Processor will implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or destruction.
  • Data Breach Notification: Processor will notify the Customer without undue delay upon becoming aware of any unauthorized access to or disclosure of Personal Data.
  • Deletion or Return of Data: Upon termination of the Agreement, Processor will delete or return Personal Data to the Customer as requested unless applicable law requires retention.

4. Customer Obligations

The Customer represents and warrants that:

  • It has obtained all necessary consents or lawful bases for processing Personal Data.
  • It will not instruct the Processor to process Personal Data in a manner that violates applicable laws.

The Customer is responsible for ensuring that Personal Data provided to the Processor is accurate and up-to-date.

5. Sub-Processors

  • Authorization: Customer authorizes Processor to engage Sub-processors to provide the Services, subject to this DPA.
  • Sub-processor Obligations: Processor will ensure Sub-processors are bound by obligations that provide the same level of protection for Personal Data as those outlined in this DPA.
  • List of Sub-processors: A current list of Sub-processors can be provided upon request.
  • Notification of Changes: Processor will notify the Customer of any changes to Sub-processors and provide an opportunity to object.

6. International Data Transfers

  • Where the Processor transfers Personal Data outside of the European Economic Area ("EEA") or other jurisdictions requiring data transfer mechanisms, the Processor will ensure such transfers comply with applicable laws.
  • If required, the parties will enter into Standard Contractual Clauses ("SCCs") or other approved mechanisms to ensure lawful data transfers.

7. Data Subject Rights

  • Processor will assist the Customer in responding to requests from data subjects to exercise their rights under applicable laws, including access, rectification, deletion, and portability.
  • Any requests received directly by the Processor will be promptly forwarded to the Customer, unless prohibited by law.

8. Audits and Inspections

  • Processor will make available documentation necessary to demonstrate compliance with this DPA upon reasonable request.
  • The Customer may audit the Processor's compliance with this DPA, provided such audits:
    • Are conducted during regular business hours.
    • Do not unreasonably interfere with Processor's operations.
    • Are subject to reasonable confidentiality and security measures.

9. Limitation of Liability

The liability of each party under this DPA is subject to the limitations set forth in the Agreement, except where prohibited by applicable law.

10. General Provisions

  • Conflict: In the event of any conflict between this DPA and the Agreement, this DPA will prevail concerning the processing of Personal Data.
  • Amendments: This DPA may be updated from time to time to reflect changes in legal requirements or our Services. Continued use of the Services constitutes acceptance of such updates.
  • Governing Law: This DPA is governed by the laws of the State of Delaware, unless otherwise required by applicable data protection laws.

11. Contact Information

For questions regarding this DPA or data protection practices, please contact:

BCCBuddy, Inc.

Registered Agent: United States Corporation Agents, Inc.

131 Continental Drive, Suite 305, Newark, DE 19713

Phone: 302-777-0538

Email: support@bccbuddy.com

By signing or accepting the Agreement, the Customer acknowledges and agrees to the terms of this DPA.