Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by Bulsu Labs ("Processor") on behalf of a customer ("Controller") under a signed statement of work ("SOW"). It forms part of our Terms of Service and is required by Article 28 GDPR.
This DPA takes effect automatically when Bulsu Labs processes personal data of Controller's data subjects as part of delivering services. Customers with specific DPA needs (e.g. a signed version, custom SCCs) may email info@bulsulabs.com.
1. Definitions
Terms used in this DPA have the meanings given in Article 4 GDPR: "personal data", "processing", "data subject", "controller", "processor", "personal data breach". "Sub-processor" is not defined in Article 4; in this DPA it means any other processor engaged by Processor to carry out processing on behalf of Controller, as referred to in Article 28(2) and 28(4) GDPR.
2. Subject matter and duration
The subject matter is the processing of personal data as described in the applicable SOW and Annex 1 of this DPA. The duration is the term of the engagement plus any period during which we are legally required to retain data (e.g. for tax records).
3. Nature and purpose of processing
We process personal data solely to perform the services agreed in the SOW, for example to build, test, and maintain automations that operate on Controller's CRM, finance, or support data. We do not use personal data for any other purpose.
4. Categories of data subjects and data
See Annex 1 below for categories of data subjects, types of personal data, and processing activities. Specific scope is further defined in each SOW.
5. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorized to process personal data are under appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures (see Annex 2).
- Not engage any sub-processor without Controller's prior general or specific authorization (see Section 7).
- Assist the Controller, to the extent reasonably possible, in responding to data subject rights requests.
- Notify Controller of a personal data breach without undue delay, and in any event within 48 hours of becoming aware of it, so that Controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33(1) GDPR.
- Assist with data protection impact assessments and consultations with supervisory authorities, where required.
- Upon termination, at Controller's choice, delete or return all personal data, unless retention is required by law.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 9).
6. International transfers
Where personal data is transferred outside the European Economic Area, we rely on a transfer mechanism under Chapter V GDPR: an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented where necessary by additional safeguards, or an equivalent mechanism. A list of current sub-processors and the transfer mechanism relied on for each is available on request.
7. Sub-processors
Controller grants general authorization for Processor to engage sub-processors in the categories listed in Annex 3; the current list of named sub-processors is available on request. We will notify Controller at least 30 days before engaging a new sub-processor. Controller may object on reasonable data protection grounds. If we cannot accommodate the objection, Controller may terminate the engagement.
8. AI model providers
Where an SOW involves AI/LLM processing, we use providers that:
- Offer a no-training guarantee on API inputs and outputs.
- Provide appropriate GDPR safeguards (DPA, SCCs).
- Retain API data only for short-term abuse monitoring, with configurable retention where available.
Controller is informed of the specific AI providers used in their engagement and may request alternatives where commercially reasonable.
9. Audit
Upon reasonable written notice (at least 30 days), Controller may audit Processor's compliance with this DPA, no more than once per 12 months, during normal business hours, and in a manner that does not disrupt Processor's operations. Audits may be performed remotely by reviewing documentation, policies, and third-party attestations. Where an on-site audit is strictly required by law, costs are borne by the Controller unless a material violation is found.
10. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service, except where mandatory under Article 82 GDPR.
11. Term and termination
This DPA remains in force for as long as Processor processes personal data on behalf of Controller. Upon termination, Processor will delete or, at Controller's choice, return personal data within 30 days, except where retention is required by law, in which case the retained data remains subject to this DPA until it is deleted.
Annex 1 · Processing details
- Categories of data subjects: Controller's employees, contractors, customers, prospects who have opted in, and other individuals whose data is in the systems covered by the SOW.
- Types of personal data: Typically name, email, phone, job title, company, interaction history. Specific categories are defined per SOW.
- Special category data: Not processed unless expressly agreed in writing with additional safeguards.
- Processing operations: Collection, structuring, storage, adaptation, retrieval, use, disclosure by transmission, erasure.
- Location of processing: EU by default; specific sub-processors may be elsewhere (see Annex 3).
- Retention: Duration of the engagement, plus any period required by the SOW or by law.
Annex 2 · Technical and organizational measures
- Encryption in transit (TLS 1.2+) and at rest for stored personal data.
- Access control: role-based access, principle of least privilege, 2FA on all accounts handling personal data.
- Credentials stored in a secret manager; never stored in plain text, email, or code repositories.
- Logging and monitoring of access to personal data; logs retained for 90 days.
- Secure software development practices (code review, dependency scanning, environment separation).
- Incident response procedure with 48-hour breach notification target.
- Regular backups with encryption; tested restoration at least annually.
- Employee training on data protection at onboarding and annually thereafter.
- Written confidentiality obligations for all staff and contractors.
Annex 3 · Approved sub-processors
We maintain a current list of named sub-processors, available on request. Typical categories include:
- Cloud hosting & email infrastructure (EU region where possible).
- Secret management & source code repository.
- AI model providers (with no-training guarantees).
- Payment processing.
- Accounting and invoicing.
Each sub-processor is bound by a DPA providing protections substantially equivalent to those in this document.
Contact
Data protection questions: info@bulsulabs.com.