Data Processing Addendum (DPA)
For Enterprise Clients and GDPR Compliance
Last Updated: December 2025
About This DPA
This Data Processing Addendum ("DPA") forms part of the service agreement between Beelog Digital Marketing Agency ("Processor") and the client ("Controller") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
1. Definitions and Interpretation
1.1 Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Controller": The client who determines the purposes and means of processing personal data
- "Processor": Beelog Digital Marketing Agency, which processes personal data on behalf of the Controller
- "Personal Data": Any information relating to an identified or identifiable natural person as defined in applicable data protection laws
- "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion
- "Sub-processor": Any third party engaged by Beelog to process personal data on behalf of the Controller
- "Data Subject": An identified or identifiable natural person whose personal data is processed
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council
- "SCCs": Standard Contractual Clauses approved by the European Commission
1.2 Incorporation
This DPA is incorporated into and forms part of the service agreement between the parties. In the event of conflict between this DPA and the service agreement, this DPA shall prevail with respect to data protection matters.
2. Scope and Applicability
2.1 Scope of Processing
This DPA applies to all processing of personal data by Beelog as Processor on behalf of Controller in connection with the provision of digital marketing services, including but not limited to:
- Facebook Ads campaign management and optimization
- Google Ads campaign management and optimization
- Shopify store optimization services
- Marketing analytics and performance reporting
- Strategy development and consultation
2.2 Categories of Data
The personal data processed may include the following categories:
- Contact Information: Names, email addresses, phone numbers
- Commercial Data: Purchase history, transaction data, customer behavior
- Online Identifiers: IP addresses, cookie identifiers, device IDs
- Analytics Data: Website interactions, ad engagement, conversion events
- Demographic Data: Age range, gender, location (if provided by platform)
2.3 Data Subjects
Processing may involve personal data relating to the following categories of data subjects:
- Controller's customers and prospective customers
- Website visitors and users
- Social media platform users who interact with advertisements
- Newsletter subscribers and marketing contact lists
2.4 Processing Activities
The nature and purpose of processing include:
- Advertising Delivery: Creating, managing, and optimizing advertising campaigns
- Audience Targeting: Building and managing custom audiences for ad targeting
- Analytics and Reporting: Measuring campaign performance and generating reports
- Conversion Tracking: Tracking user actions and conversions from advertisements
- A/B Testing: Testing different ad creatives and targeting strategies
3. Processor's Obligations
3.1 Lawful Processing
Beelog shall:
- Process personal data only on documented instructions from the Controller, including transfers to third countries or international organizations, unless required by applicable law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Not process personal data for any purpose other than as instructed by the Controller
- Immediately inform the Controller if, in its opinion, an instruction violates applicable data protection laws
3.2 Purpose Limitation
Beelog shall process personal data only to the extent necessary to provide the services specified in the service agreement and shall not use personal data for any other commercial purpose without the Controller's prior written consent.
4. Security Measures
Technical and Organizational Measures
Beelog implements comprehensive security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.
4.1 Technical Security Measures
- Encryption in Transit: TLS 1.3 encryption for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access control (RBAC) and principle of least privilege
- Authentication: Multi-factor authentication (MFA) for sensitive systems
- Network Security: Firewalls, intrusion detection systems, and network segmentation
- Security Monitoring: 24/7 automated monitoring and threat detection
- Vulnerability Management: Regular security assessments and penetration testing
- Secure Development: Security-by-design principles and code review processes
4.2 Organizational Security Measures
- Data Minimization: Collect and process only necessary personal data
- Employee Training: Regular data protection and security training for all staff
- Confidentiality Agreements: All employees sign confidentiality agreements
- Access Management: Documented procedures for granting, reviewing, and revoking access
- Incident Response: Documented incident response and breach notification procedures
- Vendor Management: Due diligence and contractual safeguards for sub-processors
- Data Retention: Documented retention schedules and secure deletion procedures
- Audit and Compliance: Regular internal audits and compliance reviews
4.3 Infrastructure Security
Beelog utilizes enterprise-grade cloud infrastructure with the following certifications and compliance standards:
- SOC 2 Type II certified infrastructure providers
- ISO 27001 certified data centers
- GDPR-compliant hosting and data processing facilities
- Physical security controls including restricted access and 24/7 monitoring
- Redundant systems and regular backups for business continuity
5. Sub-processors
Third-Party Service Providers
Beelog engages certain sub-processors to assist in providing services. The Controller consents to Beelog's use of the sub-processors listed below.
