Data Processing Addendum

Effective July 1, 2026. Last updated: March 9, 2021

BOTDOC DATA PROCESSING ADDENDUM

Table of Contents

  1. Definitions
  2. Scope and Roles
  3. Customer’s Instructions and Compliance Responsibilities
  4. Botdoc Obligations
  5. No Use of Customer Data for AI / ML Training
  6. Customer Obligations and Cooperation
  7. Subprocessors
  8. International Data Transfers
  9. Audits
  10. Return or Deletion of Customer Personal Data
  11. Liability
  12. State Privacy Law — Processor Duties
  13. Term, Conflict, and Order of Precedence

  Signature Block
  Schedule 1 — Authorized Subprocessors
  Schedule 2 — Information Security Measures
  Schedule 3 — EU Standard Contractual Clauses (SCCs), UK Addendum, and Swiss Adaptations

This Data Processing Addendum (this “DPA”) is entered into between ShortSave, Inc., a Colorado corporation doing business as Botdoc (“Botdoc”), with offices at 1909 Woodmoor Drive, Monument, Colorado 80132, and the customer named on the Order Form (“Customer”), as of the Effective Date of the Order Form. This DPA supplements and forms part of the Botdoc Master SaaS Agreement, Corporate Terms of Service, User Terms of Service, and/or API Terms of Service between the Parties, as applicable (collectively, the “Agreement”), and governs the Processing of Personal Data by Botdoc in connection with Customer’s use of the Services. Capitalized terms used and not defined in this DPA have the meanings set forth in the Agreement.

In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls, except as provided in § 13.

1. Definitions

For purposes of this DPA, the following terms have the meanings set forth below. Defined terms not defined in this DPA have the meanings set forth in the Agreement or, where indicated, in the corresponding Applicable Privacy Law.

1.1 “Applicable Privacy Laws” means all laws and regulations applicable to Botdoc’s or Customer’s Processing of Personal Data under this DPA, including without limitation:

  1. the U.S. Gramm-Leach-Bliley Act (“GLBA”) and the FTC Safeguards Rule (16 C.F.R. Part 314);

  2. the Health Insurance Portability and Accountability Act of 1996 and the HITECH Act of 2009 (“HIPAA”), where a Business Associate Agreement between the Parties is in effect;

  3. the Family Educational Rights and Privacy Act (“FERPA”), where a Student Data Addendum between the Parties is in effect;

  4. the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and its implementing regulations;

  5. the Colorado Privacy Act (“CPA”) and the rules of the Colorado Attorney General;

  6. the Connecticut Data Privacy Act (“CTDPA”), Virginia Consumer Data Protection Act (“VCDPA”), Utah Consumer Privacy Act (“UCPA”), Texas Data Privacy and Security Act (“TDPSA”), Oregon Consumer Privacy Act (“OCPA”), Florida Digital Bill of Rights (“FDBR”), Tennessee Information Protection Act (“TIPA”), Iowa Consumer Data Protection Act (“ICDPA”), Indiana Consumer Data Protection Act (“Indiana CDPA”), Montana Consumer Data Privacy Act (“Montana CDPA”), and other state comprehensive privacy laws as applicable;

  7. the EU General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”); the UK General Data Protection Regulation (“UK GDPR”); and the Swiss Federal Act on Data Protection (“Swiss FADP”);

  8. the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“SCCs”), the UK International Data Transfer Addendum to the SCCs (“UK Addendum” or “UK IDTA”), the Swiss equivalents, and the EU-U.S., UK-U.S., and Swiss-U.S. Data Privacy Framework (“DPF”), each to the extent applicable;

  9. Canadian PIPEDA and provincial equivalents, where applicable; and

  10. any other Applicable Law concerning the Processing of Personal Data and applicable to a Party’s performance under the Agreement.

1.2 “Authorized Affiliates” means any of Customer’s Affiliates that are permitted to or otherwise receive the benefit of the Services pursuant to the Agreement.

1.3 “CCPA Service Provider” has the meaning given in Cal. Civ. Code § 1798.140 (as amended by the CPRA).

1.4 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data; for purposes of the CCPA/CPRA this term corresponds to “Business,” and for purposes of the CPA and other state comprehensive privacy laws it corresponds to “Controller.”

1.5 “Customer Personal Data” means Personal Data contained within Customer Data or Customer Content that is Processed by Botdoc in connection with the Services on behalf of Customer.

1.6 “Customer Account Data” means Personal Data relating to Customer’s relationship with Botdoc, including names and contact information of Authorized Users and billing information.

1.7 “Customer Usage Data” means data Processed by Botdoc for the purposes of transmitting, distributing, or exchanging Customer Personal Data, including metadata such as telephone numbers, IP addresses, and communication timestamps. Customer Usage Data does not include the contents of Customer Personal Data.

1.8 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes a “Consumer” under the CCPA/CPRA, CPA, and other state privacy laws.

