Data Processing Agreement (DPA)

Effective Date: December 22, 2025
Version: 1.0

Data Controller

The Developer/Customer using BillAI Services

("Controller", "you")

Data Processor

Intellex SAS, operating as BillAI

60 rue François 1er, 75008 Paris, France

SIRET: 932 652 282 R.C.S. Paris

contact@billai.com

("Processor", "we", "us")

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.

Data Protection Laws: All applicable laws and regulations relating to privacy and data protection, including:

  • EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • UK Data Protection Act 2018 and UK GDPR
  • French Data Protection Act (Loi Informatique et Libertés)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Other applicable privacy laws in your jurisdiction

Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.

Data Subject: An individual whose Personal Data is processed.

Sub-processor: Any third party engaged by Processor to process Personal Data on behalf of Controller.

Controller: The entity that determines the purposes and means of processing Personal Data (you, the developer using our Services).

Processor: The entity that processes Personal Data on behalf of the Controller (we, BillAI).

Services: The BillAI platform and related services as described in the Terms of Service.

2. Scope and Relationship

2.1 Application

This DPA applies when and to the extent that we process Personal Data on your behalf as a Processor while you act as the Controller. This typically includes:

  • Information about your end-users who purchase through your applications
  • Transaction data related to your business
  • Analytics data about usage of your applications

2.2 Controller Responsibilities

As Controller, you are responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring lawful basis exists for all processing activities
  • Providing privacy notices to Data Subjects
  • Obtaining necessary consents from Data Subjects
  • Responding to Data Subject rights requests
  • Ensuring accuracy of Personal Data provided to us
  • Compliance with all Data Protection Laws

2.3 Processor Responsibilities

As Processor, we are responsible for:

  • Processing Personal Data only according to your documented instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting with Data Subject rights requests (to the extent feasible)
  • Assisting with data breach notifications
  • Making available information to demonstrate compliance
  • Engaging Sub-processors in accordance with this DPA

2.4 Stripe as Separate Processor

Important

For payment processing activities, Stripe acts as a separate data processor. The relationship between you and Stripe is governed by the Stripe Connected Account Agreement and Stripe Services Agreement. We are not responsible for Stripe's data processing activities.

3. Processing Details

3.1 Subject Matter

Processing of Personal Data necessary to provide the BillAI platform services, including monetization infrastructure, access control, analytics, and transaction processing.

3.2 Duration

Processing will continue for the term of the Terms of Service and as necessary to fulfill legal retention obligations (typically 7 years for transaction records under French law).

3.3 Nature and Purpose of Processing

We process Personal Data for the following purposes:

  • Providing the BillAI platform services
  • Managing access control and entitlements for your applications
  • Processing and recording transactions
  • Calculating and distributing commissions
  • Providing analytics and reporting
  • Fraud detection and prevention
  • Customer support
  • Compliance with legal obligations

3.4 Categories of Data Subjects

  • Developers (our direct customers - you)
  • End-users of developer applications
  • Developer employees and representatives
  • Customer support contacts

3.5 Types of Personal Data

We may process the following categories of Personal Data:

Identity Data:

  • Names
  • Usernames
  • Email addresses

Transaction Data:

  • Purchase history
  • Transaction amounts and dates
  • Payment status
  • Refund information

Technical Data:

  • IP addresses
  • Device information
  • Browser type and version
  • Usage patterns

Business Data:

  • Company information
  • Business addresses
  • Tax identification numbers

Note: We do NOT process:

  • Credit card numbers or payment card data (handled exclusively by Stripe)
  • Sensitive personal data (health, biometric, racial/ethnic origin, etc.) unless explicitly agreed

4. Processor Obligations

4.1 Processing Instructions

Documented Instructions:

We will process Personal Data only according to your documented instructions, which include:

  • The Terms of Service and this DPA
  • Your use of platform features and functionality
  • Your configuration settings in the dashboard
  • Additional written instructions you may provide

Unlawful Instructions:

If we believe any instruction violates Data Protection Laws, we will inform you immediately. We are not obliged to follow instructions that we reasonably believe to be unlawful.

4.2 Confidentiality

Personnel:

We ensure that all persons authorized to process Personal Data:

  • Are bound by confidentiality obligations (contractual or statutory)
  • Receive appropriate training on data protection
  • Have access to Personal Data only to the extent necessary for their role

Access Controls:

We implement role-based access controls to ensure the principle of least privilege.

