Legal

Data Processing Addendum

Last updated: March 29, 2026

Preamble

This Data Processing Addendum along with the exhibits thereto (collectively referred to as “DPA”) supplements the agreement signed by and between r15s Technologies Limited (“r15s”, trading as “Because”) and the Customer (“Agreement”) and is incorporated by reference.

This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by Because pursuant to the Agreement, as required by the Applicable Data Protection Laws. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. Except as modified below, this DPA automatically expires upon deletion of all Personal Data as described herein.

THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Agreement, between Customer and Because.

1. Definitions

1.1. The following expressions are used in this DPA:

(a) “Non-Adequate Country” means a country or territory that is not recognized under the GDPR or the UK GDPR, as applicable, as providing adequate protection for personal data;
(b) “Data Protection Laws” means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of Personal Information, as amended, replaced or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws;
(c) “EU/UK Data Protection Laws” means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them;
(d) “GDPR” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
(e) “Personal Data” means all data which is defined and regulated as “Personal Data”, “Personal Information” or an equivalent term under applicable Data Protection Laws and which is provided by Customer to Because or accessed, stored or otherwise processed by Because in connection with the Services;
(f) “UK GDPR” means the United Kingdom General Data Protection Regulation;
(g) “United States Data Protection Laws” means any United States’ state or federal data protection law as such law may be amended, replaced, or consolidated from time to time;
(h) “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” (and their cognates) will have the meanings ascribed to them in the GDPR and/or UK GDPR as applicable, or the equivalent terms (“process”, “business”, “consumer”, “service provider”) under United States Data Protection Laws where applicable.

2. Status of the Parties

2.1 The Agreement(s) determines the subject matter and the duration of Because’s processing of Personal Data, as well as the nature and purpose of any collection, use and other processing of Personal Data (collectively, the “Particulars”) and the rights and obligations of Customer. Appendix 1 to the Standard Contractual Clauses specifies the Particulars and will apply to all processing of Personal Data subject to this DPA, regardless of whether such processing is subject to Section 8 of this DPA.

2.2 As between the parties, Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the “Customer Legal Basis Assurance”). Each of Customer and Because warrant in relation to Personal Data that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the Data Protection Laws; provided, however, that Because’s warranty is subject to Customer Legal Basis Assurance. Each of Customer and Because agree that it shall notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.

2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the Data Controller and Because is the Data Processor and accordingly Because agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.

2.4 Each of Because and Customer will notify to each other of one or more individuals within its organisation authorised to respond from time to time to enquiries regarding Personal Data and each of Because and Customer will deal with such enquiries promptly.

3. General Obligations Relating to the Processing of Personal Data

3.1 With respect to all Personal Data, Because agrees that it will:

(a) only process the Personal Data in order to provide the Services and will act only in accordance with this Agreement and Customer’s written instructions. The terms of the Agreement and this DPA constitute the Customer’s written instructions to Because in relation to the processing of personal data. For the avoidance of doubt, the Customer can issue further instructions for processing at any time;
(b) in the unlikely event that applicable law requires Because to process Personal Data other than pursuant to Customer’s instructions, immediately notify Customer (unless prohibited from so doing by applicable law);
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Because’s possession or under its control. Such measures include the security measures specified in Because’s information security policies;
(d) ensure that its personnel have access to such Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere with the Agreement and this DPA;
(e) without delay after becoming aware and in any case within forty-eight (48) hours, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in Because’s possession or under its control (including when transmitted, stored or otherwise processed by Because) (a “Security Breach”);
(f) taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and information in Because’s possession concerning the Security Breach, including, to the extent known to Because, the following:
(i) the nature of the Security Breach;
(ii) the categories and approximate number of data subjects concerned;
(iii) the categories and approximate number of Personal Data records concerned;
(iv) the likely consequences of the Security Breach;
(v) a summary of the unauthorised recipients of the Personal Data; and
(vi) the measures taken or proposed to be taken by Because to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects;
(g) Insofar as a Security Breach relates to Customer, Because will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Breach or disclosure request which directly or indirectly identifies Customer (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer’s prior written approval, unless, and solely to the extent that, Because is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Because shall provide Customer with reasonable prior written notice to provide Customer with the opportunity to object to such disclosure and in any case, Because shall limit the disclosure to the minimum scope required.
(h) return or delete Customer’s Personal Data within thirty (30) days of termination or expiration of the Term, save where otherwise agreed with the Customer. Because shall comply with all directions provided by Customer with respect to the return or disposal of Personal Data. This requirement shall not apply to the extent Because is required by any applicable law to retain some or all of the Personal Data, in which event Because shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
(i) assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:
(i) data protection impact assessments (as such term is defined in the applicable Data Protection Laws);
(ii) subject access requests;
(iii) notifications to the supervisory authority/regulators under applicable Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and
(iv) Customer’s compliance with its obligations under applicable Data Protection Laws with respect to the security of processing.
(j) assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under applicable Data Protection Laws. Because will promptly notify Customer of requests received by Because, unless otherwise required by applicable law. Because will not make changes to such Personal Data except as agreed in writing with Customer.

