Data Processing Addendum
Updated February 21st, 2025
This DPA is entered into by and between Basedash and Customer and sets forth the parties’ obligations with respect to processing Customer Personal Data. For the purposes of this DPA, the “Agreement” refers to either the Terms of Service or the Cloud Service Agreement between you and Basedash (as applicable to you). This DPA is incorporated by reference into the Agreement and any capitalized terms not defined in this DPA shall have the meaning given to them in the Agreement.
1. Processor and Subprocessor Relationships
1.1 Basedash as Processor
In situations where Customer is a Controller of the Customer Personal Data, Basedash will be deemed a Processor that is Processing Personal Data on behalf of Customer.
1.2 Basedash as Subprocessor
In situations where Customer is a Processor of the Customer Personal Data, Basedash will be deemed a Subprocessor of the Customer Personal Data.
1.3 Service Provider Relationship
To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies, the parties acknowledge and agree that Basedash is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement, which constitutes a business purpose. Basedash will not sell any Personal Data provided by Customer under the Agreement. In addition, Basedash will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Basedash certifies that it understands the restrictions of this paragraph.
2. Processing
2.1 Processing Details
Annex I describes the subject matter, nature, purpose, and duration of this Processing, as well as the categories of personal data collected and categories of data subjects.
2.2 Processing Instructions
Customer instructs Basedash to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Basedash about Processing Customer Personal Data under this DPA. Basedash will abide by these instructions unless prohibited from doing so by Applicable Laws. Basedash will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
2.3 Processing by Basedash
Basedash will only Process Customer Personal Data in accordance with this DPA. If Basedash updates the Service to update existing or include new products, features, or functionality, Basedash may change the categories of data subjects, categories of personal data, Special Category Data, Special Category Data restrictions or safeguards, the frequency of data transfer, the nature and purpose of Processing, and the duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.
2.4 Customer Processing
Where Customer is a Processor and Basedash is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.
2.5 Consent to Processing
Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Basedash and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.
2.6 Subprocessors
Basedash will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Basedash will inform Customer at least 10 business days in advance and in writing of any intended changes to the approved Subprocessors, whether by addition or replacement of a Subprocessor, which allows Customer enough time to object to the changes before Basedash begins using the new Subprocessor(s). Basedash will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object; otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Basedash will cooperate in good faith to resolve Customer’s objection or concern.
When engaging a Subprocessor, Basedash will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Agreement.
If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Basedash’s agreement with the Subprocessor will incorporate these obligations, including details about how Basedash and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Basedash will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Basedash may redact the text of its agreement with its Subprocessor prior to sharing a copy.
Basedash remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Basedash will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Basedash and the Subprocessor.
3. Restricted Transfers
3.1 Authorization
Customer agrees that Basedash may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Basedash transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Basedash will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
3.2 Ex-EEA Transfers
Customer and Basedash agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Basedash outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Basedash are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Basedash is Processing Customer Personal Data for Customer as a Processor.
Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Basedash is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
For each module, the following applies (when applicable):
The optional docking clause in Clause 7 does not apply;
In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;
In Clause 11, the optional language does not apply;
All square brackets in Clause 13 are removed;
In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Ireland;
In Clause 18(b), disputes will be resolved in the courts of Ireland; and
This DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.
3.3 Ex-UK Transfers
Customer and Basedash agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Basedash outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Basedash are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.
Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
This DPA contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
3.4 Other International Transfers
For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
4. Security Incident Response
Upon becoming aware of any Security Incident, Basedash will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Basedash’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Basedash of any fault or liability for the Security Incident.
5. Audit & Reports
5.1 Audit Rights
Upon reasonable request from the Customer and no more than once every 12 months, Basedash will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Basedash will allow for and contribute to audits, including inspections by Customer, to assess Basedash’s compliance with this DPA. However, Basedash may restrict access to data or information if Customer’s access to the information would negatively impact Basedash’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. All expenses and costs in relation to any audit conducted under this section, including Basedash personnel time, shall be the sole responsibility of, and compensated by, the Customer. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Basedash to comply with the reporting and due diligence requirements below. Basedash will maintain records of its compliance with this DPA for 3 years after the DPA ends.