4.3 Security Measures

We implement appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Secure authentication and session management
  • Network security and firewalls
  • Intrusion detection and prevention systems
  • Regular security testing and vulnerability assessments
  • Secure API access with authentication
  • Regular security updates and patches

Organizational Measures:

  • Information security policies and procedures
  • Access control procedures and authorization systems
  • Employee data protection training programs
  • Vendor management and due diligence program
  • Incident response and data breach procedures
  • Business continuity and disaster recovery planning
  • Regular security reviews and audits
  • Documented security standards and guidelines

Compliance:

  • ISO 27001 aligned practices
  • Regular security assessments
  • Third-party security audits (annual)

4.4 Sub-processors

Current Sub-processors:

We currently engage the following Sub-processors:

Sub-processor      Service                  Location   Safeguards
Stripe             Payment Processing       Global     Stripe DPA, SCCs
Cloud Provider     Infrastructure Hosting   EU/US      DPA, SCCs, Certifications
Google Analytics   Analytics                Global     Data Processing Amendment
Email Provider     Transactional Emails     EU/US      DPA, SCCs

General Authorization:

You provide general authorization for us to engage Sub-processors, subject to the requirements below.

Sub-processor Requirements:

We will:

  • Conduct appropriate due diligence before engaging Sub-processors
  • Impose data protection obligations equivalent to this DPA via written contract
  • Ensure Sub-processors provide sufficient guarantees for security and protection
  • Remain fully liable to you for Sub-processor performance

Changes to Sub-processors:

  • We will provide 30 days advance notice of new Sub-processors or changes
  • Notice will be provided via email and/or dashboard notification
  • You may object on reasonable grounds within 30 days
  • If you object and we cannot accommodate, either party may terminate the affected Services

Objection Process:

To object to a Sub-processor, email contact@billai.com with:

  • Specific Sub-processor you object to
  • Reasonable grounds for objection (security, jurisdiction, compliance concerns)
  • We will work with you to find an alternative solution

4.5 Data Subject Rights

We will assist you in responding to Data Subject rights requests to the extent feasible:

Assistance Provided:

  • Access: Providing copies of Personal Data in our possession
  • Rectification: Correcting inaccurate data in our systems
  • Erasure: Deleting data (subject to legal retention requirements)
  • Restriction: Limiting processing as instructed
  • Portability: Exporting data in machine-readable format (JSON, CSV)
  • Objection: Ceasing processing activities as directed

Process:

  • You remain responsible for responding to Data Subjects
  • We will not respond directly to Data Subjects without your authorization
  • We will respond to your assistance requests within 10 business days
  • We may charge reasonable fees for extensive or repetitive requests

Limitations:

We cannot assist with rights requests where:

  • We do not have the Personal Data (e.g., data held only by Stripe)
  • Legal obligations require us to retain the data
  • The request is technically impossible to fulfill

Contact: Send assistance requests to contact@billai.com with subject "Data Subject Rights Assistance"

4.6 Data Breach Notification

Notification Obligations:

In the event of a Personal Data breach, we will:

Timeline:

  • Notify you without undue delay
  • Initial notification within 48 hours of becoming aware
  • Provide follow-up information as it becomes available

Notification Contents:

  • Nature of the breach (unauthorized access, loss, disclosure, etc.)
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate number of affected Personal Data records
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

Method:

  • Email to your registered address
  • Dashboard notification
  • Phone call for critical incidents

Your Responsibilities:

You remain responsible for:

  • Determining whether notification to the supervisory authority is required
  • Notifying Data Subjects as required by Data Protection Laws
  • Documenting the breach
  • Reporting to the supervisory authority within 72 hours of becoming aware of the breach, where feasible (Article 33 GDPR)

Assistance:

We will cooperate with your breach response efforts and provide reasonable assistance with:

  • Investigation and root cause analysis
  • Mitigation measures
  • Regulatory notifications
  • Communication to Data Subjects

4.7 Data Protection Impact Assessments (DPIAs)

We will assist you with Data Protection Impact Assessments where required:

Information Provided:

  • Description of our processing activities
  • Technical and organizational security measures
  • Sub-processor information
  • Data flows and transfers
  • Security certifications and audits
  • Risk assessments

Limitations:

We cannot conduct DPIAs on your behalf - you remain responsible as Controller. We provide information only.

Request Process: Email contact@billai.com with subject "DPIA Assistance Request"

4.8 Deletion and Return of Data

Upon termination of Services or at your request:

Options:

  1. Deletion: We will securely delete all Personal Data
  2. Return: We will return Personal Data in commonly used format (JSON, CSV)
  3. Combination: Delete some data and return other data as specified

Timeline:

  • Within 30 days of termination or request
  • Except where retention is required by law (e.g., 7 years for transaction records under French law)

Method:

  • Return via secure download link
  • Deletion with certificate of destruction upon request

Retained Data:

We will document any Personal Data retained for legal compliance, including:

  • Legal basis for retention
  • Categories of data retained
  • Retention period

Backups:

Personal Data in backup systems will be deleted in accordance with our backup retention schedule (typically within 90 days).

