Data Processing Addendum

Version 1.0 · Last updated: May 12, 2026 · Effective: May 12, 2026

This Data Processing Addendum (the "DPA") forms part of and is incorporated into the BHmetrics Terms of Service (the "Agreement") between you ("Customer", "you", "Controller") and Choclement LLC, doing business as BHmetrics("Choclement", "we", "BHmetrics", "Processor"). This DPA governs the Processing of Personal Data by Choclement on Customer's behalf in the course of providing the Service (as defined in the Agreement).

This DPA reflects the parties' agreement on the Processing of Personal Data in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data-protection laws (collectively, "Data Protection Laws").

By using the Service after the effective date of this DPA, Customer accepts and agrees to be bound by this DPA. To request a counter-signed copy, email [email protected].

1. Definitions

Capitalized terms not defined here have the meanings in the Agreement or Data Protection Laws.

"Personal Data" means any information that relates to an identified or identifiable natural person, including "personal information" under the CCPA/CPRA, "personal data" under the GDPR, and "pseudonymized" identifiers where they remain capable of identification.
"Customer Personal Data" means Personal Data contained within Customer Data (as defined in the Agreement) that Customer (or its end customers, vendors, or affiliates) submits to or generates through the Service and that Choclement Processes on Customer's behalf.
"Process" / "Processing" has the meaning given in Article 4(2) GDPR.
"Controller", "Processor", "Data Subject", "Supervisory Authority", "Personal Data Breach" have the meanings given in Article 4 GDPR (or the equivalent under other Data Protection Laws — e.g., "Business", "Service Provider", and "Consumer" under the CCPA/CPRA).
"Subprocessor" means any third party engaged by Choclement to Process Customer Personal Data.
"SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs, version B1.0, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
"Swiss FDPIC" means the Swiss Federal Data Protection and Information Commissioner.
"Restricted Transfer" means a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not benefiting from an adequacy decision.

2. Scope, roles, and duration

2.1 Roles

With respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself a Processor for a third-party Controller, a Processor) and Choclement is the Processor (or, as applicable, a Subprocessor). Under the CCPA/CPRA, Customer is the "Business" and Choclement is a "Service Provider". The parties also acknowledge that, in relation to certain Personal Data that Choclement Processes for its own purposes (such as account-management, billing, security, fraud-prevention, and product-improvement data described in our Privacy Policy), Choclement is an independent Controller and this DPA does not apply to that Processing.

2.2 Customer's instructions

Choclement will Process Customer Personal Data only on documented instructions from Customer, as set out in the Agreement, this DPA, Customer's configuration of the Service, and any additional written instructions Customer gives. Choclement will inform Customer if it believes an instruction violates Data Protection Laws.

2.3 Service Provider obligations (CCPA/CPRA)

Choclement will: (a) Process Customer Personal Data only for the limited and specified purposes set out in the Agreement and this DPA; (b) comply with applicable obligations under the CCPA/CPRA, including providing the same level of privacy protection as required of Businesses; (c) not Sell or Share (as those terms are defined under the CCPA/CPRA) Customer Personal Data; (d) not retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties or for any commercial purpose other than the Business Purpose, except as permitted by the CCPA/CPRA; (e) not combine Customer Personal Data with Personal Data from other sources except as permitted under CCPA Regulation § 7050(b); (f) notify Customer if Choclement determines it can no longer meet its obligations under the CCPA/CPRA; and (g) grant Customer the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

2.4 Duration

This DPA applies for as long as Choclement Processes Customer Personal Data under the Agreement.

2.5 Details of Processing

The subject matter, nature, purpose, categories of Data Subjects, and categories of Personal Data are described in Schedule 1 (Details of Processing).

3. Confidentiality of Processing

Choclement will ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under appropriate statutory obligations of confidentiality, and have received appropriate data-protection training. Access is restricted to those personnel who need it to perform the Agreement.

4. Security of Processing

Choclement will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Customer Personal Data, including the measures specified in Schedule 2 (Technical and Organizational Measures). Choclement may update these measures from time to time, provided that the updated measures continue to provide at least an equivalent level of protection.