5.1 Authorized Sub-processors
Supabase (Database & Authentication)
- Purpose: Database hosting, authentication services, and backend infrastructure
- Data Location: United States, European Union (region-specific)
- Certifications: SOC 2 Type II, ISO 27001
- DPA: supabase.com/dpa
Stripe (Payment Processing)
- Purpose: Payment processing and subscription billing
- Data Location: United States, European Union
- Certifications: PCI DSS Level 1, SOC 2 Type II, ISO 27001
- DPA: stripe.com/legal/dpa
Resend (Email Services)
- Purpose: Transactional email delivery and notifications
- Data Location: United States
- Certifications: GDPR compliant, SOC 2 Type II in progress
- Privacy: resend.com/legal/privacy-policy
Meta Platforms, Inc. (Facebook/Instagram Ads)
- Purpose: Advertising campaign management via Meta Marketing API
- Data Types: Ad account data, campaign metrics (impressions, clicks, conversions, spend), audience insights, ad creative performance, conversion tracking and attribution data
- Data Location: United States, European Union (region-specific data centers)
- Legal Basis: Controller's direct business relationship with Meta; Beelog acts as authorized service provider
- Certifications: ISO 27001, SOC 2, EU-U.S. Data Privacy Framework participant
- Compliance: Meta Data Policy, Meta Platform Policy
- DPA/Terms: Meta Data Processing Terms
- Note: Controller maintains a direct contractual relationship with Meta through its ad account. Data processing is governed by Meta's terms and Controller's agreement with Meta.
Google LLC (Google Ads)
- Purpose: Advertising campaign management via Google Ads API with OAuth 2.0 authorization
- Data Types: Google Ads account data, campaign performance metrics (impressions, clicks, conversions, cost), keyword and search term data, conversion tracking, ad creative performance, remarketing list data (aggregated)
- Data Location: United States, European Union, global data centers with regional data residency options
- Legal Basis: Controller's direct business relationship with Google; OAuth authorization; Beelog as authorized API user
- Token Security: OAuth access tokens and refresh tokens encrypted with AES-256; stored securely with restricted access
- API Scope: Limited to google.ads scope for advertising management only; no access to other Google services
- Certifications: ISO 27001, SOC 2, SOC 3, EU-U.S. Data Privacy Framework participant
- Compliance: Google Privacy Policy, Google API Services User Data Policy
- DPA: Google Ads Data Processing Terms
- Note: Controller maintains a direct contractual relationship with Google through its Google Ads account. Data processing is governed by Google's terms and Controller's agreement with Google.
5.2 Sub-processor Obligations
Beelog shall:
- Enter into written agreements with sub-processors imposing data protection obligations equivalent to those in this DPA
- Conduct due diligence on sub-processors before engagement to ensure adequate security measures
- Remain fully liable to the Controller for any sub-processor's failure to fulfill data protection obligations
- Provide at least 30 days' notice before adding or replacing sub-processors
5.3 Right to Object
Controller may object to the appointment of a new sub-processor within 14 days of receiving notice. If Controller reasonably objects, the parties shall work together in good faith to find a commercially reasonable solution. If no solution is found, either party may terminate the affected services.
6. Data Subject Rights
6.1 Assistance with Requests
Beelog shall, taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to data subject requests, including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
6.2 Response Timeline
If Beelog receives a data subject request directly, it shall forward the request to Controller within 2 business days. Beelog shall provide reasonable assistance to Controller in responding to data subject requests within the legal timeframes (typically 30 days under GDPR).
6.3 Cooperation Fees
Assistance with data subject requests is included in the service fees. However, if a request requires extraordinary effort (e.g., extensive manual data retrieval), Beelog may charge reasonable fees after providing an estimate to Controller.
