Skip to content

Customer Data Processing Addendum

This Data Processing Addendum (“DPA”) is made and entered into as of the Effective Date of the Master Subscription Agreement (the “SaaS Agreement” or “Agreement”), by and between the customer identified in the signature box (“Customer”) and Bevy Labs, Inc. (“Bevy”). The parties have entered into the Agreement for the provision of certain services, including access to the software platform available at www.bevy.com.

This DPA is supplemental to the SaaS Agreement and outlines the requirements for processing personal data subject to Applicable Data Protection Legislation (defined below) and which Bevy processes as a processor (defined below) on Customer's behalf. Except for the changes made by this DPA, the SaaS Agreement remains unchanged and in full force and effect. If there is any conflict between the terms of this DPA and the SaaS Agreement, the terms of this DPA shall prevail.

1. Definitions

Affiliate: Any entity that is directly or indirectly controlled by, controlling, or under common control with a party.

Applicable Data Protection Legislation: Data protection and privacy laws of Europe and the U.S., including GDPR, UK GDPR, Swiss DPA, CCPA, VCDPA, CPA, CTDPA, UCPA, and others as applicable.

Europe: The EEA, Switzerland, and the UK.

Good Industry Practice: Using the same skill, expertise, and judgment expected from a professional in compliance with applicable law.

Restricted Transfer: A transfer of personal data outside the EEA, UK, or Switzerland that lacks an adequacy determination.

Security Breach: A breach leading to unauthorized destruction, loss, or access to personal data, excluding unsuccessful attempts like failed log-ins or network scans.

Services: The services provided by Bevy under the SaaS Agreement.

Standard Contractual Clauses (SCCs): EU SCCs and UK SCCs as required for data transfers.
Subprocessor: Any third party engaged by Bevy to process personal data, including affiliates but excluding Bevy employees, contractors, or consultants.

2. Scope

Customer is either a controller or a processor on behalf of a third-party controller, and Bevy is a processor regarding personal data processed under the SaaS Agreement.

3. Data Protection

Bevy shall:

Process personal data per Customer’s written instructions and Applicable Data Protection Legislation.

Implement and maintain technical and organizational security measures as outlined in Schedule B.

Engage Subprocessors only with prior notice to the Customer. If Customer does not object within 30 days, the Subprocessor is deemed pre-approved.

Ensure confidentiality and security of personal data by properly training personnel.

Assist Customer in responding to data subject requests and fulfilling regulatory obligations.
Not retain personal data longer than necessary and will securely destroy or return it upon request.

Ensure Restricted Transfers comply with SCCs or an Alternative Transfer Mechanism.

4. Customer Responsibilities

Customer is responsible for:

Ensuring its use of the Services complies with Applicable Data Protection Legislation.
Providing necessary notices and obtaining consents from data subjects.

Notifying Bevy if its instructions would violate any data protection laws.


5. Limitation of Liability

Any claims related to this DPA shall be subject to the limitations of liability outlined in the SaaS Agreement.

6. Permitted Disclosures

Each party may disclose the SCCs, DPA, and privacy-related provisions to a regulator upon request.

7. Governing Law and Jurisdiction

This DPA is governed by the same laws as the SaaS Agreement, unless required otherwise by Applicable Data Protection Legislation.