5.2 Security Policy
Basedash will use commercially reasonable efforts to secure the Service from unauthorized access, alteration, or use and other unlawful tampering. Basedash will comply with all security requirements and obligations set forth in this Agreement. Basedash will maintain annually a SOC 2 Type II certification (the “Security Policy”).
5.3 Security Reports
Customer acknowledges that Basedash is regularly audited against the SOC 2 Type II standard by independent third-party auditors. Upon written request, Basedash will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Basedash’s compliance with the standards defined in the Security Policy.
5.4 Security Due Diligence
In addition to the Report, Basedash will respond to reasonable requests for information made by Customer to confirm Basedash’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to hello@basedash.com and may only be made once a year.
6. Coordination & Cooperation
6.1 Response to Inquiries
If Basedash receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Basedash will notify Customer about the request and Basedash will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Basedash will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Basedash, Basedash will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Basedash will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Basedash’s Processing of Customer Personal Data under this DPA.
6.2 DPIAs and DTIAs
If required by Applicable Data Protection Laws, Basedash will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.
7. Deletion of Customer Personal Data
7.1 Deletion by Customer
Basedash will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Basedash will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.
7.2 Deletion at DPA Expiration
After the DPA expires, Basedash will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Basedash will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Basedash to continue hosting or Processing Customer Personal Data.
If Customer and Basedash have entered the EEA SCCs or the UK Addendum as part of this DPA, Basedash will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.
8. Limitation of Liability
8.1 Liability Caps and Damages Waiver
To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
8.2 Related-Party Claims
Any claims made against Basedash or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
8.3 Exceptions
This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
9. Conflicts Between Documents
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
10. Term of Agreement
This DPA will start when Basedash and Customer agree to an Agreement and will continue until the Agreement expires or is terminated. However, Basedash and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Basedash and Basedash stops Processing Customer Personal Data.
11. Definitions
“Applicable Laws” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
“Applicable Data Protection Laws” means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term.
“Controller” will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
“Customer Personal Data” means Personal Data that Customer uploads or provides to Basedash as part of the Service and that is governed by this DPA.
“DPA” means this Data Processing Agreement between Basedash and Customer.
“EEA SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.
“European Economic Area” or “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.
“GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
“Personal Data” will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
“Processing” or “Process” will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.
“Processor” will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
“Report” means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Basedash.
“Restricted Transfer” means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Security Incident” means a Personal Data Breach as defined in Article 4 of the GDPR.
“Service” means the product and/or services described in the Agreement.
“Special Category Data” will have the meaning given in Article 9 of the GDPR.
“Subprocessor” will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
“UK GDPR” means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
“UK Addendum” means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.
Annex I
Annex I(A) List of Parties
Data Exporter
The Services Customer identified in the Agreement and/or the Customer account information in the Basedash Services.
Data Importer
Name: BaseDash Inc.
Address: 8 The Green, 5775, Dover, DE, 19901, US
Contact Person:
Name: Kristofer Lachance
Position: Head of Growth
Address: 470-4020 Rue Sainte-Ambroise, Montreal, Quebec, Canada H4C 2E1
Activities relevant to transfer: See Annex I(B)
Role: Processor or Subprocessor (as applicable)
Annex I(B) Description of Transfer and Processing Activities
Service. Basedash AI-native business intelligence platform
Categories of Data Subjects
Customer’s end users or customers;
Customer’s potential customers; and
Customer’s employees
Categories of Personal Data
Name;
Contact information such as email, phone number, or address;
Transactional information such as account information or purchases;
User activity and analysis such as device information or IP address;
Location information
Special Category Data. The parties agree that the Services are not intended for the processing of Special Category Data. If Customer wishes to use the Services to process Special Category Data, it will remain responsible for such Sensitive Data.