4. Obligations Relating to the Processing of Personal Data subject to EU/UK laws

4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, Because agrees that it will:

(a) as soon as possible after becoming aware, inform Customer if, in Because’s opinion, any instructions provided by Customer under Clause 3.1(a) infringe the GDPR or UK GDPR;
(b) maintain records of its processing activities as required by EU/UK Data Protection Laws and to demonstrate its compliance with this DPA and make such records available to the applicable supervisory authority and/or the Customer upon request.

5. Obligations Relating to the Processing of Personal Data subject to United States Data Protection Laws

5.1 With respect to all Personal Data subject to United States Data Protection Laws, Because agrees that it will:

(a) not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
(b) not retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of Because’s provision of Services and in accordance with this DPA.
(c) not combine Personal Data with personal data it receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject.

5.2 Because agrees that the terms “Aggregate Consumer Information”, “Service Provider”, “Business Purpose” and “De-identified” will have the meanings ascribed to them in Cal. Civ. Code §1798.140, as that code section may be amended or replaced from time to time, and that Because will process such Personal Data accordingly.

5.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Because is a Service Provider.

5.4 Notwithstanding the foregoing, and for the purpose of addressing other prospective data protection laws, Because shall not process any Personal Data (regardless of where that individual resides) other than for a) the specific purpose of Because’s performance of its Services or b) a Business Purpose.

5.5 Subject to Because’s compliance with this DPA, Customer agrees to make Personal Data available to Because for the limited and specified purpose of providing the Services. Customer reserves the right to take reasonable and appropriate steps to help ensure that Because processes Personal Data in a manner consistent with Customer’s obligations under United States Data Protection Laws, including without limitation the right, upon notice, to stop and remediate any unauthorized processing of Personal Data.

6. Sub-processing

6.1 Customer authorises Because to appoint sub-processors in accordance with this Section 6. Because publishes a list of its sub-processors on request.

6.2 When any new sub-processor is engaged, Because will add them to the Sub-processor List. Because will give Customer prior written notice of any changes to the Sub-processor List, including full details of the processing to be undertaken by that respective Sub-processor, giving Customer fourteen (14) days to object upon reasonable data protection grounds by providing written notice of such objection to Because.

6.3 If Customer objects to the authorisation of any future sub-processor on reasonable data protection grounds within fourteen (14) days of notification of the proposed authorisation, Because will use its reasonable efforts to provide an alternative or workaround to avoid processing of Personal Data by the objected-to sub-processor to the satisfaction of Customer within a reasonable period of time.

6.4 Because will require its sub-processors to comply with terms that provide substantially the same protection of Personal Data as those imposed on Because in the Agreement and this DPA. Because will be liable for all the acts and omissions of its sub-processors in relation to the Agreement and this DPA.

7. Audit and Records

7.1 Because will, in accordance with applicable Data Protection Laws, make available to Customer such information in Because’s possession or control as Customer may reasonably request with a view to demonstrating Because’s compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data.

7.2 Because shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer, in order to assess Because’s compliance with this DPA and Data Protection Laws. Such audits may be undertaken no more than once in a twelve (12) month period by providing Because with reasonable notice. Customer shall reimburse Because for any time expended for any such on-site audit at Because’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Because shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.

8. Data Transfers

8.1 Customer will ensure that Customer and Customer’s authorised users are entitled to transfer the Personal Data to Because so that Because, and its sub-processors, may lawfully process the Personal Data in accordance with this DPA.

