This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms of Service (“Agreement”) between Baponi, Inc. (“Baponi”, “Processor”) and the entity accepting the Agreement (“Customer”, “Controller”). This DPA governs Baponi’s processing of Personal Data on behalf of Customer in connection with the Services.

This DPA applies only to Baponi’s cloud-hosted Services (SaaS). It does not apply to self-hosted Enterprise deployments where Baponi does not receive, store, or process any Customer data. See Section 14.3 of the Terms of Service.

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

1. Definitions

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act and the California Privacy Rights Act (“CCPA/CPRA”); and (e) any other applicable data protection or privacy law.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.

“Personal Data” means any information relating to a Data Subject that is processed by Baponi on behalf of Customer through the Services, as described in Schedule 1.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Baponi under this DPA.

“Standard Contractual Clauses” or “SCCs” means: (a) for transfers from the EEA, the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914; (b) for transfers from the UK, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office; and (c) for transfers from Switzerland, the SCCs as recognized under the FADP.

“Subprocessor” means any third party engaged by Baponi to process Personal Data on behalf of Customer.

2. Scope and Roles

2.1 Roles

Customer is the Controller. Baponi is the Processor. Each party shall comply with its respective obligations under Applicable Data Protection Law.

2.2 Scope of Processing

Baponi processes Personal Data solely to provide the Services as described in the Agreement and as further specified in Schedule 1. The categories of Personal Data, categories of Data Subjects, nature and purposes of processing, and duration of processing are set out in Schedule 1.

2.3 Customer Obligations

Customer represents and warrants that: (a) it has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects for the processing described in this DPA; (b) its instructions to Baponi comply with Applicable Data Protection Law; and (c) it has assessed the appropriateness of the security measures described in this DPA for the types of Personal Data it submits to the Services.

3. Processing Instructions

3.1 Documented Instructions

Baponi shall process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. Customer’s instructions are documented in: (a) this DPA; (b) the Agreement; and (c) Customer’s configuration and use of the Services (including sandbox settings, API calls, retention period selections, and connector configurations). If Baponi becomes aware that an instruction from Customer infringes Applicable Data Protection Law, Baponi shall promptly notify Customer.

3.2 Processing Prohibition

Baponi shall not: (a) process Personal Data for any purpose other than providing the Services under Customer’s documented instructions; (b) sell Personal Data; (c) retain, use, or disclose Personal Data for any commercial purpose other than providing the Services; or (d) combine Personal Data with data collected from other sources, except as permitted by Applicable Data Protection Law for the purpose of detecting data security incidents.

4. Confidentiality

Baponi shall ensure that all personnel authorized to process Personal Data under this DPA: (a) are bound by appropriate confidentiality obligations, whether contractual or statutory; and (b) process Personal Data only as necessary to perform their duties in connection with the Services.

5. Security

5.1 Security Measures

Baponi shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. The current security measures are described in Section 8 of the Privacy Policy and include encryption in transit and at rest, access controls, execution isolation, credential isolation, immutable audit logging, and incident response procedures.

5.2 Updates to Security Measures

Baponi may update its security measures from time to time, provided that the updated measures do not materially decrease the overall level of protection afforded to Personal Data.

6. Subprocessors

6.1 Authorization

Customer provides general authorization for Baponi to engage Subprocessors to process Personal Data. The current list of Subprocessors is available to Customer upon request and is described by category in Section 5.2 of the Privacy Policy.

6.2 Notification of Changes

Baponi shall notify Customer at least ten (10) business days before engaging a new Subprocessor or replacing an existing Subprocessor. Notification will be provided via email to the address on Customer’s account and by updating the Subprocessor list.

6.3 Objection Right

If Customer has a reasonable, good-faith objection to a new Subprocessor based on documented data protection concerns, the parties shall discuss the objection in good faith. If unresolved, Customer may terminate the affected Services upon written notice.

6.4 Subprocessor Obligations

Baponi shall impose data protection obligations on each Subprocessor that are no less protective than those in this DPA. Baponi’s liability for the acts and omissions of its Subprocessors is subject to the limitation of liability in Section 10 of the Agreement.

7. Data Subject Rights

7.1 Assistance

Baponi shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. The rights and exercise mechanisms available to Data Subjects are described in Section 9 of the Privacy Policy.

7.2 Direct Requests

If Baponi receives a request from a Data Subject directly, Baponi shall promptly redirect the Data Subject to Customer, unless Baponi is legally required to respond directly. Baponi shall not independently respond to a Data Subject request without Customer’s prior written authorization, except to confirm that the request relates to Customer’s use of the Services.

8. Security Incidents

8.1 Notification

Baponi shall notify Customer of a Security Incident without undue delay, and in any event within seventy-two (72) hours of confirming the incident. Notification shall be provided to the email address on Customer’s account and through the Services dashboard.

8.2 Notification Content

The notification shall include, to the extent known at the time: (a) the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the incident; (c) the measures taken or proposed to address the incident and mitigate its effects; and (d) the identity and contact details of Baponi’s point of contact for further information.

8.3 Ongoing Updates

Baponi shall provide Customer with timely updates as additional information about the Security Incident becomes available. Baponi shall cooperate with Customer in Customer’s fulfillment of its own breach notification obligations under Applicable Data Protection Law.

8.4 Limitations

Baponi’s notification of a Security Incident is not an acknowledgment of fault or liability. The obligation to notify applies only to confirmed Security Incidents, not to unsuccessful attempts such as failed login attempts, port scans, denial-of-service attacks that do not result in unauthorized access, or similar events that do not compromise the confidentiality, integrity, or availability of Personal Data.

