DATA PROCESSING ADDENDUM (DPA)

Note: This DPA applies only if you are a Business Customer or Organization processing personal data on behalf of others.

1. SCOPE

This DPA applies to the processing of Personal Data by BuddyHQ ("Processor") on behalf of the Business Customer ("Controller").

Processor shall process Data only in accordance with Controller's documented instructions.

Processor ensures that all personnel authorized to process Data are committed to confidentiality.

Processor implements technical safeguards (Encryption, Access Control, MFA) appropriate to the risk.

Controller generally authorizes Processor to engage the following categories of sub-processors:

Cloud Infrastructure: Google Cloud Platform (GCP)
Payment Processing: Stripe
AI Service Providers: Reputable third-party providers of Large Language Models (LLMs) and generative AI services.

Processor remains fully liable for sub-processor performance.

Transfers to the US or India are protected via Standard Contractual Clauses (SCCs).

Processor shall assist Controller (at Controller's expense) in responding to data subject requests (access/delete).