1. Scope & Definitions
This Data Processing Addendum (“DPA”) supplements the Bouncebeam Terms of Service and applies when Bouncebeam processes Customer Data on your behalf. Capitalized terms have the same meaning as in the Terms unless defined here.
Bouncebeam Ltd is a company registered in England and Wales under company number 15714718, with its registered office at 20 Wenlock Road, London, N1 7GU, United Kingdom. For controller-level processing of personal data (for example, marketing and product analytics), please refer to the Bouncebeam Privacy Policy.
2. Roles & Responsibilities
Customer acts as the data controller and determines the purposes and means of processing. Bouncebeam acts as the data processor, following documented instructions and implementing appropriate safeguards.
3. Processing Instructions
Bouncebeam will only process Customer Data (a) to deliver the Services, (b) per written instructions, or (c) as required by law. We will notify you if an instruction conflicts with applicable law unless legally prohibited.
4. Subprocessors
Bouncebeam may engage vetted subprocessors for infrastructure, storage, analytics, payments, outbound email, and AI processing. Each subprocessor is bound by written agreements ensuring equivalent security and confidentiality.
The core subprocessors currently include, without limitation:
- Vercel, Inc. – hosting, CDN, and edge infrastructure for https://www.bouncebeam.co and related applications.
- Supabase – managed database, authentication, and storage for workspace data.
- Stripe, Inc. – billing, subscription management, and payment processing.
- PostHog – product analytics and event telemetry for usage and funnel insights.
- OpenAI – language model inference used to generate and transform content within workspaces.
- Amazon Web Services (including SES) – infrastructure and email delivery for system and diagnostic emails.
- Google services – integrations such as Google Ads and related analytics, where enabled by the customer.
This list may evolve over time as we add or replace providers. Customers can request the latest subprocessor list or change notifications at yigittabel@bouncebeam.co.
5. Security Measures
- Encryption in transit (TLS 1.2+) and at rest for production databases.
- Network segmentation, zero-trust access, and MFA for privileged systems.
- Regular vulnerability scans, penetration tests, and dependency monitoring.
- Audit logging, anomaly detection, and documented incident response runbooks.
6. Incident Response
In the event of a confirmed security incident involving Customer Data, Bouncebeam will notify you without undue delay, share remediation steps, and provide a post-incident summary once containment is complete.
7. International Transfers
When transferring personal data outside the UK or EEA, Bouncebeam relies on Standard Contractual Clauses and the UK International Data Transfer Addendum. Additional safeguards (encryption, access controls) are layered on for sensitive data.
8. Data Subject Requests & Assistance
Bouncebeam will assist with responding to data subject requests or regulator inquiries by providing tools or reasonable cooperation, provided such requests are legally valid and verifiable.
9. Audit Rights
Customers may review Bouncebeam’s documentation (security controls, penetration-test summaries, compliance reports) once per year. On-site audits can be arranged with reasonable notice and subject to confidentiality and cost-reimbursement terms.
10. Return or Deletion
Upon termination or written request, Bouncebeam will delete or return Customer Data within 30 days, unless retention is required by law. Backups are purged per our retention schedule.