1.9 “Personal Data” has the meaning set forth in the Agreement, and includes “Personal Information,” “Personally Identifiable Information,” “Nonpublic Personal Information,” “Protected Health Information,” “Consumer Information,” “Education Records,” and similar terms as defined in the Applicable Privacy Laws.

1.10 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Botdoc; for purposes of state breach-notification laws, the term has the meaning given in the applicable state’s breach-notification statute as applied to the Customer Personal Data.

1.11 “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.12 “Processor” means an entity that Processes Personal Data on behalf of a Controller; for purposes of the CCPA/CPRA this term corresponds to “Service Provider.”

1.13 “Sale” and “Share” have the meanings given in the CCPA/CPRA.

1.14 “Sensitive Personal Information” or “Sensitive PI” has the meaning given to that term (or its functional equivalent — e.g., “Sensitive Data,” “Special Category Data”) under the Applicable Privacy Law at issue, including without limitation CCPA/CPRA § 1798.140(ae), CPA § 6-1-1303(24), VCDPA § 59.1-575, and EU GDPR Article 9.

1.15 “Subprocessor” means a third party engaged by Botdoc that Processes Customer Personal Data on behalf of Botdoc in connection with the Services.

1.16 “Supervisory Authority” means an independent public authority established under EU GDPR Article 51, the UK Information Commissioner’s Office, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), the U.S. Federal Trade Commission, a U.S. state attorney general or privacy regulator, or any other regulator with jurisdiction over a Party’s Processing of Personal Data.

2. Scope and Roles

2.1 Scope. This DPA applies to the Processing of Customer Personal Data by Botdoc in connection with the provision of the Services to Customer, including under any Order Form, SOW, or Affiliate Order Form.

2.2 Roles of the Parties — Customer Personal Data (Two-Track Framing). The Parties acknowledge and agree:

  (a) Customer Personal Data / Customer Content. With respect to the Processing of Customer Personal Data and Customer Content that Customer transmits through the Services, Customer is the Controller (and, where applicable, a “Business” under CCPA/CPRA, or a Processor acting on behalf of its own customers), and Botdoc is the Processor (and, where applicable, a “Service Provider” under CCPA/CPRA and a “Processor” under the CPA, EU GDPR, UK GDPR, Swiss FADP, and other Applicable Privacy Laws).

  (b) Customer Account Data and Customer Usage Data. With respect to the Processing of Customer Account Data and Customer Usage Data, Customer acts as Controller in respect of its own Authorized Users and Botdoc acts as an independent Controller (not a joint controller with Customer) for its limited business purposes of account administration, billing, fraud and abuse prevention, security, and service-operation telemetry. Each Party shall comply with Applicable Privacy Laws in respect of its own controller activities. Botdoc Processes Customer Account Data and Customer Usage Data consistent with its Privacy Policy at https://botdoc.io/privacy-policy/.

  (c) Customer-as-Processor Scenarios. Where Customer is itself a Processor or Service Provider on behalf of a third-party Controller, Customer warrants that it has the authority of the relevant Controller to engage Botdoc as a Subprocessor / sub-Service Provider and to bind such Controller to this DPA.

  (d) HIPAA Conduit. With respect to HIPAA, where Protected Health Information (“PHI”) is transmitted through the Services, Botdoc functions as a HIPAA Conduit as recognized in the HHS Office for Civil Rights “Conduit Exception” guidance (78 Fed. Reg. 5566, 5571–5572 (Jan. 25, 2013)), given the nature of the Services as an encrypted secure-transmission conduit with no routine access to unencrypted content (see § 4.2). If Customer (or a Customer client) determines that the Conduit Exception is not applicable to a particular use case, the Parties will execute Botdoc’s standard Business Associate Agreement (available at https://botdoc.io/business-associate-agreement/) before such use case is enabled, in which case the BAA controls over this DPA with respect to PHI as provided in § 13.2.

2.3 No Sale or Share. Botdoc does not Sell, Share, retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services for Customer as set forth in the Agreement and this DPA, including for any commercial purpose other than providing the Services. Botdoc does not combine Customer Personal Data with personal information that Botdoc receives from or on behalf of another person, or that Botdoc collects from its own interaction with the Data Subject, except where expressly permitted under CCPA/CPRA § 1798.140(ag)(1) (e.g., security incident detection, compliance with law, providing the services as instructed by the Business).

2.4 Compliance Certification. Botdoc certifies that it understands, and will comply with, the restrictions set forth in CCPA/CPRA § 1798.140(ag) and the corresponding restrictions imposed on Processors by the CPA, VCDPA, CTDPA, UCPA, TDPSA, OCPA, FDBR, TIPA, ICDPA, Indiana CDPA, Montana CDPA, and other state comprehensive privacy laws. Botdoc will notify Customer if Botdoc determines it can no longer meet its obligations under any such law.

