Data Processing Addendum

(b) It has and will maintain all lawful bases, consents, and authorizations necessary for:

• Collection and Processing of Personal Data
• Disclosure of Personal Data to BBos
• BBos's Processing of Personal Data as contemplated by this DPA and the Agreement
• All international transfers of Personal Data

(c) It has provided and will provide all required notices to Data Subjects, including:

• Privacy notices compliant with Data Protection Laws
• Notice that Personal Data will be Processed by BBos and its Subprocessors
• Notice that Personal Data may be transferred internationally
• Notice that de-identified data may be used for AI training and cannot be deleted

(a) All obligations under Data Protection Laws, including but not limited to:

• Determining lawful bases for Processing
• Providing privacy notices to Data Subjects
• Obtaining all required consents
• Maintaining records of Processing activities
• Conducting Data Protection Impact Assessments (DPIAs)
• Responding to Data Subject requests
• Notifying Supervisory Authorities of breaches
• Ensuring accuracy and quality of Personal Data
• Implementing appropriate security measures on Client's systems

(b) Obligations that do not require BBos to:

• Incur material additional costs or expenses
• Modify the Services or its business operations
• Obtain third-party consents or licenses
• Violate its agreements with third parties
• Disclose confidential or proprietary information

(c) BBos may decline to perform any obligation that it determines, in its reasonable discretion, would:

• Be technically infeasible
• Require disproportionate effort or expense
• Compromise security or availability of the Services
• Violate applicable laws or regulations
• Harm BBos's business interests

(b) BBos will evaluate such requests and may, in its sole discretion:

• Accept the instructions without additional fees
• Accept the instructions subject to additional fees
• Decline the instructions if they:
  • Are not technically feasible
  • Would require modification of the Services
  • Are inconsistent with the Agreement
  • Would violate laws or third-party agreements
  • Would require disproportionate effort

(a) If BBos believes that an instruction violates Data Protection Laws, BBos may (but has no obligation to):

• Inform Client in writing
• Suspend compliance with the instruction
• Terminate the Agreement immediately

(b) BBos has no obligation to:

• Monitor whether Client's instructions comply with law
• Provide legal advice to Client
• Investigate the lawfulness of instructions

(b) It is Client's sole responsibility to:

• Monitor changes to the Subprocessor list at bbos.ai/subprocessors
• Determine whether any Subprocessor changes impact Client's use of the Services
• Take any action Client deems necessary in response to Subprocessor changes

(d) BBos has no obligation to:

• Send email notifications of Subprocessor changes
• Provide advance notice of Subprocessor changes
• Explain reasons for Subprocessor changes
• Respond to Client objections to Subprocessors

(a) If Client objects to a new Subprocessor, Client's sole and exclusive remedy is to:

• Terminate the affected portion of the Services within fifteen (15) days of the Subprocessor change appearing on the website
• Pay all fees through the end of the then-current term
• Receive no refund of any prepaid fees

(d) BBos has no obligation to:

• Provide alternative solutions
• Remove or replace Subprocessors
• Modify the Services to avoid Subprocessors
• Provide refunds or credits

(b) However, Client acknowledges and agrees that:

• BBos's agreements with Subprocessors are confidential and proprietary
• BBos has no obligation to provide copies of Subprocessor agreements
• Subprocessor agreements may contain terms different from this DPA
• BBos's liability for Subprocessors is limited as set forth in Section 13

(b) It is Client's responsibility to:

• Monitor changes to Annex 2 (available at bbos.ai/dpa)
• Determine whether security measures meet Client's requirements
• Implement additional security measures on Client's own systems
• Verify security measures before using the Services

(c) BBos has no obligation to:

• Notify Client of security measure changes
• Consult with Client before changing security measures
• Maintain any specific security certification or standard
• Meet Client's specific security requirements

(c) BBos makes no warranty, representation, or guarantee regarding:

