Data Processing Agreement
Standard DPA template for bizbot partners, vendors, and data processors.
Data Processing Agreement (DPA)
Effective Date: April 15, 2026
Between: bizbot Technology LLC (Data Controller) and [Partner/Vendor Name] (Data Processor)
1. PURPOSE AND SCOPE
This DPA governs the processing of personal data by the Data Processor on behalf of bizbot Technology LLC. This agreement is separate from and supplementary to any other agreement between the parties.
2. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR and CCPA/CPRA.
Data Subject: The individual to whom personal data relates.
Processing: Any operation performed on personal data, including collection, recording, storage, modification, sharing, or deletion.
3. ROLE OF THE DATA PROCESSOR
The Data Processor shall:
- Process personal data only on documented instructions from the Data Controller
- Ensure that persons authorized to process personal data are committed to confidentiality
- Implement appropriate technical and organizational measures for data security
- Assist the Data Controller in meeting data subject rights requests
- Maintain records of processing activities as required by law
- Report any personal data breach without undue delay (max 72 hours)
- Delete or return personal data upon termination unless law requires retention
4. SUB-PROCESSORS
The Data Processor shall not engage sub-processors without prior written authorization from the Data Controller. Sub-processors must also be bound by this DPA or equivalent protections.
Current sub-processors may include: Google Sheets, Stripe, Anthropic API, Brevo (email), Twilio (SMS/voice), Retell AI (voice transcription).
5. DATA SUBJECT RIGHTS
The Data Processor shall, without undue delay, provide the Data Controller with assistance in responding to:
- Requests to access personal data
- Requests to delete personal data
- Requests to correct inaccurate personal data
- Requests to restrict processing
- Requests to receive personal data in portable format (data portability)
- Requests to opt-out of automated decision-making
6. DATA SECURITY
The Data Processor shall implement measures appropriate to the level of risk, including:
- Encryption of personal data in transit (TLS/SSL) and at rest
- Access controls and authentication (passwords, API keys, MFA)
- Regular security assessments and penetration testing
- Incident response procedures
- Employee data protection training
- Restricted access to personal data on need-to-know basis
7. BREACH NOTIFICATION
The Data Processor shall notify the Data Controller without undue delay (no later than 72 hours) of any known or suspected personal data breach, including:
- Categories and approximate number of data subjects affected
- Categories and approximate amount of personal data involved
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Breach notification procedures and contact
8. AUDITS AND INSPECTIONS
The Data Controller has the right to audit the Data Processor's compliance with this DPA, including:
- On-site inspections (with 10 business days notice)
- Review of security controls and documentation
- Third-party audit reports (SOC 2, ISO 27001, etc.)
9. DATA TRANSFER (International)
If personal data is transferred outside the country of origin, the Data Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved adequacy decisions.
10. TERMINATION AND DATA HANDLING
Upon termination of this DPA or the underlying agreement:
- The Data Processor shall cease processing unless instructed otherwise
- The Data Processor shall delete or return personal data within 30 days unless law requires retention
- The Data Processor shall certify in writing that deletion/return is complete
11. INDEMNIFICATION
The Data Processor shall indemnify bizbot Technology LLC against claims arising from the Data Processor's failure to comply with this DPA or applicable data protection laws.
12. LIABILITY
The Data Processor's liability under this DPA shall not exceed the fees paid or payable under the underlying agreement in the 12 months preceding the claim.
13. GOVERNING LAW
This DPA shall be governed by and construed in accordance with the laws of California, without regard to its conflict of law principles.
14. ENTIRE AGREEMENT
This DPA, together with the underlying agreement, constitutes the entire agreement between the parties regarding data processing and supersedes all prior agreements.
15. AMENDMENTS
bizbot Technology LLC may amend this DPA upon 30 days written notice to the Data Processor. Continued use of the service constitutes acceptance of amendments.
SIGNATURE
bizbot Technology LLC
EIN: 42-1842381
By: _________________________________ Date: __________
Name: _____________________________
Title: ______________________________
[Data Processor Name]
By: _________________________________ Date: __________
Name: _____________________________
Title: ______________________________
How to Use This Template
This DPA applies to: All partners, vendors, and service providers who process personal data on behalf of bizbot, including affiliate partners, payment processors (Stripe), communication platforms (Google Sheets, SendGrid), and API providers (Anthropic).
Step 1: Customize
Fill in [Data Processor Name] with the specific partner name. Review Section 4 (Sub-Processors) and add any not listed.
Step 2: Review
Have both parties' legal representatives review and approve the DPA.
Step 3: Execute
Both parties sign and date the agreement. Retain signed copies for compliance records.
Step 4: Maintain
Store DPAs in a centralized compliance folder. Update sub-processor list annually or when changes occur.
Related Documents
- Privacy Policy — bizbot's data practices
- Terms of Service — Overall service agreement
- CCPA/CPRA Rights — California privacy rights