Data Processing Addendum
Last updated: May 24, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Billslash, Inc. ("Processor") and the Customer ("Controller") and governs the processing of Personal Data submitted to the Service. It incorporates the EU Standard Contractual Clauses (Module 2: Controller-to-Processor, Commission Decision 2021/914) where required.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings in Article 4 GDPR. "UK GDPR" and "Swiss FADP" are incorporated by reference where applicable.
2. Roles
The Customer is the Controller of Personal Data submitted to the Service (including data about its team and its contacted recipients). Billslash is the Processor and acts only on documented instructions from the Customer.
3. Subject Matter, Duration, Nature & Purpose
- Subject matter: Provision of the Reach CRM and email outreach platform.
- Duration: The term of the Customer's subscription plus the deletion window in §10.
- Nature & purpose: Hosting, sending, tracking, and analyzing communications initiated by the Controller.
- Categories of Data Subjects: Customer's employees and the recipients (leads/contacts) the Customer contacts.
- Categories of Personal Data: Name, business email, phone, job title, company, IP address, message content, opens, clicks, bounces.
4. Processor Obligations
- Process Personal Data only on the Controller's documented instructions, including via configuration of the Service.
- Ensure persons authorized to process the Personal Data are under a duty of confidentiality.
- Implement appropriate technical and organizational measures (see §7).
- Assist the Controller in fulfilling Data Subject requests (Articles 12–22 GDPR).
- Notify the Controller without undue delay of any Personal Data Breach (see §8).
5. Sub-processors
The Customer authorizes Billslash to engage the sub-processors listed at privacy@billslash.app (current list available on request), including Cloudflare, Supabase, Resend, and Stripe. Billslash will give the Customer at least 30 days' notice of any new sub-processor and a right to object on reasonable data-protection grounds.
6. International Transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree the EU Standard Contractual Clauses (Module 2) are incorporated by reference, with Clause 7 (docking) and Option 2 of Clause 9(a) (general written authorization, 30 days). UK and Swiss addenda apply where relevant.
7. Security Measures (Annex II)
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security enforced at the database layer.
- Role-based access control with least privilege.
- Audit logging of administrative actions (24-month retention).
- Annual penetration testing and quarterly backup restore drills.
- Background checks and confidentiality agreements for personnel.
- Vendor risk reviews and signed DPAs with all sub-processors.
8. Personal Data Breach
Billslash will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting the Controller's data, with the information required by Article 33(3) GDPR.
9. Audits
On reasonable notice (at least 30 days) and at the Controller's expense, Billslash will make available information necessary to demonstrate compliance with this DPA, including current SOC 2-style reports where available. On-site audits are limited to once per 12 months, conducted during business hours, and subject to confidentiality.
10. Return & Deletion
On termination, the Controller may export Customer Data for 30 days. Thereafter Billslash will delete all Personal Data within 90 days, except where retention is required by law.
11. Liability
The liability cap in §11 of the Terms of Service applies to claims under this DPA.
12. Signature
This DPA is incorporated into the Terms of Service. By using the Service, the Controller accepts it; no separate signature is required. A countersigned PDF is available on request at legal@billslash.app.