9. Audits

9.1 Audit Information

Upon Customer’s written request (no more than once per twelve-month period, unless a Security Incident has occurred or a supervisory authority requires an audit), Baponi shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

9.2 Audit Mechanism

Baponi’s primary audit mechanism is its third-party certifications and audit reports, when available. Baponi shall, upon request, provide Customer with: (a) a copy of its most recent third-party security audit report or certification (such as SOC 2 Type II), if one has been obtained; (b) responses to a reasonable security questionnaire (no more than 150 questions); and (c) a summary of any penetration test findings relevant to Customer’s data. Customer agrees that these materials satisfy Customer’s audit rights under Article 28(3)(h) GDPR in the absence of specific, documented concerns about non-compliance.

9.3 On-Site Audits

If the information provided under Section 9.2 is insufficient and Customer has documented, reasonable grounds for concern, Customer may request an on-site audit at Customer’s sole expense, no more than once per twenty-four (24) months. The audit shall be conducted by a mutually agreed independent third-party auditor, scoped to the specific concern, with at least sixty (60) days’ advance notice, and completed within two (2) business days. Baponi may object to an auditor that is a competitor. Audit findings are Confidential Information of both parties.

10. Data Protection Impact Assessments

Upon Customer’s reasonable request, Baponi shall provide Customer with information about the Services reasonably necessary to assist Customer in conducting a Data Protection Impact Assessment (DPIA) or prior consultation with a supervisory authority, to the extent that such information is available to Baponi and not already provided through the Agreement, this DPA, or the Privacy Policy.

11. International Data Transfers

To the extent that Baponi’s processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country without an adequate level of data protection, Baponi relies on the Standard Contractual Clauses (Module Two, Controller to Processor) as the primary transfer mechanism, supplemented by the technical and organizational measures described in Section 5. For transfers from the UK, the UK International Data Transfer Addendum applies. For transfers from Switzerland, the SCCs apply with modifications required under the FADP.

12. Return and Deletion of Data

12.1 During the Subscription

Customer may export and delete Personal Data from the Services at any time through the APIs and dashboard. Execution data (code, output) is automatically deleted when the per-sandbox retention period expires, as described in Section 7 of the Privacy Policy.

12.2 Upon Termination

Upon termination or expiration of the Agreement, Customer has the export period specified in Section 12.5 of the Agreement to export Personal Data. After the export period, Baponi shall delete Personal Data in the ordinary course of its data lifecycle operations, except: (a) to the extent Baponi is required to retain the data by applicable law (such as billing records required for tax compliance); (b) data in automated backup and disaster recovery systems, which shall be overwritten in the ordinary course of those systems’ retention cycles; and (c) anonymized, aggregated data that cannot identify any individual. Upon Customer’s written request, Baponi shall confirm in writing that deletion has been initiated in accordance with this Section, to the best of Baponi’s knowledge and excluding automated backup systems that operate on independent retention schedules.

12.3 Immutable Audit Logs

Customer acknowledges that audit logs are immutable by design and cannot be selectively deleted prior to expiration of the plan-tier retention period. Audit log data is permanently and automatically deleted when the retention period expires. This design serves the legitimate interest of both parties in maintaining tamper-proof security and compliance records.

13. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in Section 10 of the Agreement. Nothing in this DPA limits either party’s liability to Data Subjects under Applicable Data Protection Law to the extent such limitation would be prohibited by law.

14. Conflict

In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall prevail. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

15. Term

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate when Baponi ceases to process Personal Data on behalf of Customer, including completion of all deletion obligations under Section 12.


Schedule 1: Details of Processing

Categories of Data Subjects

  • Customer’s employees, contractors, and agents who are Authorized Users of the Services
  • Individuals whose Personal Data is included in Customer Code, Execution Output, or files submitted to the Services by Customer or Customer’s AI agents

Categories of Personal Data

As described in Section 1 of the Privacy Policy:

  • Account data: Name, email address, organization name, role, membership status
  • Authentication data: External user identifier from identity provider
  • Execution data: Customer Code, Execution Output (stdout, stderr), environment variables, thread identifiers, and user-provided metadata, to the extent these contain Personal Data
  • Audit data: Actor email address, IP address, user agent, action details
  • Configuration data: Connector credentials (encrypted at rest), webhook URLs, and sandbox settings, to the extent these contain Personal Data

Sensitive Data

Customer may submit sensitive or special category data to the Services only if Customer has conducted an appropriate risk assessment and implemented suitable safeguards. Baponi does not distinguish between sensitive and non-sensitive Personal Data in its processing; all Personal Data receives the same technical and organizational protections described in Section 5.

Nature and Purpose of Processing

Processing Personal Data as necessary to provide the Services under the Agreement, including:

  • Executing Customer Code in sandboxed Execution Environments
  • Storing and retrieving execution data (code, output, metadata) for the configured retention period
  • Authenticating Authorized Users and managing access permissions
  • Maintaining immutable audit logs for security and compliance
  • Injecting encrypted credentials into Execution Environments at runtime
  • Mounting Customer’s BYOB Storage into Execution Environments
  • Providing the APIs and dashboard for Customer’s use of the Services

Duration of Processing

For the term of the Agreement, plus any post-termination retention period as described in Section 12 of this DPA and Section 7 of the Privacy Policy.