Data Processing Addendum

Updated July 14, 2025

This DPA is entered into by and between Basedash and Customer and sets forth the parties’ obligations with respect to processing Customer Personal Data. For the purposes of this DPA, the “Agreement” refers to either the Terms of Service or the Cloud Service Agreement between you and Basedash (as applicable to you). This DPA is incorporated by reference into the Agreement and any capitalized terms not defined in this DPA shall have the meaning given to them in the Agreement.

  1. Processor and Subprocessor Relationships

1.1 Basedash as Processor

In situations where Customer is a Controller of the Customer Personal Data, Basedash will be deemed a Processor that is Processing Personal Data on behalf of Customer.

1.2 Basedash as Subprocessor

In situations where Customer is a Processor of the Customer Personal Data, Basedash will be deemed a Subprocessor of the Customer Personal Data.

1.3 Service Provider Relationship

To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies, the parties acknowledge and agree that Basedash is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement, which constitutes a business purpose. Basedash will not sell any Personal Data provided by Customer under the Agreement. In addition, Basedash will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Basedash certifies that it understands the restrictions of this paragraph.

  2. Processing

2.1 Processing Details

Annex I describes the subject matter, nature, purpose, and duration of this Processing, as well as the categories of personal data collected and categories of data subjects.

2.2 Processing Instructions

Customer instructs Basedash to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Basedash about Processing Customer Personal Data under this DPA. Basedash will abide by these instructions unless prohibited from doing so by Applicable Laws. Basedash will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.

2.3 Processing by Basedash

Basedash will only Process Customer Personal Data in accordance with this DPA. If Basedash updates the Service to update existing or include new products, features, or functionality, Basedash may change the categories of data subjects, categories of personal data, Special Category Data, Special Category Data restrictions or safeguards, the frequency of data transfer, the nature and purpose of Processing, and the duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.

2.4 Customer Processing

Where Customer is a Processor and Basedash is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.

2.5 Consent to Processing

Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Basedash and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

2.6 Subprocessors

  1. Basedash is authorized to engage (and to permit each sub-processor/service provider engaged in accordance with this DPA and set out in the list in the link in Annex III to engage) sub-processors/service providers (“Sub-processor”) in accordance with this DPA and set out in the list in the link in Annex III.

  2. When engaging a Subprocessor, Basedash will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Agreement.

  3. If the GDPR applies to the Processing of Customer Personal Data, the data protection obligations described in this DPA are also imposed on the Subprocessor.

  4. Basedash remains fully liable for all obligations subcontracted to its Subprocessors.

  3. Restricted Transfers

3.1 Authorization

Customer agrees that Basedash may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service.

3.2 Ex-EEA Transfers

Customer and Basedash agree that if the GDPR protects the transfer of Customer Personal Data, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Basedash are deemed to have signed the EEA SCCs and their Annexes.

3.3 Ex-UK Transfers

Customer and Basedash agree that if the UK GDPR protects the transfer of Customer Personal Data, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Basedash are deemed to have signed the UK Addendum and their Annexes.

3.4 Other International Transfers

For Personal Data transfers where Swiss law applies, references to the GDPR in the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor.

  4. Security Incident Response

Upon becoming aware of any Security Incident, Basedash will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident.

  5. Audit & Reports

5.1 Audit Rights

Upon reasonable request from the Customer and no more than once every 12 months, Basedash will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and will allow for and contribute to audits, including inspections by Customer.

5.2 Security Policy

Basedash will use commercially reasonable efforts to secure the Service and will maintain annually a SOC 2 Type II certification.

5.3 Security Reports

Upon written request, Basedash will give Customer, on a confidential basis, a summary copy of its then-current report.

5.4 Security Due Diligence

Basedash will respond to reasonable requests for information to confirm compliance with this DPA.

  6. Coordination & Cooperation

6.1 Response to Inquiries

If Basedash receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Basedash will notify Customer and will not respond without Customer’s prior consent unless required by law.

6.2 DPIAs and DTIAs

If required by Applicable Data Protection Laws, Basedash will reasonably assist Customer in conducting mandated impact assessments and consultations.

  7. Deletion of Customer Personal Data

7.1 Deletion by Customer

Basedash will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services.

7.2 Deletion at DPA Expiration

After the DPA expires, Basedash will return or delete Customer Personal Data at Customer’s instruction unless further storage is required by Applicable Law.

  8. Limitation of Liability

Each party’s total cumulative liability arising out of or related to this DPA is subject to the waivers, exclusions, and limitations stated in the Agreement.

  9. Conflicts Between Documents

If there is any inconsistency between this DPA, the Agreement, or any of their parts, the following order controls: (1) EEA SCCs or UK Addendum, (2) this DPA, and then (3) the Agreement.

  10. Term of Agreement

This DPA starts when Basedash and Customer agree to an Agreement and continues until the Agreement expires or is terminated, with obligations surviving as required by Applicable Data Protection Laws.

  11. Definitions

Definitions in this DPA include Applicable Laws, Applicable Data Protection Laws, Controller, Customer Personal Data, DPA, EEA SCCs, EEA, GDPR, Personal Data, Processing, Processor, Report, Restricted Transfer, Security Incident, Service, Special Category Data, Subprocessor, UK GDPR, and UK Addendum.

Annex I

Annex I(A) List of Parties

Data Exporter The Services Customer identified in the Agreement and/or the Customer account information in the Basedash Services.

Data Importer

Name: BaseDash Inc.

Address: 8 The Green, 5775, Dover, DE, 19901, US

Contact Person: Kristofer Lachance, Head of Growth

Address: 470-4020 Rue Sainte-Ambroise, Montreal, Quebec, Canada H4C 2E1

Annex I(B) Description of Transfer and Processing Activities

Service: Basedash AI-native business intelligence platform

Categories of Data Subjects

  1. Customer’s end users or customers
  2. Customer’s potential customers
  3. Customer’s employees

Categories of Personal Data

  1. Name
  2. Contact information
  3. Transactional information
  4. User activity and analysis
  5. Location information

Frequency of Transfer: Continuous

Duration of Processing: As long as required to provide services and comply with law.

Annex I(C) Competent Supervisory Authority

The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

Annex II: Technical and Organizational Measures

Basedash maintains technical and organizational safeguards, including SOC 2 Type II compliance, access controls, logging, authentication controls, encryption, security monitoring, business continuity controls, HR security, third-party risk management, secure development practices, and incident response capabilities.

Annex III: List of Subprocessors

The list of subprocessors includes providers in the United States and Czech Republic, including OpenAI, Sentry, Segment, Liveblocks, Stripe, Digital Ocean, Fullstory, Posthog, Loops, Mixpanel, Customer.io, Google Analytics, Anthropic, ClickHouse, Amazon Web Services, Google Ads, Replicache, and Betterstack.