# Data Processing Agreement (DPA)

**Between:**  
**Customer** ("Controller") — the entity identified in the Order Form or Billslash Reach account.

**and**

**Billslash, Inc.**, a Delaware corporation with offices at 2261 Market Street #4854, San Francisco, CA 94114, USA ("Processor", "we", "Billslash").

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Billslash Reach Terms of Service ("Agreement") between the parties. It applies to the extent Billslash processes Personal Data on behalf of Customer in providing the Billslash Reach service (the "Service").

---

## 1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement, the GDPR, or the CCPA/CPRA, as applicable.

- **"Personal Data"** means information relating to an identified or identifiable natural person processed by Billslash on behalf of Customer through the Service.
- **"Sub-processor"** means a third party engaged by Billslash to process Personal Data on Customer's behalf.
- **"Applicable Data Protection Law"** means GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, and other privacy laws applicable to processing under this DPA.

## 2. Scope and roles

Customer is the Controller (or Business under CCPA). Billslash is the Processor (or Service Provider under CCPA) and processes Personal Data only on documented instructions from Customer, including those set out in the Agreement and this DPA.

## 3. Nature, purpose, duration and categories

- **Subject matter:** provision of the Billslash Reach CRM and outreach service.
- **Duration:** for the term of the Agreement plus any retention period set out in our Data Retention & Deletion Policy.
- **Categories of data subjects:** Customer's users (employees, contractors) and the leads/contacts Customer chooses to upload or contact.
- **Categories of Personal Data:** name, business email, phone, job title, company, postal address, IP address, browser metadata, content of email outreach and replies, and integration tokens where Customer connects third-party accounts.
- **Special categories:** none expected; Customer must not upload special-category data without prior written agreement.

## 4. Billslash obligations

1. Process Personal Data only on Customer's documented instructions.
2. Ensure persons authorized to process Personal Data are under a duty of confidentiality.
3. Implement appropriate technical and organizational measures (see Annex II).
4. Assist Customer in responding to data-subject requests.
5. Assist Customer with DPIAs and prior consultations where required.
6. Notify Customer without undue delay (and in any event within **48 hours**) after becoming aware of a Personal Data Breach.
7. At the end of the Agreement, delete or return Personal Data per the Data Retention & Deletion Policy.
8. Make available all information necessary to demonstrate compliance and allow for audits.

## 5. Sub-processors

Customer authorizes Billslash to engage the sub-processors listed in **Annex III** and any future sub-processors notified to Customer at least **30 days** in advance, subject to Customer's right to reasonably object. Billslash imposes data-protection obligations on each sub-processor that are no less protective than this DPA.

## 6. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum by reference, with the following selections: Clause 7 (docking) applies; Clause 9 option 2 (general authorization for sub-processors, 30-day notice); Clause 11 (no independent dispute resolution body); Clause 17 option 1, governing law: Ireland; Clause 18, courts of Ireland.

## 7. CCPA / CPRA terms

Billslash will not (a) sell or share Personal Data, (b) retain, use, or disclose it outside the direct business relationship, or (c) combine it with information received from other sources, except as permitted by CCPA §1798.140(ag)(1). Billslash certifies it understands and will comply with these restrictions.

## 8. Audits

Customer may, on 30 days' written notice and no more than once per year (more often after a Personal Data Breach), request a copy of Billslash's most recent third-party audit reports (e.g., SOC 2 once available) and reasonable written responses to a security questionnaire. On-site audits are at Customer's expense and subject to confidentiality.

## 9. Liability and conflicts

The liability provisions of the Agreement apply to this DPA. In case of conflict, this DPA prevails for matters of data protection only.

---

## Annex I — Description of processing

| Item | Detail |
|---|---|
| Subject matter | Billslash Reach CRM & outreach service |
| Nature | Storage, transmission, organization, retrieval, deletion |
| Purpose | Providing the Service under the Agreement |
| Data subjects | Customer's authorized users and the contacts Customer manages |
| Data categories | Identification, contact, professional, communications metadata and content, IP/log data |
| Duration | Term of the Agreement + retention windows in the Data Retention Policy |

## Annex II — Technical and organizational measures

- TLS 1.2+ in transit; AES-256 at rest (managed by Lovable Cloud / Supabase / Cloudflare R2)
- Role-based access control with least privilege; production access limited to named personnel
- MFA required for all administrative accounts
- Row-Level Security on customer-data tables
- Audit logging of administrative actions (24-month retention)
- Centralized secret management; quarterly secret-rotation drill
- Automated dependency vulnerability scanning on every deploy
- Encrypted, geographically redundant backups with 35-day rolling retention
- Documented Incident Response Plan; tabletop exercise annually
- Background checks and confidentiality agreements for employees with production access

## Annex III — Authorized sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Lovable Cloud (Supabase, Inc.) | Database, auth, file storage, edge runtime | US |
| Cloudflare, Inc. | CDN, DDoS protection, edge compute, object storage | Global |
| Stripe, Inc. | Payment processing | US |
| Resend (Resend Inc.) | Transactional email delivery | US |
| Sentry (Functional Software, Inc.) | Error monitoring | US |

A current list is maintained at https://reach.billslash.app/legal/retention and notified to Customer in advance of any change.

---

**To execute this DPA**, Customer should sign and return it to `legal@billslash.app`. We will countersign and send a fully-executed PDF for your records.

| Customer | Billslash, Inc. |
|---|---|
| Name: ______________________ | Name: ______________________ |
| Title: ______________________ | Title: ______________________ |
| Date: ______________________ | Date: ______________________ |
| Signature: __________________ | Signature: __________________ |
