Data Processing
Agreement.
This DPA governs how Baseerat processes personal data on your behalf. It supplements our Terms of Service and Privacy Policy.
Definitions
"Controller" means you, the customer who determines the purposes and means of processing personal data. "Processor" means Baseerat, Inc., which processes personal data on behalf of the Controller. "Data Subject" means any identified or identifiable natural person whose personal data is processed. "Personal Data" means any information relating to a Data Subject. "Processing" means any operation performed on personal data.
Scope & Purpose
This DPA applies to all personal data that Baseerat processes on your behalf in connection with the Baseerat service. We process personal data solely to provide the Service as described in our Terms of Service. We do not process personal data for our own purposes, except as required to maintain and improve the Service infrastructure.
Data Processing Details
Categories of data subjects: your customers, leads, prospects, and business contacts. Types of personal data: names, email addresses, phone numbers, company information, communication history, and any custom fields you configure. Processing activities: storage, retrieval, organization, analysis (for features like lead scoring), and transmission (for features like email and messaging).
Security Measures
We implement and maintain appropriate technical and organizational measures including: encryption at rest (AES-256) and in transit (TLS 1.3); access controls with principle of least privilege; multi-factor authentication for all production access; regular penetration testing; SOC 2 Type II certification; employee security training; incident response procedures with 24/7 on-call rotation.
Sub-processors
We use sub-processors to deliver the Service. Current sub-processors: Amazon Web Services (infrastructure), Vercel (application hosting), Stripe (payment processing), Sendgrid (email delivery), Twilio (SMS delivery). We maintain a list of sub-processors at baseerat.app/legal/sub-processors. We notify you at least 30 days before adding a new sub-processor. You may object within 14 days.
Data Subject Rights
We assist you in fulfilling data subject requests including: access, rectification, erasure, data portability, restriction of processing, and objection to processing. We provide self-service tools for most requests. For requests we cannot fulfill through the UI, contact [email protected]. We respond within 72 hours.
Data Breach Notification
We notify you of a personal data breach without undue delay, and in any event within 72 hours of becoming aware. Notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. We cooperate with your breach notification obligations.
International Transfers
If personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. We conduct transfer impact assessments for each destination country. EU data residency is available upon request (contact us to enable it).
Audit Rights
You may audit our compliance with this DPA once per year with 30 days' written notice. Audits may be conducted by you or a mutually agreed third-party auditor bound by confidentiality. We provide our SOC 2 Type II report as an alternative to on-site audits. Additional audit costs are borne by you.
Term & Termination
This DPA remains in effect for the duration of your subscription. Upon termination, we delete or return all personal data within 30 days, at your choice. We provide a data export tool for this purpose. Backup copies are purged within 90 days of account termination.
To execute this DPA, send a signed copy to [email protected]. We countersign within 5 business days.
Download DPA (PDF) ↓