3. Customer’s Instructions and Compliance Responsibilities

3.1 Documented Instructions. Botdoc will Process Customer Personal Data only on Customer’s documented instructions, including with respect to transfers to third countries, except where required to do so by Applicable Law; in such case, Botdoc will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA, the Order Form(s), and the Documentation) constitutes Customer’s complete and final instructions to Botdoc, and additional or alternative instructions must be agreed in writing.

3.2 Customer’s Responsibilities. Customer is responsible for (a) the accuracy, quality, integrity, and legality of Customer Personal Data, (b) the lawful basis for Customer’s collection and Processing of Customer Personal Data under Applicable Privacy Laws (including providing required notices and obtaining required consents from Data Subjects), (c) determining whether the Services are appropriate for the categories of Personal Data and the use cases Customer enables, (d) configuring the Services in accordance with the Documentation, and (e) compliance with Customer’s obligations as a Controller under Applicable Privacy Laws.

3.3 No Special Category / Sensitive Personal Information. Customer will not Process or transmit through the Services any categories of Personal Data that fall within “special category” data under the EU GDPR (Article 9), or that fall within “Sensitive Personal Information” or its equivalent under the CCPA/CPRA, the CPA, or other Applicable Privacy Laws, unless (a) Customer has confirmed in writing that the Services are appropriate for such categories, and (b) Customer has complied with the heightened consent, notice, and security requirements applicable to such categories.

The Parties acknowledge that paystub data, financial-account information, and similar financial documents are “Personal Information” but are not “Sensitive Personal Information” under CCPA/CPRA (which excludes financial-account information from Sensitive PI in most contexts under § 1798.140(ae)); Customer is responsible for confirming the applicability of similar exclusions under other Applicable Privacy Laws. This carve-out is intended to preserve Customer’s lawful transmission of paystubs, payoff documents, deal jackets, financial disclosures, and similar documents typical in the financial services, automotive, and lending verticals.

4. Botdoc Obligations

4.1 Confidentiality of Personnel. Botdoc will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations (whether by contract or by law) and have received privacy and security training. Botdoc agrees not to disclose Personal Data Processed under this DPA except: (a) at the direction of Customer; (b) as required to perform Botdoc’s obligations under the Agreement; or (c) as required by applicable law, in which case Botdoc shall notify Customer to the extent legally permitted.

4.2 Conduit Posture; Minimization; Routine Deletion. Botdoc operates the Services as an encrypted secure-transmission conduit. Customer Personal Data is encrypted in transit, transmitted to the recipient designated by Customer, and is not persisted on Botdoc’s systems following successful delivery (or, if Customer has elected a different retention period in the applicable Order Form, following the elected retention period). Botdoc does not, in the ordinary course of providing the Services, access, read, scan, mine, monitor, profile, or sell Customer Personal Data, and no Botdoc personnel have routine access to the unencrypted content of Customer Personal Data. Botdoc retains only Customer Usage Data and Service Metadata necessary to operate the Services, investigate security incidents, comply with Applicable Law, and meet its audit obligations. This conduit posture is the basis for Botdoc’s HIPAA Conduit framing in § 2.2(d).

4.3 Security Measures. Botdoc has implemented and will maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Schedule 2 (Information Security Measures) to this DPA and in the corresponding Exhibit / Schedule to the Agreement. Such measures meet or exceed the requirements of (a) the GLBA and FTC Safeguards Rule, (b) EU GDPR Article 32, (c) CCPA/CPRA § 1798.100(e), (d) the CPA’s security requirements, (e) the HIPAA Security Rule (where applicable), and (f) industry-standard frameworks including the NIST Cybersecurity Framework 2.0 and SOC 2 Type II.

4.4 Subprocessors. Botdoc’s engagement of Subprocessors is governed by Section 7 below.

4.5 Assistance with Data Subject Requests. Taking into account the nature of the Processing, Botdoc will assist Customer through appropriate technical and organizational measures (including, where reasonably practicable, the Service Metadata and configuration controls made available through the Services) to enable Customer to fulfill its obligations under Applicable Privacy Laws to respond to Data Subject Requests, including requests to access, rectify, restrict, port, or delete Personal Data, and to opt out of Sale, Share, targeted advertising, or profiling. Customer acknowledges that, because Botdoc does not retain Customer Personal Data following successful transmission (see § 4.2), Botdoc’s principal mode of assistance is providing Service Metadata, transmission logs, and configuration documentation; Botdoc does not maintain Data Subject-addressable copies of Customer Personal Data that could be returned, corrected, or deleted in response to a Data Subject Request directed to Botdoc.

4.6 Data Subject Requests Directed to Botdoc. If Botdoc receives a Data Subject Request, inquiry, or complaint from a Data Subject, regulator, or third party directed to Customer’s data, Botdoc will, except where prohibited by Applicable Law, (a) promptly inform the Data Subject that the request should be made to Customer, (b) provide Customer’s general contact information if publicly known, and (c) inform Customer of the request so that Customer may respond. Botdoc will not respond directly to such Data Subject Requests except as instructed by Customer or as required by Applicable Law.

