Data Processing Addendum
Effective April 30, 2026. This DPA forms part of the Terms of Service (or the signed MSA, if any) between B&G Solutions ("Processor") and the Customer ("Controller") identified in the order record. See also the Privacy Policy and Acceptable Use Policy.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms or Privacy Policy. "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Sub-processor" have the meanings given by applicable U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA (Montana), TIPA, ICDPA (Iowa), DPDPA, NJDPA, NHDPA, MODPA, the Minnesota Consumer Data Privacy Act, RIDTPPA) and, where the parties so agree in writing, the EU/UK GDPR.
2. Roles & scope
Controller (Customer) determines the purposes and means of Processing for Personal Data of its End Users. Processor (Company) Processes such Personal Data only on Controller's documented instructions, which include the Terms, the Privacy Policy, this DPA, the Acceptable Use Policy, the dashboard configurations Controller selects, and lawful written instructions Controller transmits to [email protected]. If Processor reasonably believes an instruction violates law, it will notify Controller and may pause the affected Processing.
Processor is an independent Controller for its own business records (Customer billing, support communications, audit logs).
3. Categories of Data Subjects & Personal Data
- Data Subjects: Controller's customers and prospects (homeowners, property managers, occupants, callers, reviewers).
- Identifiers: name, phone number, email, address (when provided for dispatch).
- Communications: inbound and outbound voice-call audio and transcripts, SMS content, email content, web-form submissions.
- Commercial: booking details, job notes, review content and ratings, payment status (without card numbers).
- Usage: timestamps, duration, interaction outcomes, identifiers used to deduplicate or match contacts.
Processing is limited to (i) operating the Service described in the Terms, (ii) providing Controller-requested support, (iii) detecting and preventing fraud and abuse, (iv) enforcing the AUP, (v) complying with law, and (vi) creating de-identified, aggregated analytics for Service improvement.
4. Controller obligations
Controller represents and warrants that it has (a) a lawful basis to collect and forward Personal Data to Processor; (b) provided required notices and obtained required consents — including for SMS marketing under TCPA, for call recording where state law requires all-party consent, and for any other Processing that requires consent; (c) accurate and current DNC, opt-out, and reassigned-number records; and (d) not directed Processor to Process Personal Data outside the categories listed above. Controller will promptly notify Processor of any Data Subject right request that requires Processor's action.
5. Processor obligations
- Process Personal Data only on documented Controller instructions (per Section 2);
- Maintain confidentiality obligations on personnel authorized to Process Personal Data;
- Implement and maintain the technical and organizational security measures in Annex A;
- Assist Controller in responding to Data Subject rights requests within 7 business days of receipt;
- Assist Controller with data-protection assessments where reasonably required by law;
- Make available, on request, the information reasonably necessary to demonstrate compliance with this DPA, no more than once per twelve-month period (subject to confidentiality);
- Not "sell" or "share" Personal Data within the meaning of CCPA/CPRA, and not retain, use, or disclose Personal Data for any purpose other than as set out in this DPA or as required by law (and in particular, not for cross-context behavioral advertising);
- Not combine Personal Data received from Controller with Personal Data from any other source, except to deliver the Service to Controller; and
- On termination, delete or return all Personal Data within 30 days, except as retained per the Privacy Policy retention schedule or as required by law.
The parties acknowledge Processor is a "service provider" under CCPA/CPRA and a "processor" under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA (Montana), TIPA, ICDPA (Iowa), DPDPA, NJDPA, NHDPA, MODPA, the Minnesota Consumer Data Privacy Act, and RIDTPPA, with the certifications and restrictions required by those statutes.
6. Sub-processors
Controller authorizes Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Twilio, Inc. | Voice & SMS transport | United States |
| Stripe, Inc. | Payment processing | United States |
| Anthropic PBC | AI reasoning & analysis (no training) | United States |
| X.AI Corp. (xAI) | AI drafting & classification (no training) | United States |
| Google LLC | GBP & calendar APIs where authorized | United States |
| Cloudflare, Inc. | DNS & static-asset hosting | United States |
Processor will give Controller at least 30 days' notice before adding or replacing a Sub-processor. Controller may object on reasonable data-protection grounds within that window. If the parties cannot reach a resolution, Controller may terminate the affected portion of the Service without penalty. Processor remains liable for the acts and omissions of its Sub-processors as if they were Processor's own.
7. International transfers
All current Sub-processors are located in the United States, and Personal Data does not leave the United States in the normal course of Service operation. If a transfer outside the United States becomes necessary in the future, the parties will execute a lawful transfer mechanism (such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-U.S. Data Privacy Framework, or another mechanism approved by applicable law), which is incorporated into this DPA by reference upon execution.
8. Security & breach notification
Processor maintains the technical and organizational measures described in Annex A. Processor will notify Controller of a confirmed Personal Data breach without undue delay and in any event within 72 hours of discovery, with the information reasonably available, and will provide updates as more is learned. The notice is not an acknowledgment of fault or liability.
9. Audit
Once per twelve-month period, Controller may submit a written information-security questionnaire (CAIQ-Lite or equivalent), and Processor will respond within 30 days. On-site or third-party audit rights apply only where required by a regulator or by a binding contract with a downstream Data Subject's regulator, are conducted at Controller's expense, are subject to mutual NDA, and are scheduled with at least 30 days' notice during business hours, no more than once per year, and not in a way that disrupts the Service or other customers.
10. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms (and, if signed, the MSA). For the avoidance of doubt, this DPA does not increase the cap or expand the categories of recoverable damages.
11. Order of precedence & governing law
If there is a conflict between this DPA and the Terms (or MSA), this DPA controls solely with respect to Processing of Personal Data. This DPA is governed by the laws of the State of Georgia, USA, except that the substantive privacy obligations imposed by the law of a Data Subject's residence apply to the extent legally required.
Annex A — Security measures
- Access control. Authenticated sessions for all administrative surfaces; per-user access and audit logging; least-privilege internal access.
- Encryption. TLS for all data in transit; database and backup encryption at rest (FileVault for primary storage, age for backups); secrets stored outside source code.
- Network. Front-door behind reverse proxy with WAF; outbound calls limited to allow-listed APIs; production isolated from development.
- Operations. Source control with reviewed deploys; automated tests; nightly encrypted backups with offline copy.
- Personnel. Confidentiality obligations on all personnel and contractors; background context appropriate to role.
- Incident response. Documented runbook; 72-hour notification commitment; root-cause analysis.
- Vendor diligence. Sub-processors selected against published security and privacy commitments; reviewed annually.
If your legal team requires additional clauses (HIPAA BAA, EU SCCs, UK IDTA, sector-specific addenda, FedRAMP), email them to us. We will review and, where commercially reasonable, sign a mutually acceptable version.
Questions: [email protected] · Last updated April 30, 2026