5. Subprocessors

5.1 General authorization

Customer grants Choclement a general authorization to engage Subprocessors to Process Customer Personal Data, subject to this Section 5. A current list of Subprocessors is published at /legal/subprocessors and incorporated by reference.

5.2 Notice and objection

Choclement will give Customer at least thirty (30) days' advance notice (by in-product banner, email, or update to the Subprocessors page) before authorizing any new Subprocessor to Process Customer Personal Data, or before replacing a Subprocessor with another. Customer may, within fifteen (15) days after receipt of notice, object on reasonable data-protection grounds by emailing [email protected]. The parties will discuss the objection in good faith. If Choclement cannot accommodate the objection without materially affecting the Service, Customer may terminate the affected portion of the Service on written notice; Choclement will refund any prepaid, unused fees attributable to the terminated portion on a pro-rata basis.

5.3 Flow-down

Choclement will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA, including by incorporating the SCCs and UK Addendum where required by a Restricted Transfer. Choclement remains liable to Customer for the acts and omissions of its Subprocessors with respect to Customer Personal Data, to the extent set out in this DPA and the Agreement.

6. Data Subject Rights

Choclement will, taking into account the nature of the Processing, provide reasonable assistance — by appropriate technical and organizational measures, insofar as possible — to enable Customer to respond to Data Subject requests to exercise rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making under Data Protection Laws.

If Choclement receives a Data Subject request relating to Customer Personal Data, Choclement will not respond directly (except to acknowledge receipt and to inform the Data Subject that the request must be made to Customer) and will forward the request to Customer without undue delay.

Customer is responsible for verifying and responding to Data Subject requests; Customer will reimburse Choclement for reasonable costs of any extraordinary assistance Choclement provides beyond what is available through self-service in the Service.

7. Personal Data Breach

Choclement will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known: (a) describe the nature of the Personal Data Breach, the categories and approximate number of Data Subjects, and the categories and approximate number of records concerned; (b) provide the name and contact details of a point of contact; (c) describe the likely consequences; and (d) describe measures taken or proposed to address and mitigate the Personal Data Breach. Choclement will provide reasonable assistance to Customer in fulfilling Customer's notification and communication obligations under Data Protection Laws. Choclement's notification or response to a Personal Data Breach is not an acknowledgement of fault or liability.

8. Data Protection Impact Assessments and prior consultation

Choclement will provide Customer with reasonable assistance, taking into account the nature of Processing and the information available to Choclement, with any data protection impact assessment ("DPIA") and prior consultation with Supervisory Authorities that Customer is required to carry out under Data Protection Laws (GDPR Articles 35–36 and equivalents). Choclement may charge Customer reasonable fees for material assistance beyond making available standard product documentation.

9. International data transfers

9.1 General

Customer authorizes Choclement to transfer and Process Customer Personal Data in the United States and other countries in which Choclement or its Subprocessors operate, subject to the safeguards in this Section 9.

9.2 EU SCCs

Where Choclement Processes Customer Personal Data originating from the European Economic Area in a Restricted Transfer, the SCCs are incorporated into this DPA by reference and completed as follows:

Module Two (Controller-to-Processor) applies where Customer is a Controller of Customer Personal Data.
Module Three (Processor-to-Processor) applies where Customer is itself a Processor of Customer Personal Data on behalf of a third-party Controller.
Clause 7 (Docking Clause) is included.
Clause 9 (Subprocessors): Option 2 (general authorization) with the notice period in Section 5.2 of this DPA.
Clause 11 (Independent dispute resolution): the optional language is not included.
Clause 17 (Governing law): the laws of the Republic of Ireland.
Clause 18 (Forum and jurisdiction): the courts of Ireland.
Annexes I and II are populated by Schedules 1 and 2 of this DPA. Annex III is populated by the Subprocessors page at /legal/subprocessors.

9.3 UK Addendum

Where Choclement Processes Customer Personal Data originating from the United Kingdom in a Restricted Transfer, the UK Addendum is incorporated into this DPA by reference and the EU SCCs are modified by the UK Addendum. In Table 4 of the UK Addendum, the "Importer" and "Exporter" may end the UK Addendum as set out in Section 19 of the UK Addendum.

