Data Processing Addendum
Forms part of the Terms of Service where BDR Team processes personal data on your behalf.
1. Roles
For prospect/lead data you upload, you are the controller and BDR Team is the processor. We process it only on your documented instructions (i.e. operating the service).
2. Processing scope
Subject matter: AI outbound automation. Duration: the life of your workspace plus the configured retention window. Data subjects: your prospects and contacts. Categories: business contact details and engagement events.
3. Subprocessors
- Google Cloud Platform — hosting & compute (US).
- Supabase — managed Postgres.
- OpenAI / Google AI — only for the workspace’s configured models.
We notify customers of new subprocessors before they process customer data.
4. Security measures
- Encryption in transit (TLS) and secrets at rest (AES-256-GCM).
- Strict per-workspace tenant isolation enforced at the query layer.
- Least-privilege service accounts; audit logging of admin actions.
5. Data subject requests
Self-serve export and erasure are available to workspace admins (Admin → Compliance), enabling you to fulfil access/erasure obligations without a support ticket.
6. International transfers
Data is processed in the United States. Where required, Standard Contractual Clauses apply to transfers from the EEA/UK.
7. Sub-processor breach
We notify affected customers without undue delay after becoming aware of a personal data breach and provide the information needed to meet your notification duties.