• Prevention of unauthorized access or security incidents
• Detection of security vulnerabilities
• Adequacy of security for Client's specific use case
• Compliance with Client's security policies or requirements
• Meeting any specific security standard or certification

(d) Client uses the Services at its own risk and is solely responsible for:

• Evaluating whether BBos's security measures are adequate for Client's needs
• Implementing additional security measures as Client deems necessary
• Securing Client's own systems, networks, and devices
• Protecting account credentials and access
• Monitoring for unauthorized access

(g) All security incidents caused by:

• Client's negligence or misconduct
• Authorized Users' actions
• Client's failure to maintain security
• Unauthorized use of Client's accounts
• Client's systems being compromised

(b) BBos will not provide Client with:

• Results of security assessments
• Vulnerability reports
• Penetration testing results
• Detailed security documentation
• Security certifications or attestations

Unless Client separately purchases enterprise security documentation at additional cost.

(c) Any security information provided to Client is:

• Confidential and proprietary to BBos
• Provided "as is" without warranty
• Subject to change without notice
• Not a guarantee of security

(a) BBos's assistance is limited to:

• Providing Client with access to Personal Data in BBos's possession that is retrievable through the Services' standard user interface
• Deleting or returning Personal Data upon termination as described in Section 11
• Providing information about BBos's Processing activities as documented in this DPA

(b) BBos has no obligation to:

• Directly communicate with Data Subjects
• Verify Data Subject identities
• Determine whether a request is valid
• Determine applicable legal exceptions or exemptions
• Provide Personal Data in any specific format unless such format is available through the Services' standard functionality
• Retrieve or reconstruct Personal Data that has been deleted, archived, or is not readily accessible
• Create new reports, exports, or data compilations beyond what is available in the Services
• Perform manual data extraction or processing

(d) Client will defend, indemnify, and hold BBos harmless from any claims arising from:

• Data Subject requests
• Client's responses (or failure to respond) to Data Subject requests
• Client's failure to implement appropriate processes for handling Data Subject requests
• Any allegation that Client violated Data Subject rights

(a) If BBos becomes aware of a Personal Data Breach that BBos determines, in its sole discretion, is reasonably likely to result in a risk to Data Subjects, BBos will notify Client within a commercially reasonable time, and in no event more than:

• Seventy-two (72) hours for breaches affecting EEA residents (if legally required)
• Five (5) business days for breaches affecting California residents (if legally required)
• Ten (10) business days for all other breaches

(b) However, BBos's notification obligation is subject to the following conditions and limitations:

• BBos may delay notification if:
  • Required by law enforcement or regulatory authorities
  • Necessary to conduct investigation
  • Necessary to implement remediation measures
  • Disclosure would compromise security
• BBos's notification will be sent to the email address associated with Client's account. It is Client's responsibility to:
  • Maintain accurate contact information
  • Monitor email regularly
  • Implement procedures to receive and respond to notifications
  • Ensure notifications are not blocked by spam filters
• BBos's notification constitutes BBos's sole and complete obligation regarding Security Incidents

(i) BBos has no obligation to provide:

• Root cause analysis
• Detailed technical information
• Information that is confidential or proprietary
• Information about BBos's security measures
• Information about other customers
• Information that could compromise security

(g) All costs, expenses, and liabilities related to breach response, including but not limited to:

• Costs of notifying Data Subjects
• Credit monitoring or identity protection services
• Legal fees and regulatory fines
• Litigation costs and settlements
• Public relations and reputation management
• Business interruption losses

(a) BBos will use commercially reasonable efforts to:

• Investigate the incident
• Implement remediation measures
• Prevent future similar incidents

(b) However, BBos has no obligation to:

• Provide Client with detailed investigation findings
• Implement specific remediation measures requested by Client
• Prevent all future incidents
• Guarantee effectiveness of remediation measures
• Consult with Client regarding remediation

(c) BBos may implement remediation measures that:

• Temporarily disrupt the Services
• Change functionality of the Services
• Require Client to take specific actions

