Data Processing Addendum
Data Processing Addendum (DPA) — Template
Business Pulse OS
Version: v1.0
Effective date: 2026-04-21
This Data Processing Addendum ("DPA") supplements the Subscription Agreement or Terms of Service in place between:
- BizzBee Solutions DOOEL, a company registered in Kavadarci, North Macedonia, operating Business Pulse OS (the "Sub-processor" or "BizzBee Solutions"), and
- [Customer legal name] (the "Customer" or "Consultant"), a company registered at [Customer address].
The Customer is the "Processor" of personal data under GDPR when acting for its own Clients. Where the Customer is acting for itself (for example, uploading its own business data), it is the "Controller".
1. Definitions
Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679). In addition:
- "Customer Personal Data" means any personal data that the Customer uploads, inputs, or transmits through Business Pulse OS.
- "Sub-sub-processor" means any third party engaged by the Sub-processor to process Customer Personal Data.
- "Services" means the Business Pulse OS software platform.
2. Subject matter and duration of processing
The Sub-processor processes Customer Personal Data for the sole purpose of providing the Services to the Customer, for the duration of the Subscription Agreement plus the 90-day grace period after termination.
3. Nature and purpose of processing
Storage, transmission, backup, AI-assisted analysis, transcription, and administrative processing necessary to deliver the Services as described in our Privacy Policy and public documentation.
4. Types of personal data processed
- Account data: names, emails, profile metadata.
- Authentication data: password hashes, MFA secrets.
- Usage data: login timestamps, audit events, device metadata.
- Content uploaded by the Customer or its Clients: documents, notes, audio/video recordings, survey responses, any free-form text.
5. Categories of data subjects
- Customer's employees and contractors.
- Customer's Clients' employees and contractors.
- Any individual whose personal data the Customer or its Clients upload into the Platform.
6. Obligations of the Sub-processor
The Sub-processor shall:
- Process Customer Personal Data only on documented instructions from the Customer.
- Ensure that persons authorised to process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see Section 9).
- Assist the Customer in responding to data subject rights requests.
- Notify the Customer of personal data breaches without undue delay, within 72 hours of becoming aware.
- Delete or return Customer Personal Data on termination, subject to the grace period in Section 13.
- Make available to the Customer all information necessary to demonstrate compliance with this DPA.
- Allow for and contribute to audits as set out in Section 11.
7. Rights and obligations of the Customer
The Customer:
- Represents that it has a lawful basis to transfer Customer Personal Data to the Sub-processor.
- Is responsible for the accuracy, quality, and legality of Customer Personal Data.
- Is responsible for communicating with Data Subjects as the Controller or Processor (depending on the tier).
- Authorises the Sub-processor to engage the Sub-sub-processors listed in Section 8.
8. Sub-sub-processors
The current Sub-sub-processor list is published at https://businesspulseos.com/subprocessors (see the App Subprocessor List (L6)). The Customer may object to a new Sub-sub-processor under Section 14 of that list.
9. Security measures
The Sub-processor implements:
- Encryption in transit: TLS 1.3 between Customer and Platform; TLS 1.2 minimum between Platform and databases.
- Encryption at rest: AES-256 for database and file storage (Supabase default).
- Access control: role-based access with row-level security (RLS) enforcing tenant isolation. Service-role credentials limited to automated backend functions with explicit tenant filters.
- Authentication: 12-character password minimum, HIBP breached-password check, TOTP MFA available to all users.
- Audit logging: every security-significant action logged with actor attribution, retained for 2 years.
- Incident response: documented Incident Response Plan with 72-hour breach notification workflow.
- Backup and recovery: Supabase point-in-time recovery with annual restore test.
Full control documentation is available on request to security@businesspulseos.com.
10. Assistance with data subject rights
The Sub-processor provides tooling in the Platform for the Customer to access, export, correct, and delete data subject records. Where a request cannot be fulfilled in-product, the Sub-processor assists within 30 days of a written request.
11. Audit rights
The Customer (or its authorised auditor) may request, once per calendar year, documentation demonstrating the Sub-processor's compliance with this DPA. On-site audits require 60 days' written notice, must be scheduled outside peak operational periods, and are conducted at the Customer's expense. The Sub-processor may satisfy audit requests by providing current SOC 2 reports or equivalent certifications.
12. International transfers
The primary data centre is Supabase Frankfurt (EU). Specific processing operations involve international transfers as disclosed in the App Privacy Policy Section 13. Where personal data is transferred to a third country:
- Standard Contractual Clauses (SCCs) are incorporated by reference (Modules 2 and 3 as applicable).
- Where the destination is certified under the EU-US Data Privacy Framework (DPF), both SCCs and DPF apply; DPF takes precedence.
- AssemblyAI is accessed via its EU endpoint; US transfer is contractually prohibited.
13. Data return and deletion
On termination of the Subscription Agreement:
- Customer Personal Data remains accessible for 90 days during the grace period.
- At day 60 and day 85, automated reminders are sent to the Customer's billing contact.
- At day 90, all Customer Personal Data is hard-deleted from primary systems and purged from backups within the 14-day backup rotation.
- Audit logs relating to the Customer are retained for 2 years from the date of the action, then hard-deleted.
- On written request during the grace period, the Customer can download a full export (JSON of structured data plus original uploaded files in a ZIP).
14. Liability
Liability under this DPA is subject to the cap in the main Subscription Agreement.
15. Termination
This DPA terminates automatically with the underlying Subscription Agreement, subject to the deletion and audit-record provisions in Section 13.
16. Governing law
This DPA is governed by the laws of North Macedonia. Any dispute is resolved in the courts of Skopje.
Acceptance
This DPA is accepted electronically at signup via a consent checkbox covering the Terms of Service, Privacy Policy, and this DPA together. A copy of the accepted version is downloadable from Settings > Legal at any time.
Signed for BizzBee Solutions DOOEL: Dancho Dimkov, CEO, 2026-04-21 (electronic acceptance of v1.0).
Signed for Customer: [auto-populated from Customer account at electronic acceptance]