Data Processing Agreement
Effective May 22, 2026 · Version 1.0
This DPA describes how BAAM Review processes personal data on behalf of the business that signed up (the “Controller”). It is incorporated by reference into the Terms of Service and applies automatically — you don’t need to sign a separate document. If your legal team needs a counter-signed version, email privacy@baamplatform.com.
1. Definitions
Capitalized terms not defined here have the meaning given in the applicable data-protection law (GDPR Art. 4, CCPA §1798.140, or equivalent).
- Controller: the business account holder. The Controller decides why and how Customer Data is processed.
- Processor: BAAM Platform Inc. We process Customer Data only on the Controller’s documented instructions.
- Customer Data: personal data the Controller uploads to or generates through BAAM Review concerning its own customers (the Data Subjects).
- Data Subject: the end customer who receives the review-request, opens the review page, or interacts with the share card.
- Sub-processor: a third party engaged by us to process Customer Data.
2. Roles
With respect to Customer Data, the Controller is the controller and BAAM is the processor. With respect to account-administration data (your name, email, billing info), BAAM is the controller — see the Privacy Policy.
3. Scope, purpose, and duration
We process Customer Data only to provide the BAAM Review service: sending invitations, hosting the review-collection page, generating AI-assisted drafts, tracking outcomes, and reporting to the Controller. We process it for the duration of the Controller’s subscription plus the retention window described in §10.
4. Categories of data and Data Subjects
| Category | Examples | Data Subjects |
|---|---|---|
| Identification | Name, email, phone, postal address (optional) | The Controller’s customers |
| Communication metadata | Open, click, bounce timestamps; user agent | The Controller’s customers |
| Review-flow inputs | Services selected, star rating, descriptor, free-text note | The Controller’s customers |
| AI prompt / completion | The text the Data Subject provided + draft generated | The Controller’s customers |
| Referral attribution | Share-card token, source destination, conversion event | The Controller’s customers and recipients of share cards |
We do not process special-category personal data (race, religion, health, etc.) or government IDs. The Controller agrees not to upload such data through BAAM Review.
5. Processor obligations
BAAM will:
- Process Customer Data only on the Controller’s documented instructions (these terms + the Controller’s configured settings).
- Ensure that personnel authorized to process Customer Data are bound by confidentiality.
- Implement the technical and organizational measures listed in §7.
- Assist the Controller in responding to Data Subject Requests (§9).
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Data.
- Delete or return Customer Data at the end of the engagement, per §10.
- Make available to the Controller the information needed to demonstrate compliance, and allow for audits, per §11.
6. Sub-processors
The Controller authorizes BAAM to engage the following sub-processors:
| Sub-processor | Function | Location |
|---|---|---|
| Supabase, Inc. | Database, file storage, authentication | United States (AWS us-east) |
| Vercel Inc. | Application hosting and edge delivery | United States (multi-region) |
| Resend, Inc. | Transactional email delivery | United States |
| Twilio Inc. | Transactional SMS delivery | United States |
| Stripe, Inc. | Payment processing for subscription billing | United States |
| Anthropic PBC | AI-draft text generation | United States |
| Google LLC | Business Profile API (read-only with OAuth scope) | United States |
We may engage a new sub-processor with at least 30 days’ notice emailed to the Controller’s account email. If the Controller objects on reasonable data-protection grounds, the Controller may terminate the subscription and receive a pro-rata refund of unused prepaid fees.
We remain liable for the acts and omissions of our sub-processors with respect to Customer Data.
7. Security measures
BAAM maintains technical and organizational measures appropriate to the risk, including:
- Encryption: TLS 1.2+ in transit; AES-256 at rest (database, file storage, backups).
- Access control: least-privilege admin roles; 2FA enforced for any staff with database access; row-level security policies on customer-facing tables.
- Audit logging: authentication, admin actions, and export operations are logged centrally.
- Backups: daily encrypted backups stored in a separate region; tested quarterly.
- Secrets management: credentials stored in a managed secrets store, rotated on personnel change.
- Vendor security: all sub-processors are SOC 2 Type II certified or equivalent; we review their compliance reports annually.
- Vulnerability management: dependency scanning on every deploy; security patches applied within 7 days of high-severity advisories.
8. International data transfers
Customer Data is processed in the United States. For Data Subjects located in the EEA, UK, or Switzerland, the transfer is covered by the European Commission’s Standard Contractual Clauses (SCCs) Module Two (controller-to-processor). The SCCs are incorporated by reference; ask for an executed copy. For UK Data Subjects, the International Data Transfer Addendum to the EU SCCs applies.
9. Data Subject requests
If a Data Subject contacts BAAM directly, we refer them to the Controller. If a Data Subject contacts the Controller (e.g., asks to be deleted from a list), the Controller can fulfill the request through the admin app — opening a customer’s record exposes Delete and Export buttons. If the Controller needs help, email privacy@baamplatform.com and we’ll respond within 7 days.
10. Return or deletion of data
On termination of the engagement, the Controller may within 30 days export Customer Data via the admin app or by request. After that window:
- Customer Data is deleted from active production systems within 30 days.
- Encrypted backups containing Customer Data are retained for an additional 30 days and then permanently deleted in the next backup-rotation cycle.
- Aggregated, de-identified statistics may be retained indefinitely provided they cannot be re-identified.
11. Audits
BAAM makes the following available to the Controller on reasonable written request:
- This DPA and Privacy Policy.
- The current sub-processor list (§6).
- Sub-processor SOC 2 / ISO 27001 reports we receive from our vendors (under NDA).
- A summary of our annual security review, including penetration-test remediation status.
On-site audits are not standard at BAAM Review’s current scale. For Controllers with regulated data-protection audit requirements (e.g., financial-services or healthcare buyers), we can arrange a remote-audit session and answer a security questionnaire.
12. Liability
The liability cap and exclusions in §14 of the Terms of Service apply to this DPA.
13. Changes
We may update this DPA to reflect changes in law, technology, or our sub-processor list. Material changes are notified at least 30 days before they take effect; the version line at the top tracks every revision.
14. Contact
Questions about this DPA, security, or sub-processors:
privacy@baamplatform.com