(b) BBos's obligations regarding Security Incidents are limited to:

• Providing the notification described in Section 8.1
• Using commercially reasonable efforts to investigate and remediate
• Cooperating with Client's reasonable requests (subject to fees)

(c) BBos has no liability for Security Incidents caused by:

• Client's negligence or misconduct
• Authorized Users' actions
• Client's failure to maintain security
• Unauthorized use of Client's accounts
• Client's systems being compromised
• Third parties outside BBos's control
• Force majeure events

(a) For Personal Data originating from the EEA, UK, or Switzerland, the parties agree that:

• The Standard Contractual Clauses in Annex 4 apply only to the minimum extent legally required
• If any alternative transfer mechanism becomes available (such as adequacy decisions, approved certifications, or other mechanisms), BBos may rely on such mechanisms instead of SCCs without notice to Client
• Client is responsible for:
  • Determining whether SCCs are necessary for Client's transfers
  • Ensuring Client's own compliance with requirements for using SCCs
  • Implementing supplementary measures if required
  • Monitoring legal developments affecting SCCs

(b) BBos makes no warranty or representation that:

• SCCs provide adequate protection for Client's specific use case
• SCCs will remain valid or enforceable
• U.S. laws comply with EU requirements
• The Services meet EU adequacy requirements

(c) Standard Contractual Clauses are incorporated with the following modifications:

• Clause 7 (Docking Clause): Does NOT apply - third parties may not accede to the Clauses
• Clause 9(a) (Subprocessor Authorization): General authorization with website notification only
• Clause 11(a) (Redress): Optional clause does NOT apply
• Clause 17 (Governing Law): Laws of California, United States (to the extent permitted)
• Clause 18(b) (Forum): Courts of Los Angeles County, California (to the extent permitted)
• Any provisions of SCCs that conflict with the Agreement or this DPA are modified to the maximum extent permitted by law to align with the Agreement and this DPA

(a) If BBos receives a government request for Personal Data, BBos may (but has no obligation to):

• Notify Client if legally permitted
• Challenge requests BBos deems invalid
• Redirect requests to Client where possible

(b) However, Client acknowledges and agrees that:

• BBos may be legally compelled to disclose Personal Data to government authorities under U.S. law, including FISA, national security letters, and other legal process
• BBos may be prohibited from notifying Client of requests or disclosures
• BBos has no obligation to:
  • Challenge government requests
  • Delay compliance with government requests
  • Notify Client of requests
  • Provide copies of government requests
  • Limit disclosures beyond what is legally required
• BBos's compliance with government requests does not breach this DPA or the Agreement

(a) Frequency: Not more than once every two (2) years, unless:

• Required by a Supervisory Authority in connection with a specific investigation of Client
• In response to a Security Incident affecting Client's Personal Data

(d) Auditor Requirements:

• Must be independent third-party auditor (not Client personnel)
• Must be pre-approved by BBos (BBos may reject any auditor)
• Must execute BBos's standard NDA
• Must not be a competitor or work for competitors
• Must carry professional liability insurance of at least $2M

(e) Scope Limitations: Audits are limited to:

• Review of policies and procedures (not technical systems)
• Interviews with designated BBos personnel (subject to availability)
• Review of documentation BBos chooses to provide
• No access to source code, systems, facilities, or other customers' data

(f) Timing: Audits must be conducted:

• During BBos's normal business hours
• At times convenient to BBos
• Without disruption to BBos's operations
• Subject to postponement by BBos for any reason

(b) Client and auditor must:

• Execute BBos's NDA before audit begins
• Not disclose any audit findings, observations, or information to third parties (except as legally required)
• Not use information for any purpose other than verifying BBos's compliance
• Return or destroy all materials provided by BBos after audit concludes

(c) Breach of confidentiality obligations:

• Immediately terminates Client's audit rights
• Entitles BBos to seek injunctive relief
• Makes Client liable for all damages caused by disclosure

