Data Processing Addendum

Draft only. Requires legal review before publication. This software provides compliance tooling, but does not provide legal advice.

Data Processing Addendum

Purpose

Provide B2B controller-to-processor terms when BAAM AI processes customer personal data on behalf of a business customer.

Source model

This slot follows mature SaaS and security-software legal-center patterns: Zapier-style customer terms, DPA, subprocessors, security, and data-transfer material; Avast-style license, acceptable-use, privacy, IP, transparency, and accessibility material.

Jurisdiction focus

Prepare this for EU users and Czech-market operation. Complete operator details, Czech consumer wording, cookie consent behavior, GDPR roles, and cross-border transfer safeguards before publication.

Relationship of the parties

Identify when the customer is controller and BAAM AI is processor, and when BAAM AI acts as independent controller for account, billing, security, analytics, marketing, or legal compliance.

Subject matter and duration

Processing occurs to provide the BAAM AI service for the subscription term and any required post-termination retention period.

Categories of data

Customer users, customer contacts, marketing leads, campaign audiences, support contacts, workspace members, and any personal data imported through integrations or CSV files.

Instructions

BAAM AI processes customer personal data according to the agreement, product configuration, documented instructions, and applicable law.

Security measures

Reference the Security Statement for access control, encryption, logging, backups, vulnerability handling, and incident response.

Subprocessors

Permit approved subprocessors and link the Subprocessor List. Describe notice of changes and objection process.

International transfers

Reference SCCs, adequacy decisions, and the International Data Transfer Summary for non-EEA processing.

Assistance

Describe assistance with data subject requests, DPIAs, security incidents, deletion, and audits within reasonable limits.

Completion checklist

• Confirm GDPR Article 28 clauses with counsel.
• Attach or link SCCs where needed.
• Keep subprocessor and TOMs references current.