⚠️ Placeholder document. This Data Processing Agreement template is provisional. Enterprise customers must execute a finalized DPA reviewed by counsel before production data processing begins.

Data Processing Agreement (DPA)

Version: 0.1-placeholder · Last updated: 2026-05-20

1. Parties

This DPA is between Customer (Data Controller) and Beesiness (Data Processor) as a supplement to the Terms of Service.

2. Scope

Beesiness processes personal data on behalf of the Customer to provide meeting recording, transcription, and AI summary services as described in the main Terms.

3. Categories of data subjects

  • Customer employees
  • Meeting participants (may include third parties such as prospects, candidates, vendors)
  • K12 deployments: students and parents (subject to additional safeguards)

4. Categories of personal data

  • Identity: name, email, organizational role
  • Audio recordings of meetings
  • Transcripts (text content of conversations)
  • Metadata: timestamps, meeting participants, durations
  • Usage analytics (aggregated, no individual identifiers)

5. Processor obligations

  1. Process personal data only on documented instructions from the Controller (i.e., as necessary to provide the service per ToS)
  2. Ensure persons authorized to process data are subject to confidentiality obligations
  3. Implement technical and organizational security measures (see Annex II — security measures)
  4. Assist Controller with data subject requests (access, erasure, portability)
  5. Notify Controller of personal data breaches within 72 hours of becoming aware
  6. Provide audit rights (subject to confidentiality and reasonable notice)
  7. Delete or return all personal data after termination per Controller's choice

6. Sub-processors

Beesiness uses the sub-processors listed in our Privacy Policy §4. Customer hereby authorizes the use of these sub-processors. Beesiness will notify Customer of any new sub-processor with 30 days' advance notice; Customer may object, and Beesiness will provide an alternative or work in good faith to resolve the objection.

7. International transfers

To the extent personal data is transferred outside the EEA/UK, the EU Standard Contractual Clauses (SCCs) shall apply. For US sub-processors, Beesiness relies on SCCs and additional safeguards.

8. Training data — Enterprise guarantee

Beesiness does NOT use Enterprise Customer data to train AI models under any circumstances. This is a contractual guarantee independent of in-product settings. Audit logs are maintained for compliance verification.

9. Liability and indemnification

[Placeholder — counsel to finalize liability cap. Standard SaaS practice: cap at 12 months of fees paid.]

10. Term

This DPA is effective from the Subscription start date and continues until the Subscription is terminated and all personal data has been deleted.

11. Governing law

[Placeholder — counsel to finalize.]

Annex I — Subject matter and processing details

[Placeholder — Controller-specific details inserted per Enterprise contract.]

Annex II — Security measures

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Authentication: OAuth (Google/Microsoft) + Clerk; optional SSO/SAML/SCIM (Enterprise)
  • Access controls: Role-based (admin/member/guest), Postgres Row-Level Security
  • Audit logs: All data access and modifications logged, retained 1 year
  • Backups: Daily, 30-day retention, restore tested quarterly
  • Vulnerability management: Dependabot, Trivy container scans, annual pentest (post-MVP)
  • Personnel: Background checks, NDAs, security training annually
  • Incident response: 72-hour breach notification, dedicated security@beesiness.com channel

Annex III — Sub-processor list

See current list at Privacy Policy §4. Beesiness maintains a versioned public log of sub-processor changes.

Contact

DPA execution requests + compliance questions: legal@beesiness.com · dpo@beesiness.com