(b) BBos will review findings and may, in its sole discretion:

• Agree with findings and develop remediation plan
• Dispute findings and provide explanation
• Take no action if BBos determines findings are inaccurate or immaterial

(c) BBos has no obligation to:

• Implement any specific remediation measures
• Remediate findings within any specific timeframe
• Provide updates on remediation progress
• Allow follow-up audits to verify remediation

(a) Upon termination of the Agreement:

• BBos will provide a thirty (30) day Export Period during which Client may export Customer Data using the Services' standard export functionality
• After the Export Period, BBos may (in its sole discretion):
  • Delete Personal Data
  • Retain Personal Data for any lawful purpose
  • De-identify Personal Data and retain it indefinitely
  • Continue Processing Personal Data as necessary for BBos's business

(b) BBos has no obligation to:

• Return Personal Data to Client
• Delete Personal Data on any specific schedule
• Provide confirmation of deletion
• Maintain Personal Data in any specific format
• Preserve Personal Data for Client

(a) To the extent required or permitted by applicable law, including but not limited to:

• Tax and accounting records (7+ years)
• Financial transaction records (7+ years)
• Employment records (as required by law)
• Litigation holds and legal proceedings (duration of matter + 7 years)
• Regulatory requirements (as required)
• Business records retention policies

(b) For BBos's legitimate business purposes, including but not limited to:

• Preventing fraud, abuse, or security incidents
• Enforcing BBos's rights and agreements
• Defending against legal claims or potential claims
• Complying with audits and investigations
• Maintaining business records and archives
• Historical reference and analysis

(c) In backup, archival, or disaster recovery systems, for up to:

• Two (2) years for standard backups
• Seven (7) years for archival systems
• Indefinitely for business records archives

(d) In aggregated, anonymized, or de-identified form, including:

• Data incorporated into analytics and benchmarking
• Data used for AI training (which cannot be extracted)
• Statistical and research data
• Product improvement data

Such data may be retained indefinitely and is no longer subject to this DPA

(e) Where deletion would:

• Be technically infeasible
• Require disproportionate effort
• Compromise system integrity
• Affect rights of other customers
• Violate agreements with third parties

(a) BBos has no obligation to:

• Provide certification or confirmation of deletion
• Verify that all Personal Data has been deleted
• Delete Personal Data from all systems (including backups)
• Provide deletion timeline or schedule
• Respond to deletion status inquiries

(a) Client may request deletion of specific Personal Data during the Agreement term through:

• The Services' user interface and deletion features
• API calls (where available)
• Written request to dpo@bbos.ai

(b) BBos will use commercially reasonable efforts to process deletion requests within a reasonable time, but has no obligation to:

• Delete data within any specific timeframe
• Confirm deletion
• Delete data from backup systems immediately
• Delete data that BBos is required or permitted to retain

(c) BBos may charge fees for unusual or extensive deletion requests:

• Standard UI deletion: Included
• Bulk deletion requests: $250 per request
• Custom deletion requiring engineering: $200 per hour
• Urgent deletion requests: 2x standard fee

(a) Deletion rights do NOT apply to:

• Aggregated or de-identified data
• Data incorporated into AI models (cannot be extracted)
• Data BBos is required or permitted to retain by law
• Data in backup or archival systems (until automatic deletion occurs)
• Data necessary for BBos's legitimate business purposes

(c) Deletion may not be immediate and may take:

• Up to 30 days for active systems
• Up to 90 days for backup systems
• Up to 2 years for archival systems
• Indefinitely for data BBos is permitted to retain

(b) Retain, use, or disclose Personal Information except:

• To perform the Services under the Agreement
• As permitted by the CCPA
• As permitted by the Agreement (including creating Aggregated Data and AI training)
• For BBos's business purposes as defined in CCPA

(c) De-identified information includes:

• Aggregated data that cannot identify individuals
• Data incorporated into AI models
• Statistical and analytical data

(b) Client acknowledges that:

