Data Processing Agreement

Effective: March 4, 2026

Last Updated: March 4, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Bhoaz, LLC ("Processor") and the Client ("Controller") for data processing services.

2. Definitions

  • Personal Data: Information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data
  • Sub-processor: Third party engaged by Processor to process Personal Data

3. Scope of Processing

3.1 Subject Matter

Processing of Personal Data as necessary to provide the contracted services.

3.2 Duration

Processing continues for the duration of the service agreement.

3.3 Types of Data

  • Contact information
  • Account credentials
  • Project-related data
  • Communications

3.4 Data Subjects

  • Client employees
  • Client customers (if applicable)
  • End users of developed software

4. Processor Obligations

The Processor shall:

  • Process data only on documented instructions
  • Ensure personnel are bound by confidentiality
  • Implement appropriate security measures
  • Assist with data subject requests
  • Delete or return data upon termination
  • Make available information for audits

5. Security Measures

5.1 Technical Measures

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures

5.2 Organizational Measures

  • Staff training
  • Access limitation
  • Confidentiality agreements
  • Regular policy reviews

6. Sub-processors

6.1 Authorized Sub-processors

  • Stripe (payment processing)
  • Email service providers
  • Cloud infrastructure providers

6.2 Sub-processor Requirements

Sub-processors are bound by equivalent data protection obligations.

6.3 Changes

30 days' notice before engaging new sub-processors.

7. Data Subject Rights

Processor will assist Controller in responding to:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Portability requests
  • Objection requests

8. Data Breach

8.1 Notification

Processor will notify Controller within 72 hours of becoming aware of a data breach.

8.2 Information Provided

  • Nature of the breach
  • Categories and number of data subjects
  • Likely consequences
  • Measures taken or proposed

9. International Transfers

Personal Data may be transferred to the United States. Appropriate safeguards are in place including Standard Contractual Clauses.

10. Audit Rights

Controller may audit Processor's compliance with this DPA:

  • With reasonable notice
  • During business hours
  • At Controller's expense

11. Termination

Upon termination:

  • Processor deletes or returns all Personal Data
  • Deletion confirmed within 30 days
  • Backup deletion per retention schedule

12. Liability

Liability is governed by the main service agreement.

13. Governing Law

This DPA is governed by the laws of the State of Delaware, USA.

14. Contact

Data protection inquiries: privacy@bhoaz.com


ANNEX A: Technical and Organizational Measures

  1. Access Control
  2. Encryption
  3. Network Security
  4. Physical Security
  5. Incident Response
  6. Business Continuity
  7. Vendor Management
  8. Training and Awareness