7. Data Breach Notification
Security Incident Response
Beelog maintains documented procedures for detecting, investigating, and responding to personal data breaches.
7.1 Notification Obligation
Beelog shall notify Controller without undue delay and in any event within 24 hours after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- Description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected
- Contact point for obtaining more information
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its effects
7.2 Investigation and Remediation
Following a breach, Beelog shall:
- Conduct a thorough investigation to determine the root cause
- Take immediate steps to contain and remediate the breach
- Provide regular updates to Controller throughout the investigation
- Cooperate with Controller in notifying supervisory authorities and data subjects if required
- Implement measures to prevent similar breaches in the future
- Provide a final written report within 30 days of resolution
7.3 Regulatory Reporting
Controller remains responsible for determining whether to report the breach to supervisory authorities and data subjects. Beelog shall provide all reasonably requested assistance to facilitate such notifications within legal timeframes (72 hours for supervisory authorities under GDPR).
8. Data Transfers
8.1 International Transfers
Processing of personal data may involve transfers to countries outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws. Such transfers are governed by appropriate safeguards as described below.
8.2 Transfer Mechanisms
Where personal data is transferred outside the EEA or UK, Beelog ensures appropriate safeguards through one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Module 2: Controller to Processor) incorporated by reference into this DPA
- UK International Data Transfer Agreement (IDTA): For transfers subject to UK GDPR
- Adequacy Decisions: Transfers to countries with adequacy decisions from the EU Commission or UK government
- Binding Corporate Rules: Where applicable, transfers within corporate groups with approved BCRs
8.3 Standard Contractual Clauses
The parties agree that the EU Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Module 2: Controller to Processor), as adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, are incorporated into this DPA by reference.
SCC Selections:
- Optional Clause 9(a): Governing law shall be the law of the State of Delaware, with the parties agreeing to submit to the jurisdiction of Delaware courts
- Clause 11(a): The optional redress clause is not selected
- Clause 17: The parties select Option 1 (general written authorization for sub-processors)
- Clause 18: Data subjects may be represented by a not-for-profit body, organization, or association
- Annex I: The details of processing are as specified in Section 2 of this DPA
8.4 Supplementary Measures
In addition to SCCs, Beelog implements supplementary technical and organizational measures to ensure appropriate safeguards for international data transfers, including encryption, pseudonymization, and access controls as described in Section 4 of this DPA.
9. Audits and Compliance
9.1 Audit Rights
Controller may, upon reasonable notice (at least 30 days) and during normal business hours, conduct audits (including inspections) to verify Beelog's compliance with this DPA. Such audits shall not unreasonably interfere with Beelog's business operations.
9.2 Information and Documentation
Beelog shall make available to Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. This includes:
- Security and data protection policies and procedures
- Third-party security certifications and audit reports (e.g., SOC 2, ISO 27001)
- Sub-processor lists and agreements
- Incident response documentation
- Training records for personnel handling personal data
9.3 Audit Costs
Controller shall bear all costs associated with audits, including travel expenses and reasonable compensation for Beelog's time if the audit requires significant resources. If an audit reveals material non-compliance, Beelog shall bear its own costs for remediation.
9.4 Third-Party Audits
Instead of conducting its own audit, Controller may accept Beelog's most recent third-party audit reports (SOC 2 Type II, ISO 27001, or similar) as evidence of compliance, subject to appropriate confidentiality agreements.
10. Data Retention and Deletion
10.1 Retention Period
Beelog shall retain personal data only for the duration of the service agreement and as necessary to fulfill its obligations. Standard retention periods:
- Active Client Data: Duration of service agreement plus 30 days for transition
- Campaign Data: Retained for 90 days after campaign end for reporting purposes
- Billing Records: 10 years for tax and accounting compliance (IRS and Delaware corporate law requirements)
- Backup Data: Automatically purged after 90 days
10.2 Data Deletion
Upon termination or expiration of the service agreement, Beelog shall, at Controller's choice:
- Return: Return all personal data to Controller in a commonly used machine-readable format within 30 days
- Delete: Securely delete all personal data, including backups, within 90 days and provide written certification of deletion
10.3 Legal Retention Requirements
Notwithstanding the above, Beelog may retain personal data to the extent required by applicable law (e.g., tax records, dispute resolution) and shall continue to protect such data in accordance with this DPA. Beelog shall notify Controller of any such retention requirements.