9.4 Switzerland

Where Choclement Processes Customer Personal Data originating from Switzerland in a Restricted Transfer, the EU SCCs apply with the following adjustments to accommodate the FADP: (a) references to the GDPR are interpreted as references to the FADP where the transfer is subject only to the FADP; (b) the Swiss FDPIC is the competent supervisory authority; (c) references to "Member States" include Switzerland; and (d) until the FADP's protections apply to legal persons, this DPA also protects Personal Data of legal persons in Switzerland.

9.5 Alternative mechanisms

If Choclement and Customer can rely on an adequacy decision (including the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework) or another approved transfer mechanism, the parties may rely on that mechanism instead of, or in addition to, the SCCs. Choclement may, upon notice, replace the SCCs with any successor or replacement mechanism approved under Data Protection Laws.

9.6 Transfer Impact Assessment

The parties acknowledge that they have conducted a transfer impact assessment in respect of the Restricted Transfers contemplated under this DPA and have agreed that the safeguards described herein are adequate. Choclement will, on request, provide Customer with the information reasonably necessary to update Customer's transfer impact assessment.

10. Return or deletion of Customer Personal Data

On termination or expiration of the Agreement, Choclement will, at Customer's choice expressed during the Extraction Window (defined in the Agreement), delete or return to Customer all Customer Personal Data Processed on Customer's behalf, and delete existing copies, except to the extent applicable law requires longer retention or the data is held in routine back-ups that are deleted in our ordinary retention cycle and not accessed during that cycle for any other purpose. The parties acknowledge that Aggregated Data (as defined in the Agreement) is not Customer Personal Data and may be retained by Choclement.

11. Audits

Choclement will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing on request: (a) summaries of the most recent third-party security audits, penetration tests, SOC 2 Type II reports, or ISO 27001 certificates that Choclement has obtained; and (b) responses to Customer's reasonable security and privacy questionnaires.

If the materials in (a) and (b) above are not sufficient to enable Customer to comply with Data Protection Laws, Customer (or an independent third-party auditor mandated by Customer and not a competitor of Choclement) may conduct an audit, subject to: (i) at least thirty (30) days' written notice; (ii) not more than once per twelve-month period (except where a Supervisory Authority requires more frequent audit or Choclement has suffered a material Personal Data Breach affecting Customer Personal Data); (iii) confidentiality obligations protecting Choclement's confidential information and other customers' data; (iv) audits conducted during business hours, in a manner that does not unreasonably interfere with Choclement's operations; and (v) Customer bearing the costs of the audit, including reimbursing Choclement for its reasonable time at standard rates if the audit reveals no material breach.

12. Liability

The liability of each party under or in connection with this DPA (including the SCCs and UK Addendum) is subject to the limitations and exclusions of liability in the Agreement (including Section 16 of the Terms of Service). Multiple claims under the Agreement and this DPA do not enlarge the cap. To the extent the SCCs impose liability obligations that cannot be limited or excluded by contract, those obligations apply notwithstanding the preceding sentence, but only in respect of Personal Data subject to the SCCs.

13. Order of precedence

In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict and only with respect to the Processing of Customer Personal Data. In the event of a conflict between the SCCs and any other term of this DPA or the Agreement, the SCCs prevail to the extent of the conflict and only in respect of Restricted Transfers governed by the SCCs.

14. General

Modifications. Choclement may update this DPA from time to time to reflect changes in Data Protection Laws or its Processing operations. Material changes will be communicated to Customer by email or in-product notice at least thirty (30) days before they take effect.
Severability. If any provision is held unenforceable, the remaining provisions remain in force.
Governing law. The governing law of the Agreement applies, except where Data Protection Laws or the SCCs prescribe otherwise.
Notices. Notices under this DPA are governed by the notice provisions of the Agreement; data-protection-specific notices may also be sent to [email protected].
No third-party beneficiaries, except as expressly stated in the SCCs or required by law.