Certificate: We will provide a certificate confirming deletion upon request.

4.9 Audits and Inspections

Audit Rights:

You have the right to audit our compliance with this DPA:

Frequency: Once per calendar year (unless required more frequently by supervisory authority or in response to a breach)

Scope:

  • Review of security measures and controls
  • Inspection of processing activities
  • Review of Sub-processor agreements
  • Assessment of GDPR compliance

Process:

  1. Provide 30 days advance written notice
  2. Schedule audit at mutually convenient time
  3. Agree on scope and duration
  4. Execute confidentiality agreement
  5. Conduct audit during business hours
  6. Receive audit report within 30 days

Costs:

  • First audit per year: No charge
  • Additional audits: Reasonable costs may apply
  • You bear your own costs (auditor fees, travel, etc.)

Alternative:

In lieu of on-site audit, we may provide:

  • Annual SOC 2 Type II report (when available)
  • ISO 27001 certification (when obtained; see Section 4.3)
  • Third-party security assessment reports
  • Detailed compliance questionnaire responses

Limitations:

Audits must not:

  • Disrupt our business operations
  • Access other customers' data
  • Exceed reasonable scope
  • Violate our confidentiality obligations to others

Contact: To request an audit, email contact@billai.com with subject "Audit Request"

5. Controller Obligations

As Controller, you agree to:

Lawfulness:

  • Comply with all Data Protection Laws
  • Ensure lawful basis exists for all processing
  • Obtain necessary consents from Data Subjects
  • Provide adequate privacy notices

Data Quality:

  • Ensure Personal Data provided to us is accurate and up-to-date
  • Not provide more Personal Data than necessary
  • Update or correct data as needed

Instructions:

  • Provide clear, lawful instructions for processing
  • Not instruct us to process data in violation of laws
  • Document all processing instructions

Records:

  • Maintain records of processing activities
  • Document legal basis for processing
  • Keep records of consents obtained

Data Subject Rights:

  • Respond to Data Subject rights requests
  • Request our assistance when needed
  • Not hold us liable for your failures to respond

Breach Notification:

  • Notify supervisory authorities as required (within 72 hours of becoming aware of the breach under GDPR)
  • Notify Data Subjects as required
  • Document all breaches

DPIA:

  • Conduct Data Protection Impact Assessments where required
  • Consult with supervisory authority if necessary

6. International Data Transfers

6.1 Transfer Mechanisms

Personal Data may be transferred to and processed in countries outside your jurisdiction. We use approved transfer mechanisms:

European Commission Standard Contractual Clauses (SCCs):

  • For transfers from the EEA to countries without an adequacy decision
  • 2021 SCCs (Commission Implementing Decision (EU) 2021/914)
  • Module Two: Controller to Processor

UK International Data Transfer Agreement (IDTA) or UK Addendum:

  • For transfers from the UK to countries not covered by UK adequacy regulations
  • Either the IDTA or the UK Addendum to the EU SCCs, as applicable

Adequacy Decisions:

  • Where the European Commission has recognized adequate protection
  • Currently includes: Switzerland, Canada (commercial), Japan, UK, others

Other Mechanisms:

  • Binding Corporate Rules (if applicable)
  • Explicit consent or performance of a contract (Article 49 GDPR derogations, for specific, non-repetitive transfers only)

6.2 Standard Contractual Clauses

Where SCCs apply, the following terms are incorporated:

Module: Module Two (Controller to Processor)

Parties:

  • Data Exporter: You (the Controller)
  • Data Importer: Intellex SAS (the Processor)

Where we transfer Personal Data onward to a Sub-processor located outside the EEA, the SCCs listed as safeguards in Section 4.4 apply between us and that Sub-processor.

Annexes:

  • Annex I.A (Parties): As identified in this DPA
  • Annex I.B (Processing Details): As described in Section 3
  • Annex I.C (Competent Authority): CNIL (France) or your local authority
  • Annex II (Technical and Organizational Measures): As described in Section 4.3

Optional Clauses:

  • Clause 7 (Docking): Available
  • Clause 9 (Sub-processors): General authorization
  • Clause 11 (Redress): Full redress to Data Subjects
  • Clause 17 (Governing Law): Laws of France
  • Clause 18 (Jurisdiction): Courts of Paris, France

Supplementary Measures:

In addition to SCCs, we implement:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Data minimization practices
  • Documented security procedures

6.3 Transfer Impact Assessment

We have conducted transfer impact assessments for relevant transfers and implemented appropriate safeguards. Transfer impact assessment documentation is available upon request.

