Data Processing Addendum
Last updated May 29, 2026
1. Definitions
Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), UK GDPR, or Swiss FADP as applicable. “Personal Data,” “Controller,” “Processor,” “Sub-processor,” and “Data Subject” have those statutory meanings.
2. Subject Matter and Duration
Berchtold processes Personal Data to provide the Service for the duration of the Controller's subscription, plus a limited post-termination period for billing and legal hold purposes (see Section 14).
3. Nature and Purpose of Processing
We process Personal Data only to (a) operate the Service as contracted, (b) respond to Controller instructions, (c) comply with legal obligations, and (d) ensure the security and integrity of the platform.
4. Type of Personal Data
The categories of Personal Data we typically process include:
- Identification: names, email addresses, account credentials (hashed).
- Billing: postal addresses, tax IDs, last four digits of the payment card number, card brand and expiration. Full card numbers and CVCs are never seen by Berchtold; Stripe processes them as a PCI DSS Level 1 service provider.
- Usage: IP addresses, user agents, timestamps of in-app actions, rate-limit counters.
- Customer Content: any Personal Data the Controller chooses to upload, configure, or process through the Service (e.g. contact lists pulled from connected integrations).
5. Categories of Data Subjects
- The Controller's employees, contractors, and agents who access the Service.
- End customers, leads, or subscribers whose data the Controller imports via connected integrations (e.g. Mailchimp, ActiveCampaign, Google Analytics).
6. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis under the GDPR (or applicable law) for every category of Personal Data it instructs us to process.
- It will not provide us with special categories of data (Article 9 GDPR) unless explicitly agreed in writing.
- Documented instructions to Berchtold include this DPA, the Terms of Service, and any later written communication to [email protected].
7. Processor Obligations
Berchtold will:
- Process Personal Data only on documented Controller instructions, except as required by applicable law (and where law requires deviation, we will notify the Controller unless the law prohibits notice).
- Ensure personnel with access to Personal Data are bound by confidentiality obligations.
- Implement the technical and organisational measures set out in Annex 2 (Security Measures).
- Assist the Controller in responding to Data Subject Rights requests (Articles 12–22 GDPR) and in conducting Data Protection Impact Assessments (Article 35 GDPR) as reasonably required.
- Make available to the Controller the information necessary to demonstrate compliance, and contribute to audits as set out in Section 12.
8. Sub-processors
The Controller authorises Berchtold's engagement of the Sub-processors listed in Annex 1. We will give the Controller at least 30 days' notice (by email or in-app announcement) of any new Sub-processor engagement. The Controller may object on reasonable grounds, in which case the parties will work in good faith to resolve the objection; failing resolution, the Controller may terminate the Service.
Berchtold remains liable for the acts and omissions of its Sub-processors in the same manner as for its own.
9. International Transfers
Berchtold is established in the United States. Personal Data of EU/EEA, UK, and Swiss Data Subjects is transferred to the United States and, where Sub-processors host data elsewhere, to those jurisdictions.
For such transfers we rely on (a) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as applicable; (b) the UK International Data Transfer Addendum where the data exporter is UK-based; and (c) the equivalent Swiss FADP transfer instrument. The SCCs are deemed incorporated into this DPA by reference and prevail in the event of conflict.
10. Security Measures
See Annex 2 for the technical and organisational measures we maintain. We will not materially reduce these measures during the term of the subscription.
11. Data Subject Rights
Where the Controller cannot fulfil a Data Subject Rights request directly through the Service's self-serve tools (export/delete on Profile, member removal from Org admin), we will assist on reasonable written request to [email protected] and respond within 30 days.
12. Audits
On the Controller's written request (no more than once per 12-month period, except following a material security incident or as required by a supervisory authority), Berchtold will provide a copy of our most recent independent audit report (when available), our security questionnaire response, and answer reasonable follow-up questions. On-site audits are by mutual agreement and at the Controller's expense.
13. Data Breach Notification
We will notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach affecting the Controller's data. Notification will include the information required by Article 33(3) GDPR to the extent known at the time of notification, with updates as the investigation progresses.
14. End of Processing
On termination of the subscription, the Controller may export their Customer Content using the in-app self-serve export tools. Within 30 days of termination Berchtold will delete (or anonymise) Customer Content, except for (a) backups in rotation, which expire on the standard 35-day cycle, and (b) records we are legally required to retain (e.g., tax invoices retained for 7 years per US law). These exceptions remain subject to the confidentiality and security obligations of this DPA until destroyed.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits either party's liability for damages caused by infringement of the GDPR to the extent such liability cannot be limited under applicable law.
16. Conflicts
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
17. Governing Law
Except where the SCCs require otherwise (in which case the law designated by the SCCs governs the SCCs), this DPA is governed by the law of the State of Missouri, United States.
Annex 1 — Sub-processors
Current Sub-processors authorised under this DPA:
- Google LLC (Firebase, Firestore, Cloud Functions, Cloud KMS) — application + identity infrastructure, US.
- Netlify, Inc. — web hosting and edge delivery, US.
- Stripe, Inc. — payment processing, invoicing, tax calculation, dispute handling. US + EU regions.
- Resend, Inc. — transactional email delivery, US.
- Anthropic, PBC — large language model provider (Claude), US.
- OpenAI, Inc. — large language model provider, US.
- Adobe Inc. (Adobe Fonts / Typekit) — web font delivery to the dashboard UI. Receives only the visitor's IP address and User-Agent on each font request; no account data is sent. US.
Customer-authorised integrations (e.g. Google Analytics, Ahrefs, Buffer, Mailchimp, WordPress) are processed only when the Controller explicitly connects them and are governed by their respective providers' terms.
Annex 2 — Security Measures
- Encryption in transit: TLS 1.2+ for all public endpoints. HSTS enforced on the production domain.
- Encryption at rest: AES-256 for Firestore documents (Google-managed keys). Integration credentials encrypted with customer-isolated keys via Cloud KMS.
- Authentication: Firebase Authentication with email-verified gating on write paths. Multi-factor authentication supported via Firebase.
- Authorisation: Role-based access control on every API endpoint (viewer / editor / admin / owner). Org-level and brand-level membership tracked separately.
- Audit logging: Material actions (ownership transfers, plan changes, deletions, integrations) are logged with actor, timestamp, IP, and user agent.
- Network: All compute runs behind provider-managed firewalls. Webhook endpoints verify signatures (Stripe, OAuth callbacks) before any state mutation.
- Backups: Daily Firestore backups retained on a rolling 35-day cycle.
- Incident response: Documented procedure; Controller notification within 72 hours of becoming aware of a Personal Data Breach, as set out in Section 13.
- Personnel: All staff with production access are bound by written confidentiality obligations.
Questions or DPA signature requests: [email protected]