Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between BizTech Management LLC ("Processor") and the customer ("Controller") for the provision of the BizTechMgt Service ("Service"). It applies when Processor processes Personal Data on behalf of Controller in connection with the Service.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679) or our Terms of Service.
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Processing" includes collection, recording, storage, alteration, retrieval, transmission, and deletion of Personal Data.
- "Sub-processor" means any third party engaged by Processor to process Personal Data on Controller's behalf.
2. Roles & Responsibilities
Controller determines the purposes and means of processing Personal Data. Controller is responsible for ensuring it has a lawful basis to provide Personal Data to Processor and for the accuracy and quality of that data.
Processor processes Personal Data only on Controller's documented instructions, including with regard to international data transfers. Processor will not process Personal Data for any other purpose.
3. Subject Matter & Nature of Processing
| Subject matter | Provision of the BizTechMgt website-leasing platform |
| Duration | For the term of the subscription, plus a 90-day post-termination retention period |
| Nature of processing | Hosting, storage, retrieval, transmission, and deletion of Customer Content and end-user data |
| Purpose | To provide the Service as described in the Terms of Service |
| Categories of data | Identifying data (names, email, addresses), payment data (via Stripe), donor records, member records, customer records, content/media files |
| Categories of data subjects | Controller's website visitors, donors, members, customers, employees, volunteers |
4. Duration
This DPA applies from the date Controller subscribes to the Service and continues until all Personal Data is deleted or returned per Section 11.
5. Processing Instructions
Processor will process Personal Data only on documented instructions from Controller. Controller's instructions are set out in the Terms of Service, this DPA, and any supplementary written instructions Controller may provide.
Standing instructions. Controller instructs Processor to: (a) process Personal Data only as necessary to provide the Service; (b) never sell, share, or train AI models on Personal Data; (c) implement appropriate technical and organizational security measures; (d) ensure confidentiality of personnel processing data.
6. Sub-processors
Controller authorizes Processor to engage Sub-processors to provide the Service. The current list of Sub-processors is published on our Trust page. Processor will:
- Bind each Sub-processor by written contract to data protection obligations no less protective than this DPA
- Remain liable to Controller for the performance of Sub-processors
- Notify Controller of any new Sub-processor at least 30 days before that Sub-processor begins processing Personal Data
- Allow Controller to object to a new Sub-processor; if no commercially reasonable resolution can be found, Controller may terminate the Service
7. Data Subject Rights
Processor will assist Controller, by appropriate technical and organizational measures, in fulfilling Controller's obligations to respond to Data Subject requests under applicable law (access, rectification, erasure, restriction, portability, objection).
If Processor receives a request directly from a Data Subject relating to Controller's data, Processor will promptly forward the request to Controller and not respond directly except as required by law or instructed by Controller.
8. Personal Data Breach Notification
Processor will notify Controller without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Controller's data. The notification will include: (a) the nature of the breach, (b) categories and approximate number of Data Subjects and records concerned, (c) likely consequences, (d) measures taken or proposed to address the breach and mitigate harm.
Processor will provide Controller with sufficient information and assistance to enable Controller to comply with its own notification obligations under applicable law.
9. International Data Transfers
Where Processor transfers Personal Data outside the European Economic Area, United Kingdom, or Switzerland, Processor relies on appropriate transfer mechanisms including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- UK International Data Transfer Addendum for transfers from the United Kingdom
- Swiss FADP-compliant safeguards for transfers from Switzerland
Processor implements supplementary technical measures including encryption at rest and in transit, pseudonymization where feasible, and access controls limiting Personal Data access to authorized personnel.
10. Audit Rights
Controller has the right to audit Processor's compliance with this DPA. Processor will make available all information reasonably necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by Controller or a mutually agreed independent auditor.
Audits may occur at most once per year (unless required more frequently by a regulator), with at least 30 days' advance notice, during normal business hours, and at Controller's expense (unless the audit reveals material non-compliance).
11. Return & Deletion of Personal Data
Upon termination of the Service, at Controller's choice, Processor will:
- Return all Personal Data via export to a Controller-specified format (CSV, JSON, or SQL dump), or
- Delete all Personal Data from production systems within 30 days of termination, and from backup systems within an additional 30 days
Upon written request, Processor will provide Controller with a certificate of deletion.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) breach of confidentiality obligations, (b) violation of intellectual property rights, (c) gross negligence or willful misconduct, or (d) liability that cannot be limited under applicable law.
Questions about this DPA? Contact privacy@biztechmgt.com or call +1 248-940-1100. Enterprise customers may execute a co-signed copy of this DPA on request.