Data Processing Addendum (DPA)
Effective: 2026-07-01 · This DPA forms part of the Terms between [Operator Legal Entity — set LEGAL_ENTITY_NAME] ("Processor") and you ("Controller").
1. Roles
For personal data of YOUR customers/leads processed through bnoula, you are the Controller and we are the Processor. For our own account/billing data we are the Controller (see Privacy Policy).
2. Scope & instructions
We process such data only on your documented instructions and to provide the Service, and will inform you if an instruction appears to infringe applicable data-protection law.
3. Confidentiality & security
Authorized personnel are bound by confidentiality. We apply appropriate technical/organizational measures (TLS in transit; AES-256-GCM for secrets/tokens at rest; access controls; audit logging; rate limiting) — see Privacy §7.
4. Sub-processors
You authorize the sub-processors in the Sub-processor List. We bind them to terms no less protective than this DPA and remain responsible for them. We give notice of changes; you may object on reasonable data-protection grounds.
5. Data-subject requests & breach
We assist you (per the nature of processing) to respond to data-subject requests, and notify you without undue delay after becoming aware of a personal-data breach affecting your data.
6. International transfers
Where data leaves its origin region, appropriate safeguards apply (e.g. EU Standard Contractual Clauses; the EU adequacy decision recognizing Israel, where relevant).
7. Deletion / return & audit
On termination we delete or return your customers' personal data within a reasonable period, except where retention is legally required (see Retention Policy). We make available information necessary to demonstrate compliance and allow reasonable audits.
You remain responsible for a lawful basis and required consents for the data you process and the messages you send.