• BBos's assistance obligations are minimal
• BBos may charge fees for assistance
• Client is solely responsible for responding to Consumer requests
• BBos has no liability for Client's failure to respond to Consumer requests

(c) BBos has no obligation to:

• Respond directly to Consumers
• Verify Consumer identities
• Determine whether to honor Consumer requests
• Meet CCPA deadlines

(b) However:

• BBos may charge a fee of $500 per certification request
• Certification is provided "as is" without warranty
• Certification does not constitute legal advice
• BBos makes no warranty regarding Client's CCPA compliance

(b) Client's sole remedy is to:

• Terminate the Agreement (with no refund)
• Stop using the Services immediately

(c) BBos has no liability for:

• Client's inability to continue using the Services
• Costs of migrating to alternative services
• Business interruption
• Any consequential damages

(b) IN NO EVENT WILL BBOS'S TOTAL LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATED TO THIS DPA EXCEED THE LESSER OF:

• $50 (fifty dollars), OR
• The fees paid by Client in the 12 months preceding the claim

(c) The above cap applies regardless of:

• The legal theory (contract, tort, strict liability, statute, etc.)
• Whether BBos was advised of the possibility of damages
• Whether the limited remedy fails of its essential purpose
• The number of claims or incidents

(d) EXCLUDED DAMAGES: In no event will BBos be liable for:

• Consequential damages
• Indirect damages
• Special damages
• Punitive damages
• Incidental damages
• Lost profits or revenue
• Loss of data
• Loss of goodwill
• Business interruption
• Cost of substitute services
• Regulatory fines or penalties imposed on Client
• Claims by third parties (including Data Subjects)

(a) Client's breach of this DPA or the Agreement, including:

• Failure to have lawful basis for Processing
• Failure to obtain required consents
• Unlawful instructions to BBos
• Failure to respond to Data Subject requests
• Breach of Client's warranties

(b) Acts or omissions of:

• Client
• Authorized Users
• Third parties not engaged by BBos
• Subprocessors (beyond BBos's limited liability in Section 13.3)

(c) Matters beyond BBos's control, including:

• Force majeure events
• Internet failures or disruptions
• Third-party service failures
• Government actions or legal requirements
• Changes in Data Protection Laws
• Invalidation of transfer mechanisms

(d) Client's use of the Services, including:

• Failure to properly configure security settings
• Failure to maintain secure credentials
• Improper or unauthorized use
• Use inconsistent with Documentation

(b) BBos's maximum liability for any Subprocessor failure is limited to the lesser of:

• $50, OR
• The fees paid by Client in the 6 months preceding the failure

(c) Client's sole remedy for Subprocessor failures is to:

• Object to the Subprocessor and terminate as set forth in Section 5.4
• Seek recovery from BBos subject to the caps above

(b) To the maximum extent permitted by law:

• The liability limitations in this Section 13 apply to SCCs
• The Agreement's liability provisions control over conflicting SCC provisions
• Client waives any rights under SCCs that conflict with this Section 13

(a) Client's breach of this DPA, including:

• Breach of Client's warranties and representations
• Failure to have lawful basis for Processing
• Failure to obtain required consents
• Provision of unlawful instructions
• Failure to provide required notices to Data Subjects

(b) Client's violation of Data Protection Laws, including:

• Failure to comply with GDPR, CCPA, or other privacy laws
• Improper handling of Data Subject requests
• Failure to notify Supervisory Authorities or Data Subjects
• Failure to conduct required DPIAs
• Violation of Data Subject rights

(c) Claims by Data Subjects, including:

• Privacy violations
• Unauthorized Processing
• Failure to honor Data Subject rights
• Improper disclosures

(d) Claims by Supervisory Authorities, including:

• Fines and penalties
• Investigation costs
• Compliance orders
• Regulatory enforcement actions

(e) Client's use of the Services, including:

• Improper configuration
• Unauthorized use
• Security incidents caused by Client
• Violation of Acceptable Use Policy

