Data Processing Addendum (DPA)

Effective: 2026-07-01 · This DPA forms part of the Terms between [Operator Legal Entity — set LEGAL_ENTITY_NAME] ("Processor") and you ("Controller").

1. Roles

For personal data of YOUR customers/leads processed through bnoula, you are the Controller and we are the Processor. For our own account/billing data we are the Controller (see Privacy Policy).

2. Scope & instructions

We process such data only on your documented instructions and to provide the Service, and will inform you if an instruction appears to infringe applicable data-protection law.

3. Confidentiality & security

Authorized personnel are bound by confidentiality. We apply appropriate technical/organizational measures (TLS in transit; AES-256-GCM for secrets/tokens at rest; access controls; audit logging; rate limiting) — see Privacy §7.

4. Sub-processors

You authorize the sub-processors in the Sub-processor List. We bind them to terms no less protective than this DPA and remain responsible for them. We give notice of changes; you may object on reasonable data-protection grounds.

5. Data-subject requests & breach

We assist you (per the nature of processing) to respond to data-subject requests, and notify you without undue delay after becoming aware of a personal-data breach affecting your data.

6. International transfers

Where data leaves its origin region, appropriate safeguards apply (e.g. EU Standard Contractual Clauses; the EU adequacy decision recognizing Israel, where relevant).

7. Deletion / return & audit

On termination we delete or return your customers' personal data within a reasonable period, except where retention is legally required (see Retention Policy). We make available information necessary to demonstrate compliance and allow reasonable audits.

You remain responsible for a lawful basis and required consents for the data you process and the messages you send.

Document version 2026-07-01

bnoula - Multi-Industry Business Management