10.4 Secure Deletion Methods
Deletion shall be performed using industry-standard secure deletion methods, including:
- Cryptographic erasure of encryption keys
- Multiple-pass overwriting of data storage
- Physical destruction of storage media when decommissioned
- Deletion verification through audit logs
11. Liability and Indemnification
11.1 Processor Liability
Each party's liability arising under this DPA shall be subject to the limitation of liability provisions in the service agreement, except that:
- Liability for data breaches caused by Beelog's gross negligence or willful misconduct shall not be limited
- Liability for violations of data protection laws due to Beelog's failure to follow Controller's documented instructions shall not be limited
- Beelog's liability for sub-processor breaches shall be unlimited (Beelog remains fully liable for sub-processors)
11.2 Mutual Indemnification
Each party shall indemnify, defend, and hold harmless the other party from claims, losses, and expenses (including reasonable attorneys' fees) arising from:
- The indemnifying party's breach of its obligations under this DPA
- The indemnifying party's violation of applicable data protection laws
- Claims by data subjects based on the indemnifying party's non-compliance
11.3 Defense and Settlement
The indemnifying party shall have the right to control the defense and settlement of any indemnified claim, provided that any settlement requiring the indemnified party to admit liability or pay money shall require the indemnified party's prior written consent, not to be unreasonably withheld.
12. Term and Termination
12.1 Term
This DPA shall commence on the effective date of the service agreement and remain in effect until all personal data has been deleted or returned in accordance with Section 10.
12.2 Survival
The following provisions shall survive termination of this DPA:
- Confidentiality obligations (indefinitely)
- Data deletion and return obligations (until completed)
- Audit rights (for 2 years post-termination)
- Liability and indemnification provisions (as per applicable statutes of limitations)
- Dispute resolution provisions
12.3 Effect of Termination
Upon termination, Beelog shall immediately cease processing personal data except as necessary to comply with data return/deletion obligations or as required by law. All sub-processing agreements shall be terminated unless legally required to be maintained.
13. General Provisions
13.1 Amendments
This DPA may be amended only by mutual written agreement of both parties, except where amendments are required by law or by supervisory authorities, in which case Beelog may amend this DPA upon 30 days' written notice to Controller.
13.2 Precedence
In the event of any conflict or inconsistency between this DPA and the service agreement, this DPA shall take precedence with respect to data protection matters.
13.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves the same or similar effect.
13.4 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware. However, nothing in this choice of law shall exclude or limit the application of mandatory data protection laws, including GDPR and UK GDPR, where applicable.
13.5 Dispute Resolution
Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the service agreement. However, Controller and Beelog agree that data subjects in the EU/EEA have the right to bring claims before competent supervisory authorities or courts in their Member State of habitual residence.
13.6 Language
This DPA is written in English. In the event of any conflict between the English version and any translation, the English version shall prevail.
14. Contact Information
For questions about this DPA or to exercise audit rights, contact:
Data Protection Officer:
Email: privacy@beelog.agency
Address: Beelog Digital Marketing Agency
c/o Legalinc Corporate Services, Inc.
651 N Broad St, Suite 201
Middletown, DE 19709
Phone/WhatsApp: +639952745596
For legal inquiries:
Email: legal@beelog.agency
Controller should provide their designated data protection contact information when executing this DPA.
Execution of DPA
This Data Processing Addendum forms an integral part of the service agreement between Controller and Processor. By executing the service agreement or continuing to use Beelog's services after this DPA becomes effective, both parties agree to be bound by the terms of this DPA.
For enterprise clients requiring a separately executed DPA with original signatures, please contact us at legal@beelog.agency to arrange execution.
Document Information:
Version: 1.0
Last Updated: January 2025
Review Frequency: Annually or as required by law
Next Scheduled Review: January 2026