1.Purpose
This Data Processing Addendum ("DPA") governs how Digital Business Partners ("DBP," "Processor") processes personal data on behalf of the Client ("Controller") in connection with delivering a purchased Audit. This DPA is incorporated into and forms part of the Terms of Service.
2.Data Processed
- Contact information of the Client's authorized representatives (name, email, phone, company)
- Client website content, configuration, and web-analytics data
- Advertising-account data (e.g., Meta Ads) and Google Business Profile data, which may include personal data of the Client's own end customers contained within those platforms
- Order and billing metadata (excluding card/banking credentials, which are handled by the payment provider)
DBP processes end-customer personal data only to the extent incidentally present in the advertising/analytics sources required to produce the deliverable, and not for any independent purpose.
3.Processing Instructions
DBP processes data solely on the Client's documented instructions — namely, to perform the purchased Audit and produce the report and implementation assets. DBP will not process Client data for any other purpose, including marketing, profiling, or sale to third parties.
4.Data Security
- Encrypted connections (TLS 1.2+) for all data in transit
- Access controls limiting data access to authorized DBP personnel only
- Read-only or least-privilege access to Client properties — no write/publish permissions
- Access reviews and prompt revocation of credentials upon Audit completion
5.Sub-processors
| Sub-processor | Function |
|---|---|
| Zoho Corporation (Commerce, CRM, Flow, Forms, Analytics, hosting) | Storefront, order & engagement management, intake, automation, data hosting |
| Stripe | Payment processing |
| PayPal | Payment processing |
DBP ensures sub-processors maintain equivalent data-protection standards. The Client will be notified of material sub-processor changes with at least fourteen (14) days' advance notice posted on this page.
6.Data Retention & Deletion
DBP retains Client data for up to twenty-four (24) months after delivery to support post-delivery questions and disputes [confirm with finance/legal]. Access credentials to Client properties are revoked promptly upon Audit completion. Upon the Client's written request, DBP will delete or return Client data within thirty (30) days, subject to legal retention obligations.
7.Cross-Border Transfers
Client data may be processed in the United States and, for Zoho sub-processors, in Zoho's designated data centers. Where data originates from the EU/EEA or UK, DBP ensures adequate safeguards consistent with GDPR Chapter V (e.g., Standard Contractual Clauses where applicable).
8.Data Subject Rights
To the extent DBP processes personal data subject to GDPR, CCPA, or equivalent laws, DBP will assist the Client in fulfilling data-subject requests (access, correction, deletion) within reasonable timelines. Requests: care@dbpgrowth.com.
9.Breach Notification
In the event of a confirmed data breach affecting Client data, DBP will notify the Client within seventy-two (72) hours of discovery, describing the breach, the data affected, and remediation steps taken.