4.7 Assistance with DPIAs / PIAs and Regulator Consultation. Where required by Applicable Privacy Laws, Botdoc will, at Customer’s reasonable expense, provide Customer with the information reasonably available to Botdoc and necessary for Customer to (a) conduct data protection impact assessments and privacy impact assessments, and (b) consult with Supervisory Authorities.

4.8 Personal Data Breach Notification. Botdoc will notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation, after Botdoc becomes aware of a Personal Data Breach affecting Customer Personal Data. The notification will be sent to the notice contact in Customer’s Order Form and will contain, to the extent known at the time and consistent with Botdoc’s ongoing investigation, (a) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and records concerned, (b) the likely consequences of the Personal Data Breach, (c) the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate possible adverse effects, and (d) the name and contact details of the Botdoc data protection point of contact from whom further information can be obtained. Botdoc will provide updates as additional information becomes available and will reasonably cooperate with Customer’s investigation. Botdoc’s notification of a Personal Data Breach is not, and may not be construed as, Botdoc’s admission of fault or liability.

4.9 Records of Processing. Botdoc maintains records of Processing activities on behalf of Customer to the extent required by EU GDPR Article 30(2) and other Applicable Privacy Laws. Botdoc will make these records available to Customer or, where required, to a competent Supervisory Authority, upon reasonable written request, subject to Botdoc’s confidentiality and security requirements.

5. No Use of Customer Data for AI / ML Training

5.1 Prohibition. Botdoc will not use Customer Personal Data, Customer Content, Customer Account Data, or Customer Usage Data to train, develop, fine-tune, evaluate, validate, benchmark, or improve any artificial intelligence, machine learning, large language, generative, foundation, or similar model — whether internally developed by Botdoc or provided by a third party — for the benefit of any party other than Customer.

5.2 Subprocessor Flow-Down. Botdoc will impose this prohibition contractually on its Subprocessors that have any access to Customer Personal Data or Customer Content, and Botdoc will not authorize any Subprocessor to use Customer Personal Data, Customer Content, Customer Account Data, or Customer Usage Data for AI/ML training purposes.

5.3 Permitted Aggregated / De-Identified Analytics. Notwithstanding § 5.1, Botdoc may use aggregated, anonymized, or de-identified usage statistics derived from operation of the Services for product improvement, security, fraud detection, and analytics purposes, provided that such data (a) cannot reasonably be used, alone or in combination, to identify Customer, any Authorized User, any Data Subject, or any Customer Content, and (b) does not include the contents of Customer Personal Data or Customer Content. Botdoc will maintain reasonable technical and organizational safeguards against re-identification consistent with CCPA/CPRA § 1798.140(m) and the EDPB’s guidance on anonymization.

6. Customer Obligations and Cooperation

6.1 Customer is responsible for (a) maintaining a lawful basis for the Processing of Customer Personal Data through the Services, (b) providing required notices to Data Subjects (including any notice that Personal Data will be Processed by a Service Provider / Processor), (c) responding to Data Subject Requests directed to Customer, (d) maintaining accuracy of recipient identifiers (e.g., phone numbers and email addresses for Service delivery), (e) suppressing recipients on Customer’s “do not contact” or opt-out lists, and (f) configuring the Services in accordance with the Documentation.

6.2 Customer will not knowingly transmit through the Services any Personal Data that (a) it does not have a lawful basis to Process, (b) is subject to a Data Subject’s exercised opt-out or deletion request, or (c) is prohibited by Applicable Privacy Laws.

6.3 Customer will ensure that its instructions to Botdoc comply with Applicable Privacy Laws, and that Botdoc’s Processing of Customer Personal Data in accordance with those instructions will not cause Botdoc to violate any Applicable Law.

7. Subprocessors

7.1 Authorization. Customer authorizes Botdoc to engage the Subprocessors listed in Schedule 1 (Authorized Subprocessors) for the Processing of Customer Personal Data in connection with the Services. The current Subprocessor list is also published at https://botdoc.io/botdoc-subprocessors/ and is updated as Subprocessors change.

7.2 New Subprocessors. Botdoc will provide at least thirty (30) days’ prior notice of any new Subprocessor that will Process Customer Personal Data (the “Subprocessor Notice”). Notice may be given by updating the published Subprocessor list and providing email notification to Customer’s Account Manager or notice contact. Customer may, within fifteen (15) days of receipt of the Subprocessor Notice, object to the engagement of the new Subprocessor on reasonable data-protection grounds. The Parties will work in good faith to address Customer’s objection, including by Botdoc proposing alternative measures or, in the absence of a mutually acceptable resolution, by Customer’s right to terminate the affected Order Form for the affected Services without further liability (other than payment of Fees accrued through the date of termination). Where the new Subprocessor is engaged as an emergency replacement for an existing Subprocessor (e.g., due to bankruptcy, security incident, or non-performance of the existing Subprocessor), the notice period may be shortened to a commercially reasonable timeframe.