Frequency of Transfer. Continuous
Nature and Purpose of Processing
Receiving data, including collection, accessing, and retrieval;
Holding data, including storage, organization, and structuring;
Combining data;
Using data, including analysis, and consultation;
Protecting data, including restricting, encrypting, and security testing; and
Erasing data, including destruction and deletion.
Duration of Processing. Basedash will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of this DPA; or (ii) by Applicable Laws.
Annex I(C) Competent Supervisory Authority
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Annex II: Technical and Organizational Measures
Basedash prioritizes the security of our Services and has implemented comprehensive administrative, technical, physical, and organizational measures to protect Customer Personal Data, including against unauthorized access, alteration, disclosure, or loss of data. The list below includes some (though not all) of the technical and organizational security measures Basedash has implemented.
Security Certifications and Standards. Basedash maintains SOC 2 Type II compliance and undergoes regular third-party security audits to validate the effectiveness of its security controls and practices.
Access Control and Authentication. Basedash implements comprehensive access controls including role-based access control, multi-factor authentication, and strict password policies.
Event Logging. Basedash maintains complete event logging and monitoring through Segment for user activities and system events, with logs securely stored in our Digital Ocean infrastructure. Additionally, we utilize Sentry for real-time error tracking and monitoring to ensure rapid detection and response to any technical issues.
User Identification and Authorization. Basedash employs secure authentication through Magic Link sign-on and enterprise Single Sign-On (SSO), complemented by a granular in-app permissions system that allows precise control over data access and user capabilities.
Data Security and Encryption. All confidential data is protected using industry-standard encryption protocols including TLS v1.2 or better for transit and AES-256 for confidential data, with robust key management procedures in place.
System Security and Monitoring. Comprehensive security monitoring includes regular vulnerability scanning, penetration testing, and automated security event alerting, with all systems maintaining strict separation between development and production environments.
Business Continuity and Disaster Recovery. Regular backup procedures and annual disaster recovery testing ensure business continuity, supported by documented incident response procedures and redundant infrastructure for critical services.
Access Control and Password Policies. Basedash enforces strict credential management through mandatory minimum 10-character passwords for confidential systems, unique user identifiers for all personnel, and prohibition of shared credentials. Basedash maintains secure password management systems for administrative accounts, with all passwords being cryptographically protected through hashing or encryption. Multi-Factor Authentication (MFA) is required for all privileged access to production systems.
Human Resource Security. All employees undergo background verification and regular security awareness training, with confidentiality agreements and clear procedures for security violation management.
Third-Party Risk Management. Vendor security is maintained through regular assessments, monitoring of service delivery, and documented security requirements in all supplier agreements with annual security control reviews.
Development Security. Secure development practices include regular code reviews, security testing before deployment, and comprehensive version control and change management procedures.
Incident Response. A comprehensive incident response framework includes documented procedures, clearly defined roles and responsibilities, and regular testing of response capabilities.
Annex III: List of Subprocessors
The Customer has approved the use of the Subprocessors below:
United States
OpenAI
Processing task: AI language processing
Sentry
Processing task: Application error monitoring and performance tracking
Segment
Processing task: Customer data platform for analytics
Liveblocks
Processing task: Real-time collaboration functionality
Stripe
Processing task: Online payment processing
Digital Ocean
Processing task: Cloud infrastructure and hosting services
Fullstory
Processing task: Session replay and related analytics
Posthog
Processing task: Product analytics
Loops
Processing task: Email sending and marketing automation
Mixpanel
Processing task: Product usage analytics
Customer.io
Processing task: Customer engagement and messaging
Google Analytics
Processing task: Website traffic tracking analytics
Anthropic
Processing task: AI language processing
Clickhouse
Processing task: Analytical database system
Amazon Web Services
Processing task: Cloud computing services
Google Ads
Processing task: Online advertising and related analytics
Replicache
Processing task: Real-time data synchronization framework for web apps
Czech Republic
Betterstack
Processing task: Observability and log management