8.2 The Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the UK and EEA, including in the United States.

8.3 Insofar as the Agreement involves the transfer of Personal Data from the EEA to a Non-Adequate Country, the parties agree to comply with the Standard Contractual Clauses – Module 2, incorporated by reference in Exhibit 1.

8.4 Insofar as the Agreement involves the transfer of Personal Data from the UK to a Non-Adequate Country, the parties agree to comply with the Controller-Processor UK Standard Contractual Clauses, incorporated by reference in Exhibit 2.

8.5 In the event that the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction and/or the analogous competent authority in the EEA or United Kingdom revises and thereafter publishes new Standard Contractual Clauses or as otherwise required or implemented by such authority, such new Standard Contractual Clauses will supersede and replace the existing Standard Contractual Clauses. If such revision or publication requires that this DPA be adjusted to accommodate new or changing requirements, the parties agree to promptly negotiate in good faith to amend this DPA.

8.6 Except as covered or permitted by the Standard Contractual Clauses, applicable law, or a country in respect of which a valid adequacy decision has been issued by the European Commission, as the case may be, Because shall not process Personal Data outside the European Economic Area or the United Kingdom without the express written consent of the Customer.

9. General

9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. This DPA is incorporated into and made a part of the Agreement by this reference. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail so far as the subject matter concerns the processing of Personal Data.

9.2 Customer and Because each agree that the governing law and venue provisions in the Agreement apply to this DPA.

Exhibit 1: Standard Contractual Clauses — Controller to Processor

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2 (as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021), which are incorporated herein by reference. The parties agree that the following terms apply:

1. Clause 7: The parties have chosen not to include Clause 7.
2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least fourteen (14) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
3. Clause 11(a): The parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
4. Clause 13(a): The competent supervisory authority shall be determined in accordance with Annex I.C of this DPA.
5. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
6. Clause 18(b): The parties agree that those shall be the courts of the Republic of Ireland.

Annex I

A. List of Parties

1. Data exporter(s): Refer to Signatories of the Agreement

Signature and date: Refer to Signatories of the Agreement

Role (controller/processor): Controller

2. Data importer(s): r15s Technologies Limited (trading as Because)

Signature and date: Refer to Signatories of the Agreement

Role (controller/processor): Processor

B. Description of Transfer

Data subjects: The Personal Data transferred concerns the following categories of data subjects:

  • Customer’s employees, customers

Categories of Personal Data: As part of the Services, Because processes the following information:

Personal Data of Customer’s users (“User Data”)

  • Username
  • Name
  • Email address

Personal Data of Customer’s contacts (“Contact Data”)

  • Name
  • Phone number
  • Email address
  • Company name
  • Job Title

Special categories of data (if appropriate): None. The Services are not intended to process special categories of personal data as defined in Article 9 GDPR.

Other categories of data processed (relating to Customer’s business):

  • Agreement Details: Contract numbers, start and end dates, renewal terms, termination conditions.
  • Financial Information: Pricing terms, discounts, payment terms, tax details, total amounts.
  • Scope of Services: Products/services descriptions, service levels, delivery schedules.
  • Order Details: Product/service identifiers, quantities, delivery dates, order numbers.

Frequency of the transfer: Continuous basis

Nature of the processing: As described in the Agreement(s)

Purpose(s) of the data transfer and further processing: As described in the Agreement(s)

Period for which the personal data will be retained: For the duration of the relevant Agreement(s) and Order Form(s)

For transfers to (sub-) processors: The same as the Data Importer

Processing operations: As described in the Agreement(s)

C. Competent Supervisory Authority

Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as the competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of Regulation (EU) 2016/679 by virtue of Article 3(2), the competent supervisory authority shall be the Irish Data Protection Commission:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland

Annex II — Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

The Data Importer currently abides by the security standards in this Annex. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

Hosting Infrastructure

Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by Amazon Web Services (AWS).

Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single points of failure using an active/passive configuration in order to minimize the impact of environmental risks.

Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure conditions, and which will, when appropriate, trigger failover mechanisms.

Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.

Business Continuity. The Data Importer replicates its service and data over multiple data centers within a geographic region to protect against loss of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness for business continuity and disaster recovery.

Networks & Transmission

Network Data Transmission. Interactions between users, administrators and Data Importer modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.

Network Security. The Data Importer employs multiple layers of DOS protection, Intrusion Detection, Rate Limiting and other network security services from both its hosting providers and third-party providers.

Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.

Policies and Procedures

Policies. The Data Importer has written, approved policies governing Account Management, Acceptable Use, Data Retention, Employee Code of Conduct, Encryption, Incident Response, Information Sensitivity, Use of Mobile Devices, Password Protection, Patch Management and Risk Management.

Procedures. The Data Importer has written and approved procedures for Data Breach Notification, Change Management, Communication, Disaster Recovery, DoS Response, System Backup and Recovery, and Monitoring.

Security Response. The Data Importer monitors a variety of communication channels for security incidents, and the Data Importer’s security personnel are required to react promptly to known incidents.

Access Controls

Access Procedures. The Data Importer maintains formal access procedures for allowing its personnel access to the production service and components involved in building the production service. Only authorized employees are allowed access to these restricted components and all access is approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the restricted components. Audit records are maintained to indicate who has access to restricted components.

Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a secured channel and requires two-factor authentication.

Logging. Access to the Data Importer’s production service and build infrastructure is done using unique IDs and is logged.

Infrastructure Security Personnel. The Data Importer maintains several security policies governing its personnel. The Data Importer’s infrastructure security personnel are responsible for the ongoing monitoring of the Data Importer’s security infrastructure, the review of the Services, and responding to security incidents.

Data Protection

In Transit. Interactions between users, administrators and Because modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.

At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information such as cryptographic keys and application secrets.

Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted infrastructure. The data and service are replicated across multiple hosted datacenters within the same geographic region.

Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large degree of control over the specific data stored in the Service.

Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data Exporter’s data.

Software Code Review. The Data Importer employs a code review process to improve the security of the code used to provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of the change.

Automated testing. Each software build is subjected to a comprehensive suite of automated tests.

Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a periodic basis.

Sub-processor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the sub-processor provides a level of security and data protection controls appropriate to their access to data and the scope of the services they are engaged to provide.

Data Privacy Office. The Data Privacy Office of the Data Importer can be contacted by the Data Exporter’s administrators by emailing security@becausehq.com (or via such other means as may be provided by the Data Importer).

Staff Conduct and Security

Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, usage, compliance and professional standards.

Annex III — Amendments to Enable the Transfer of Data from Switzerland to a Third Country

Pursuant to the FDPIC’s guidance titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties are adopting the GDPR standard for all data transfers under the FADP and under the GDPR. To the extent personal data is transferred outside of Switzerland to a country with an inadequate level of data protection, the following amendments to the Standard Contractual Clauses provided for in Exhibit 1 shall apply:

1. Annex I.C: The competent supervisory authority shall be the FDPIC, insofar as the data transfer is governed by the FADP; and shall be the EU authority referenced in Annex I.C insofar as the data transfer is governed by the GDPR.
2. The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
3. The Standard Contractual Clauses shall also protect the data of legal entities to the extent required by the FADP.

Exhibit 2: UK International Data Transfer Addendum

Insofar as the Agreement involves the transfer of Personal Data from the United Kingdom to a Non-Adequate Country, the parties agree to comply with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the Information Commissioner under S119A(1) of the Data Protection Act 2018 and in force from 21 March 2022 (the “UK Addendum”), as published by the Information Commissioner’s Office.

The UK Addendum is incorporated by reference and completed as follows:

Table 1 — Parties

  • Start date: The Effective Date of the Agreement.
  • The Parties: Data Exporter is the Customer (as described in Annex I.A of Exhibit 1); Data Importer is r15s Technologies Limited (trading as Because).
  • Key Contact: security@becausehq.com for the Data Importer; Customer’s notice contact under the Agreement for the Data Exporter.

Table 2 — Selected SCCs, Modules and Selected Clauses

The Approved EU SCCs referenced in Exhibit 1 of this DPA, Module 2 (Controller to Processor), apply.

Table 3 — Appendix Information

  • Annex 1A (List of Parties): As set out in Annex I.A of Exhibit 1.
  • Annex 1B (Description of Transfer): As set out in Annex I.B of Exhibit 1.
  • Annex II (Technical and organisational measures): As set out in Annex II of Exhibit 1.
  • Annex III (List of Sub-processors): Available on request from security@becausehq.com.

Table 4 — Ending this Addendum when the Approved Addendum Changes

Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

For any question about this DPA, please contact security@becausehq.com.