7.3 Subprocessor Obligations. Botdoc will enter into a written agreement with each Subprocessor that imposes data-protection obligations on the Subprocessor that are no less protective than those imposed on Botdoc under this DPA, in compliance with EU GDPR Article 28(4) and equivalent Applicable Privacy Laws, including the AI/ML training prohibition in § 5.

7.4 Botdoc Liability for Subprocessors. Botdoc remains liable to Customer for the performance of its Subprocessors’ obligations under this DPA, to the same extent as if Botdoc had performed the relevant Processing directly, subject to the limitations of liability in § 11.

8. International Data Transfers

8.1 Geographic Location of Processing. Botdoc Processes Customer Personal Data primarily in data centers located within the United States (Microsoft Azure, US region; Central US by default with alternative US regions available for redundancy, disaster recovery, and customer-specific deployments).

8.2 Transfer Mechanism — DPF First. Where Customer Personal Data subject to the EU GDPR, UK GDPR, or Swiss FADP is transferred from the European Economic Area, the United Kingdom, or Switzerland to Botdoc in the United States, the Parties agree to rely on the following transfer mechanisms, in the following order of precedence:

  1. EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (the “DPF”) — Primary Mechanism. Botdoc is self-certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, as administered by the U.S. Department of Commerce’s International Trade Administration. Botdoc’s active certification is maintained on the Data Privacy Framework List at https://www.dataprivacyframework.gov/list. To the extent the DPF applies as a lawful transfer mechanism for the relevant transfer, Botdoc will comply with the applicable DPF Principles with respect to such Personal Data, and this mechanism takes precedence over the SCCs and UK Addendum.

  2. EU Standard Contractual Clauses (SCCs) — Fallback. Where the DPF is, in respect of the relevant transfer, invalidated, suspended, or otherwise unavailable, or where a transfer is not within the scope of Botdoc’s DPF certification, the EU SCCs (Commission Implementing Decision (EU) 2021/914) attached as Schedule 3 to this DPA apply. Module Two (Controller-to-Processor) is the default; Module Three (Processor-to-Processor) applies where Customer is itself a Processor on behalf of a third-party Controller. SCC governing law and forum are locked to the law of Ireland and the courts of Ireland (see Schedule 3) regardless of where the data exporter is established, in order to provide a single, predictable forum.

  3. UK Addendum / IDTA — UK Transfers Fallback. For transfers from the United Kingdom not covered by the UK Extension to the EU-U.S. DPF (or where that mechanism is unavailable or invalidated), the UK International Data Transfer Addendum to the EU SCCs (the “UK Addendum” or “UK IDTA”) applies, with the EU SCCs (as configured in Schedule 3) forming the Approved EU SCCs for the purposes of the UK Addendum.

  4. Swiss Adaptations — Swiss Transfers Fallback. For transfers from Switzerland not covered by the Swiss-U.S. DPF, the SCCs apply with the Swiss adaptations described in Schedule 3.

8.3 Transfer Impact Assessment. Botdoc will provide Customer, upon reasonable written request, with information necessary for Customer to conduct a transfer impact assessment.

8.4 Onward Transfers. Onward transfers by Botdoc to Subprocessors located outside the United States, where applicable, are subject to (a) the DPF onward-transfer principles, and (b) Botdoc’s contractual obligations to the relevant Subprocessor under § 7.3.

9. Audits

Botdoc’s audit obligations under the Agreement apply to this DPA. Customer’s audit rights with respect to this DPA are exercised through the following tiered structure:

  (a) SOC 2 Type II. Botdoc’s current SOC 2 Type II report, made available under NDA upon written request to support@botdoc.io.

  (b) Annual Security Questionnaire. Botdoc’s responses to Customer’s annual vendor risk / security questionnaire, completed within a commercially reasonable time after Customer’s written request.

  (c) Compliance Portfolio. Botdoc’s published Botdoc Compliance Portfolio (the 20-document due-diligence package), made available under NDA upon written request to support@botdoc.io.

  (d) Customer-Conducted Audit. Where (a)–(c) are reasonably determined by Customer to be insufficient for an audit obligation imposed on Customer by Applicable Privacy Law or by a Supervisory Authority with direct jurisdiction over Customer, a Customer-conducted audit subject to the following conditions: (i) no more than once per twelve (12) months; (ii) thirty (30) days’ prior written notice; (iii) conducted during normal business hours; (iv) limited to information reasonably necessary to verify Botdoc’s compliance with this DPA; (v) conducted in a manner that does not unreasonably interfere with Botdoc’s business operations; (vi) subject to appropriate confidentiality controls and Botdoc’s reasonable security and access policies; (vii) at Customer’s expense, including reimbursement to Botdoc for personnel time at Botdoc’s then-current professional services rates, except that Botdoc will reimburse Customer’s reasonable, documented audit costs (and waive its own personnel-time charges) only where the audit identifies a material breach by Botdoc of this DPA; and (viii) audit reports are treated as Botdoc Confidential Information under the Agreement.