(f) Employment-related claims, including:

• Use of employee monitoring features
• Improper handling of employee data
• Violations of employment laws
• Privacy violations related to employees

(a) BBos will defend, indemnify, and hold Client harmless only from third-party claims that:

• BBos's technology directly infringes a U.S. patent, copyright, or trademark
• But excluding claims arising from:
  • Client's use of the Services in violation of the Agreement
  • Combination of the Services with non-BBos products
  • Modifications to the Services not made by BBos
  • Use of non-current versions when infringement is avoided in current version
  • Content or data provided by Client
  • Use of open source components

(c) BBos may, at its option:

• Procure the right to continue using the Services
• Replace or modify the Services to be non-infringing
• Terminate the Agreement and refund prepaid fees on a pro-rata basis

(a) For Client indemnification of BBos:

• BBos may (but need not) notify Client of claims
• BBos may control defense and settlement
• Client must not settle without BBos's written consent
• Client must pay all costs and damages

(b) For BBos indemnification of Client:

• Client must promptly notify BBos of claims
• Client must give BBos sole control of defense and settlement
• Client must cooperate fully (at BBos's expense)
• Client must not settle without BBos's written consent

(b) Client may NOT:

• Terminate this DPA separately from the Agreement
• Suspend use of the Services due to DPA concerns without terminating the Agreement
• Withhold payment due to DPA concerns

(c) BBos has no obligation to:

• Return Personal Data
• Delete Personal Data on any specific schedule
• Maintain Personal Data after termination
• Provide access to Personal Data after the Export Period

(a) BBos may amend this DPA at any time for any reason by:

• Posting the updated DPA on bbos.ai/dpa
• Updating the "Last Updated" date

(c) BBos has NO obligation to:

• Notify Client of amendments by email
• Provide advance notice of amendments
• Explain reasons for amendments
• Negotiate amendments with Client
• Maintain prior versions

(d) It is Client's sole responsibility to:

• Monitor bbos.ai/dpa for changes
• Review amendments regularly
• Determine whether amendments affect Client's use
• Cease using Services if Client objects to amendments

(f) If Client does not accept amendments, Client's sole remedy is to:

• Terminate the Agreement immediately (with no refund)
• Stop using the Services

(a) BBos may assign this DPA without notice or consent:

• To any Affiliate
• In connection with merger, acquisition, or sale of assets
• To any successor entity
• For any business reason

(b) No third parties have any rights under this DPA, including:

• Data Subjects
• Supervisory Authorities
• Subprocessors
• Any other third parties

(b) To the maximum extent permitted by law, California law applies even for:

• International transfers
• EEA, UK, or Swiss Data Subjects
• Processing in other jurisdictions

(a) ALL DISPUTES ARISING FROM OR RELATED TO THIS DPA MUST BE RESOLVED BY BINDING ARBITRATION in accordance with the Agreement (Section 13), except:

• BBos may seek injunctive relief in court for breach of confidentiality or intellectual property
• Either party may seek temporary restraining orders

(b) Arbitration provisions:

• JAMS Comprehensive Arbitration Rules
• One arbitrator selected by JAMS
• Venue: Los Angeles County, California
• Each party bears its own costs (no fee shifting)
• Discovery limited to what arbitrator permits
• No class or collective actions
• No representative actions
• Arbitrator's decision is final and binding

(a) Notices to Client:

• Posting on bbos.ai constitutes sufficient notice
• Email to account email address (if BBos chooses)
• Notice within the Services (if BBos chooses)

(b) Notices to BBos:

• Must be in writing to:
• Email: dpo@bbos.ai
• Mail: BBos Holdings, LLC, Attn: DPO, 612 S. Cochran Ave. #409, Los Angeles, CA 90036
• Notice is effective only when received by BBos

(c) Client is responsible for:

• Monitoring bbos.ai for notices
• Maintaining accurate contact information
• Ensuring emails from BBos are not blocked