6.4 Data Localization

Primary Data Storage: European Union (France)

Backup Storage: European Union

Sub-processor Locations: As listed in Section 4.4

6.5 Your Authorization

By accepting this DPA, you authorize:

  • Transfers to Sub-processors listed in Section 4.4
  • Transfers necessary to provide the Services
  • Use of transfer mechanisms described above

7. Liability and Indemnification

7.1 Processor Liability

We are liable for damages caused by processing Personal Data where:

  • We have not complied with Data Protection Laws
  • We have acted outside or contrary to your lawful instructions
  • The damage is caused by our breach of this DPA

We are not liable where we prove we are not responsible for the event giving rise to the damage.

7.2 Liability Limitations

Subject to applicable law:

  • Our liability under this DPA is subject to limitations in the Terms of Service
  • These limitations do not apply to liability that cannot be limited by law
  • Each party is separately liable for its own violations of Data Protection Laws

Cap on Liability:

Total liability for data protection breaches shall not exceed the amounts specified in the Terms of Service, except where such limitation is prohibited by law.

7.3 Indemnification

We indemnify you against:

  • Fines or penalties imposed due to our breach of this DPA
  • Third-party claims arising from our breach of this DPA

Conditions:

  • You provide prompt written notice
  • You provide reasonable cooperation
  • You grant us sole control of defense (subject to your approval of settlement)

You indemnify us against:

  • Your violations of Data Protection Laws as Controller
  • Your failure to comply with your obligations under this DPA
  • Third-party claims arising from your unlawful processing instructions

8. Term and Termination

8.1 Term

This DPA takes effect on the date you accept the Terms of Service and continues while we process Personal Data on your behalf.

8.2 Termination

This DPA automatically terminates:

  • Upon termination of the Terms of Service
  • When we no longer process Personal Data on your behalf
  • Upon written agreement of both parties

8.3 Survival

The following provisions survive termination:

  • Data deletion/return obligations (Section 4.8)
  • Liability provisions (Section 7)
  • Confidentiality obligations
  • Audit rights (for reasonable period after termination)

8.4 Effect of Termination

Upon termination:

  • Processing instructions cease
  • Personal Data will be deleted or returned per Section 4.8
  • Sub-processor agreements relating to your data terminate
  • Assistance obligations continue as necessary to fulfill legal requirements

9. General Provisions

9.1 Precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails on matters of data protection.

9.2 Amendments

We may update this DPA to:

  • Reflect changes in Data Protection Laws
  • Incorporate regulatory guidance
  • Add or remove Sub-processors
  • Improve security measures
  • Clarify provisions

Material changes require 30 days advance notice via email or dashboard notification.

9.3 Severability

If any provision is invalid or unenforceable, it will be modified to the minimum extent necessary to make it valid and enforceable. Remaining provisions continue in full force.

9.4 Governing Law

This DPA is governed by the laws of France (for data protection matters), consistent with the Terms of Service.

9.5 Jurisdiction

Disputes will be resolved in accordance with the dispute resolution provisions of the Terms of Service.

9.6 Languages

This DPA is executed in English. Any translation is for convenience only. In case of inconsistency, the English version prevails.

9.7 Entire Agreement

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding data processing.

10. Standard Contractual Clauses (Full Text)

For international data transfers requiring Standard Contractual Clauses, the complete text of the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) is incorporated by reference and available at:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Selected Provisions:

  • Module 2: Controller to Processor
  • General authorization for Sub-processors
  • Governing law: France
  • Jurisdiction: Paris, France

11. Contact Information

For questions or concerns regarding this DPA:

Contact Points

Data Protection Officer / Privacy Team

contact@billai.com

Intellex SAS, 60 rue François 1er, 75008 Paris, France

Data Subject Rights Assistance

contact@billai.com

Subject: "Data Subject Rights Assistance"

Data Breach Notifications

contact@billai.com

Subject: "URGENT: Data Breach Notification"

Audit Requests

contact@billai.com

Subject: "Audit Request"

Response Time: 10 business days for routine matters, 48 hours for urgent matters

Acceptance

By accepting the Terms of Service, you acknowledge and agree to this Data Processing Agreement and authorize the processing of Personal Data as described herein.

This DPA forms an integral part of the Terms of Service.