Regulator-Directed Audits. Audits triggered by a Supervisory Authority’s lawful directive may be conducted without regard to the frequency limitation in (d)(i), but remain subject to the remaining conditions in (d)(ii)–(viii) to the extent consistent with the regulator’s directive.

The Parties acknowledge that the SCCs and the UK Addendum (where applicable) include separate audit cooperation obligations that apply directly to those instruments.

10. Return or Deletion of Customer Personal Data

10.1 Routine Deletion. As described in § 4.2 of this DPA and the corresponding data-handling provisions of the Agreement, Customer Personal Data is deleted from Botdoc’s systems in the ordinary course of providing the Services, generally immediately following successful transmission. As a result, the Parties acknowledge that the Personal Data Processed by Botdoc is, in most cases, already deleted at the time of termination of the Agreement. Botdoc does not persistently store Customer Personal Data in the ordinary course of providing the Services.

10.2 End-of-Service Deletion. Upon termination or expiration of the Agreement (or upon Customer’s earlier written request), Botdoc will, within sixty (60) days, delete or, at Customer’s election, return all then-existing Customer Personal Data (which will, in the ordinary course, consist solely of any optional-retention transmissions still within their elected retention window and any Service Metadata or Customer Usage Data that contains Personal Data). Botdoc will ensure that Subprocessors are subject to equivalent return or deletion obligations.

10.3 Exceptions. Notwithstanding § 10.2, Botdoc may retain Customer Personal Data to the extent required by Applicable Law, in connection with a litigation hold or pending or threatened legal matter, or in routine backup and disaster-recovery systems pending overwrite in the ordinary cycle. Such retained Customer Personal Data remains subject to this DPA’s confidentiality and security obligations.

11. Liability

11.1 Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Limitation of Liability section of the Agreement, including the General Cap (trailing twelve (12) months of Fees), the Data Security Super-Cap (two times (2×) the General Cap), and the uncapped exclusions (Customer payment obligations; Customer’s indemnification obligations; either Party’s willful misconduct or fraud; either Party’s gross negligence; and liability that cannot be limited by law). For clarity, the Data Security Super-Cap is the aggregate cap on each Party’s liability for breaches of the Agreement’s data-security obligations and this DPA; the Data Security Super-Cap is not additive to the General Cap.

11.2 Indemnification. The indemnification provisions of the Agreement apply to Claims arising out of or related to this DPA. For clarity, Customer’s indemnification obligations under the Agreement include Claims arising out of Customer’s breach of its obligations under this DPA (including §§ 3, 6, and 8), and Botdoc’s indemnification obligations under the Agreement extend to Claims arising out of Botdoc’s breach of its obligations under this DPA only insofar as they fall within the scope of an indemnity expressly set forth in the Agreement.

12. State Privacy Law — Processor Duties

To the extent Applicable Privacy Laws include the CPA, VCDPA, CTDPA, UCPA, TDPSA, OCPA, FDBR, TIPA, ICDPA, Indiana CDPA, Montana CDPA, or any other comprehensive U.S. state privacy law imposing duties on Processors, Botdoc, as a Processor on behalf of Customer:

  1. Purpose Limitation. Will Process Customer Personal Data covered by such laws only for the purposes specified in this DPA and the Agreement, and only in accordance with Customer’s documented instructions, consistent with the duties imposed on processors under, among others, Colorado Privacy Act § 6-1-1305 and Virginia Consumer Data Protection Act § 59.1-579.

  2. Deletion / Return on Instruction. Will, at Customer’s direction, delete or return Customer Personal Data covered by such laws on completion of the Processing, subject to the routine-deletion regime in § 10 and the exceptions in § 10.3.

  3. Confidentiality / Personnel. Will ensure that personnel with access to Customer Personal Data are subject to a duty of confidentiality consistent with § 4.1.

  4. Subcontracting / Flow-Down. Will engage Subprocessors only in accordance with § 7, and will impose contractual data-protection obligations on each Subprocessor that are no less protective than those in this DPA, including the obligations specific to processors under the applicable state laws.

  5. Cooperation and Assessment. Will provide reasonable cooperation and information to Customer (at Customer’s reasonable expense where the request goes beyond Botdoc’s standard tooling) to enable Customer to (i) respond to Data Subject Requests; (ii) conduct data protection assessments / impact assessments where required (e.g., CPA § 6-1-1309, VCDPA § 59.1-580); and (iii) demonstrate compliance with applicable processor duties.

  6. Availability of Information. Will make available to Customer information reasonably necessary to demonstrate Botdoc’s compliance with its obligations as a Processor under the applicable state law, consistent with the audit regime in § 9.

  7. Audit / Assessment Cooperation. Will, on reasonable request, allow for and contribute to assessments or audits conducted by Customer (or Customer’s designated assessor) of Botdoc’s policies and technical and organizational measures relevant to the Processing, subject to the conditions in § 9(d).

