Data Processing Addendum

Effective Date: May 18, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between:

BUSYBUDDY, LLC (“Processor”)
The customer agreeing to the Terms (“Controller”).

1. Purpose

This DPA governs the processing of Personal Data by BusyBuddy on behalf of the Controller in connection with the provision of CRM software and related services (the “Services”).

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Controller: The entity that determines the purposes and means of processing Personal Data.
Processor: BusyBuddy, which processes Personal Data on behalf of the Controller.
Subprocessor: Any third party engaged by Processor to process Personal Data.

Definitions shall align with the EU General Data Protection Regulation (GDPR), UK GDPR, and similar applicable laws.

3. Scope of Processing

3.1 Nature and Purpose

Processor provides CRM software that enables Controller to:

Store and manage contact information
Import and receive lead data (including via Meta Lead Ads and API integrations)
Track sales activities and payments
Sync data with third-party services connected by Controller

3.2 Categories of Data Subjects

Customers of Controller
Leads/prospects
Employees or representatives of Controller
Website visitors

3.3 Categories of Personal Data

May include:

Name
Email address
Phone number
Company information
Marketing metadata (e.g., campaign IDs)
Payment-related customer information (if integrated)
Device/IP information (if applicable)

3.4 Duration

Processor will process Personal Data for the duration of the Agreement unless otherwise required by law.

4. Processor Obligations

Processor shall:

Process Personal Data only on documented instructions from Controller.
Ensure personnel are subject to confidentiality obligations.
Implement appropriate technical and organizational security measures.
Assist Controller in responding to data subject rights requests.
Assist Controller in complying with GDPR Articles 32–36 (security, breach notification, DPIA).
Notify Controller without undue delay after becoming aware of a Personal Data Breach.
Delete or return Personal Data upon termination, unless retention is required by law.

5. Subprocessors

Controller authorizes Processor to engage Subprocessors.

Processor shall:

Maintain a list of Subprocessors.
Ensure Subprocessors are bound by data protection obligations equivalent to this DPA.
Remain liable for Subprocessor compliance.

Typical Subprocessors may include:

Cloud hosting providers
Email delivery providers
Payment processors
Infrastructure providers
Analytics providers

6. International Data Transfers

If Personal Data is transferred outside the EEA, UK, or other restricted jurisdictions, Processor shall implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs)
UK International Data Transfer Addendum (where applicable)
Other lawful transfer mechanisms

The SCCs (latest approved version) are incorporated by reference where required.

7. Data Subject Rights

Processor shall, to the extent legally permitted:

Notify Controller of any request received directly from a data subject.
Not respond directly unless authorized.
Provide reasonable assistance in fulfilling requests for access, correction, deletion, portability, restriction, and objection.

8. Security Measures

Processor implements appropriate technical and organizational measures, including:

Encrypted data transmission (HTTPS/TLS)
Access controls
Role-based permissions
Data isolation between customer accounts
Monitoring and logging
Secure cloud infrastructure

9. Deletion & Return of Data

Upon termination of Services:

Controller may export its data.
Processor shall delete Personal Data within 30 days, unless legally required to retain it.

10. Liability

Liability under this DPA shall be subject to the limitations set forth in the main Terms of Service.

11. Governing Law

This DPA shall be governed by the law specified in the main Agreement.