  8. CCPA/CPRA Service Provider Obligations. To the extent Botdoc Processes Personal Data of California residents as a “Service Provider” or “Contractor” under CCPA/CPRA on behalf of Customer, Botdoc will not: (i) Sell or Share such Personal Data; (ii) retain, use, or disclose such Personal Data for any purpose other than the specific business purposes set forth in this DPA and the Agreement; (iii) retain, use, or disclose such Personal Data outside the direct business relationship between Botdoc and Customer; or (iv) combine such Personal Data with Personal Data received from or on behalf of another person or persons, or collected from its own interaction with consumers, except as expressly permitted by CCPA/CPRA § 1798.140(ag)(1). Botdoc certifies it understands these restrictions and will comply.

13. Term, Conflict, and Order of Precedence

13.1 Term. This DPA is effective from the Effective Date of the Order Form to which it relates (or, where this DPA is incorporated into a click-through or general-terms posture, from the Effective Date of the Agreement) and continues until all such Order Forms or Agreements have terminated or expired, except that provisions that by their nature should survive (including obligations regarding confidentiality, security of retained Personal Data, post-termination deletion, and limitations of liability) survive termination.

13.2 Order of Precedence — General. The order of precedence is: (1) any executed Business Associate Agreement (with respect to PHI only); (2) the Master SaaS Agreement, where applicable; (3) this DPA; (4) the applicable Order Form; (5) the applicable Terms of Service; and (6) the Acceptable Use Policy and other policies. In the event of a conflict between this DPA and the Agreement (including any Order Form) with respect to the Processing of Personal Data, this DPA controls with respect to the matters it addresses, except as follows:

  1. SCCs / UK Addendum. The SCCs and UK Addendum (and Swiss adaptations, as applicable) control over inconsistent provisions of this DPA with respect to the transfers they govern.

  2. BAA. With respect to HIPAA-covered Processing, the Business Associate Agreement, if executed, controls over this DPA.

13.3 Updates to DPA. Botdoc may update this DPA from time to time (a) to reflect changes in Applicable Privacy Laws, (b) to incorporate updates to the SCCs, UK Addendum, or other approved transfer mechanisms, or (c) to reflect changes in industry practice, provided that any update will not materially diminish Customer’s rights or Botdoc’s obligations with respect to the protection of Customer Personal Data without Customer’s prior written consent. For non-material updates (e.g., administrative corrections, URL updates, Subprocessor list changes), Botdoc will post the updated DPA at https://botdoc.io/data-processing-addendum/ and update the effective date. For material changes, Botdoc will provide at least thirty (30) days’ prior email notice to Customer’s Account Manager or notice contact; if Customer objects to a material change, Customer’s sole remedy is to terminate the affected Order Form effective on the change date.

13.4 Governing Law. Without prejudice to the SCCs, UK Addendum, or Swiss adaptations (which are governed as set forth in Schedule 3), this DPA is governed by the law of the State of Colorado, consistent with the Agreement, with venue in El Paso County, Colorado (or in arbitration in Denver, Colorado) as provided in the Agreement.

13.5 General. All other provisions of the Agreement (including assignment, notices, dispute resolution, and general provisions) apply to this DPA. This DPA, together with the SCCs and UK Addendum (where applicable), constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior data processing addenda between the Parties.

SIGNATURE BLOCK

SHORTSAVE, INC., a Colorado corporation doing business as BOTDOC

Signature: _____________________________________
Name: Karl Falk
Title: Chief Executive Officer
Address: 1909 Woodmoor Drive, Monument, Colorado 80132
Email: support@botdoc.io
Date: _____________________

CUSTOMER

Signature: _____________________________________
Name: _____________________________________
Title: _____________________________________
Company: _____________________________________
Date: _____________________

SCHEDULE 1 — Authorized Subprocessors

The following Subprocessors are authorized as of the Effective Date. The current list is also maintained at https://botdoc.io/botdoc-subprocessors/.

Subprocessor | Function | Country of Processing
Microsoft Azure (Microsoft Corporation) | Cloud infrastructure: compute, storage, networking, database, backup | United States (multiple US regions)
Twilio Inc. | SMS delivery (US local, US toll-free) | United States
Auth0 (Okta, Inc.) | Identity, single sign-on, and access management | United States
Authorize.Net (Visa) | Payment processing (where Customer elects payment workflows) | United States
Stripe, Inc. | Payment processing (where Customer elects payment workflows) | United States

Subprocessors for international SMS, short code, identity verification, e-signature, and similar use-case-specific functions are engaged as use cases are enabled; new Subprocessors are notified per § 7.2.

SCHEDULE 2 — Information Security Measures

The technical and organizational measures set forth in the Agreement (and any Security Exhibit / Schedule thereto) are incorporated into this DPA by reference and constitute Botdoc’s technical and organizational measures for purposes of EU GDPR Article 32 and equivalent Applicable Privacy Laws. The Parties acknowledge in particular:

  • Encryption in transit: TLS 1.2 or higher (TLS 1.3 preferred where supported by endpoint), strong cipher suites only.
  • Encryption at rest: AES-256 (or stronger) for any persisted Customer Personal Data, Customer Usage Data, and Service Metadata.
  • Access controls: Role-based access; least-privilege; multi-factor authentication on production systems; no routine personnel access to unencrypted content of Customer Personal Data.
  • Network security: Auto-scaling firewalls, DDoS protection, traffic filtering, and annual third-party penetration testing.
  • Logging and monitoring: Centralized security and audit logging; 24×7 monitoring; defined alerting on security events.
  • Application security: Static and dynamic application scans; OWASP Top Ten alignment; secure SDLC.
  • Vulnerability management: Patching SLAs (critical 7 days, high 30 days, medium 90 days).
  • Incident response: Documented IR plan; 72-hour breach notification per § 4.8.
  • SOC 2 Type II: Maintained annually by an independent third-party auditor; report available under NDA.
  • NIST Cybersecurity Framework 2.0 alignment.
  • PCI DSS compliance maintained where Customer elects payment workflows.
  • HIPAA Security Rule compliance where a BAA is in effect.
  • GLBA / FTC Safeguards Rule (16 C.F.R. Part 314) compliance.
  • FERPA compliance where a Student Data Addendum is in effect.
  • GDPR / UK GDPR / Swiss FADP processing-and-transfer control framework.
  • EU-U.S. DPF, UK Extension, Swiss-U.S. DPF active self-certification (https://www.dataprivacyframework.gov/list).
  • Hosting on Microsoft Azure with underlying physical/environmental controls audited under Azure’s SOC 1/2/3, ISO 27001, ISO/IEC 27017, and FedRAMP certifications; Azure is disclosed as a subservice organization in Botdoc’s SOC 2 report.

SCHEDULE 3 — EU Standard Contractual Clauses (SCCs), UK Addendum, and Swiss Adaptations

3.1 EU SCCs. Where required by EU GDPR for transfers of Customer Personal Data from the European Economic Area to Botdoc in the United States and the DPF is unavailable or inapplicable, the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “SCCs”) apply. Module Two (Controller-to-Processor) is the default; Module Three (Processor-to-Processor) applies where Customer is itself a Processor on behalf of a third-party Controller. The following selections apply:

  • Clause 7 (Docking Clause): Applicable.
  • Clause 9 (Subprocessors): Option 2 — General Written Authorization with thirty (30) days’ advance notice of new Subprocessors per § 7.2 of this DPA.
  • Clause 11 (Redress): Optional independent-resolution clause not applicable.
  • Clause 13 (Supervision): Where Module Two applies and the data exporter is established in the EEA, the competent Supervisory Authority is the Irish Data Protection Commission.
  • Clause 17 (Governing Law): The SCCs are governed by the law of Ireland, regardless of where the data exporter is established.
  • Clause 18 (Choice of Forum and Jurisdiction): Disputes arising from the SCCs will be resolved by the courts of Ireland.
  • Annex I.A (Parties): Customer is the Data Exporter / Controller (or Processor under Module Three); Botdoc is the Data Importer / Processor (or Sub-Processor under Module Three).
  • Annex I.B (Description of Transfer): The categories of Data Subjects, categories of Personal Data, special category data (if any, subject to § 3.3), frequency, nature, purpose, retention, and Subprocessors are as set forth in this DPA and the Order Form.
  • Annex I.C (Competent Supervisory Authority): Irish Data Protection Commission.
  • Annex II (Technical and Organizational Measures): As set forth in Schedule 2 to this DPA.
  • Annex III (Subprocessors): As set forth in Schedule 1 to this DPA and at https://botdoc.io/botdoc-subprocessors/.

3.2 UK Addendum. Where required by UK GDPR for transfers of Customer Personal Data from the United Kingdom to Botdoc in the United States and the UK Extension to the EU-U.S. DPF is unavailable or inapplicable, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the “UK Addendum” or “UK IDTA”) applies, with Table 1 (Parties), Table 2 (Selected SCCs, Modules, and Selected Clauses, as in § 3.1 above), Table 3 (Appendix Information, as in Annexes I–III above), and Table 4 (which Party may end the Addendum: Importer and Exporter) completed accordingly.

3.3 Swiss Adaptations. For transfers subject to the Swiss FADP and not covered by the Swiss-U.S. DPF, the SCCs apply with the modifications recognized by the Swiss FDPIC: references to EU GDPR are read as also referring to the FADP; references to EU Member State Supervisory Authorities and courts include the Swiss FDPIC and Swiss courts; and the Clauses protect Data Subjects whose data is transferred from Switzerland.

3.4 Order of Precedence. The SCCs (and UK Addendum and Swiss adaptations, as applicable) prevail over any inconsistent provisions of this DPA or the Agreement with respect to the transfers they govern.

— END OF DATA PROCESSING ADDENDUM —