Schedule 1 — Details of Processing (SCC Annex I)

A. List of parties

Data exporter: Customer, as identified in the Agreement (acting as Controller or, where applicable, Processor). Contact: as provided by Customer in account profile. Activities: use of the Service for advertising performance measurement, attribution, automation, and conversion-event dispatch.
Data importer: Choclement LLC d/b/a BHmetrics, a Delaware limited-liability company. Contact: [email protected]. Role: Processor (or Subprocessor where Customer is itself a Processor). Activities: providing the Service to Customer.

B. Description of transfer

Categories of Data Subjects:
- Customer's end consumers and website visitors who initiate orders, conversions, or other tracked events on Customer's storefront(s);
- Customer's personnel (account administrators, billing contacts, Authorized Users);
- Recipients of Customer's marketing audiences (where Customer chooses to upload audience seed lists).
Categories of Personal Data:
- Hashed identifiers: SHA-256 hashes of normalized email, phone (E.164), and customer ID;
- Online identifiers: click identifiers (fbclid, gclid, ttclid, epik, scclid, fbp, _fbc), first-party pixel session ID, device identifiers, hashed IP address, user-agent string;
- Transactional / commercial: order ID, order value (in cents), currency, line-item count, timestamp, country, region, postal code, landing URL, referrer;
- Account / professional (for Customer personnel): name, work email, role, employer, billing contact details, authentication metadata;
- Inferences: usage-derived aggregated inferences used internally to operate the Service.
Sensitive data: none. Customer is contractually prohibited from submitting Sensitive Data (as defined in the Agreement and the Acceptable Use Policy). Choclement does not request, store, or knowingly process Sensitive Data.
Frequency of transfer: continuous, for the duration of the Agreement.
Nature of Processing: hosting, transmission, storage, deduplication, hashing, normalization, aggregation, analytics, statistical modeling, anomaly detection, AI-assisted recommendation, and onward transmission to Connected Platforms (Meta, Google, TikTok, Pinterest, Snap) at Customer's direction.
Purpose of Processing: to provide the Service to Customer in accordance with the Agreement — namely, advertising performance measurement, attribution, automated optimization, conversion-event dispatch, audience management, AI Copilot, and related functions.
Retention period: as set out in the Privacy Policy, Section 11.
For onward transfers to Subprocessors: as set out at /legal/subprocessors, with the categories above and the retention periods stated.

C. Competent supervisory authority

Where Customer is established in the EEA, the supervisory authority designated by Article 51 GDPR. Where Customer is not established in the EEA but Processing falls within Article 3(2) GDPR, the supervisory authority of the Member State in which Customer's EU representative is established. For UK transfers, the UK Information Commissioner's Office. For Swiss transfers, the Swiss FDPIC.

Schedule 2 — Technical and Organizational Measures (SCC Annex II)

Choclement implements and maintains the following technical and organizational measures. Customer acknowledges that security measures evolve and that Choclement may modify these measures provided the modifications continue to provide an equivalent level of protection.

A. Measures of pseudonymization and encryption of Personal Data

SHA-256 hashing of end-consumer identifiers (email, phone, IP, customer ID) at the point of capture in the browser or storefront; plaintext is not transmitted to Choclement.
Encryption at rest using AES-256-GCM for application data, secrets, and OAuth tokens. Encryption in transit using TLS 1.2 or higher for all client-server and inter-service communication.
Hardware-backed key management with provider-managed key rotation.

B. Measures for ensuring confidentiality, integrity, availability, and resilience of processing systems

Role-based access control with least-privilege provisioning; SSO and mandatory two-factor authentication for all production access; just-in-time access for sensitive operations.
Network isolation between production and non-production environments; private networking between application tier and database; firewalled environments with deny-by-default ingress.
Continuous vulnerability scanning of code dependencies and container images; quarterly penetration testing.
Application monitoring, error monitoring (Sentry), and structured log retention (Axiom) with anomalous-behavior alerting.
Immutable audit logs of administrative actions, automation mutations, and authentication events.
High availability across multiple availability zones; automated failover; rate limiting and DDoS protection at the edge.

C. Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Encrypted, automated backups with a thirty-five (35) day rolling retention; documented restoration procedures.
Disaster-recovery and business-continuity plans with periodic restoration testing.
Documented incident-response plan covering detection, containment, eradication, recovery, and post-incident review.

D. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

Periodic security reviews, internal audits, and tabletop exercises.
Third-party penetration testing at least annually.
Vendor security review of Subprocessors before onboarding and on a recurring basis.
Annual review of this DPA, the Privacy Policy, and the Acceptable Use Policy.

E. Measures for user identification and authorization

Customer authentication managed by Clerk Inc., including support for SSO (Google, Microsoft), passkeys, and multi-factor authentication.
Session management with rotation, idle expiry, and absolute expiry; CSRF protection.
Workspace-scoped authorization with role-based access (owner, operator, viewer) and brand-context enforcement on every request.

F. Measures for the protection of data during transmission

TLS 1.2+ for all in-flight traffic, including connections to Subprocessors and Connected Platforms; HSTS on public endpoints; webhook HMAC validation for inbound storefront events.

G. Measures for the protection of data during storage

AES-256-GCM for data at rest; secrets and refresh tokens encrypted at the application layer with separate keys.
Logical separation of customer workspaces; row-level scoping enforced at the application and database layers.

H. Measures for ensuring physical security of locations at which Personal Data are processed

All Processing takes place in cloud data centers operated by Subprocessors (Vercel, Neon, Upstash, Cloudflare, Anthropic, OpenAI, Stripe, Clerk, Resend, Sentry, Axiom) that maintain enterprise-grade physical security (SOC 2, ISO 27001, or equivalent), as documented in their respective compliance pages.

I. Measures for ensuring events logging

Application, security, and audit events are logged to centralized log management (Axiom) and retained as described in the Privacy Policy, Section 11.
Authentication and authorization events are logged for thirteen (13) months as a security baseline.

J. Measures for ensuring system configuration, including default configuration

Infrastructure as code; configuration changes are version-controlled, peer-reviewed, and audited.
Secrets are stored in a managed secret store, never in code or logs.
Default settings privilege security and privacy (e.g., end-consumer identifiers are hashed by default; AI subprocessors are configured for "no training on Customer Data").

K. Measures for internal IT and IT security governance and management

Information-security policies and procedures; data-protection-by-design and by-default principles applied to product changes.
Personnel onboarded with background checks where lawful, signed confidentiality undertakings, and required security and privacy training; offboarding revokes access promptly.
Incident-response runbook with escalation paths and a designated incident commander.

L. Measures for certification / assurance of processes and products

Choclement is working toward SOC 2 Type II attestation. Subprocessors are selected to align with SOC 2 / ISO 27001 / equivalent assurances; current evidence is available on request.

M. Measures for ensuring data minimization

Only data necessary to provide the Service is collected; raw email, phone, IP, names, shipping addresses, and payment instruments are not stored on Choclement systems.
OAuth scopes are constrained to the minimum required by each Connected Platform.

N. Measures for ensuring data quality

Deduplication of conversion events via a key/value ledger; normalization of identifiers prior to hashing; validation of webhook signatures.
Operator-facing diagnostics (Event Match Quality scoring, dispatch result, error log) to support data-quality review.

O. Measures for ensuring limited data retention

Retention is enforced as described in the Privacy Policy, Section 11; OAuth tokens are deleted on disconnect; usage telemetry rotates at ninety (90) days.

P. Measures for ensuring accountability

Records of Processing activities are maintained; Subprocessor agreements include data-protection terms; this DPA, the Privacy Policy, and the Acceptable Use Policy are published and versioned.

Q. Measures for allowing data portability and ensuring erasure

In-product export available from Settings → Brand → Export / Delete; on request, Choclement provides additional assistance as described in Section 6.

Schedule 3 — Subprocessors (SCC Annex III)

The current list of Subprocessors authorized to Process Customer Personal Data is published at /legal/subprocessors and is incorporated into this DPA by reference. The Subprocessors page includes, for each Subprocessor: name, role (e.g., hosting, database, email delivery, LLM inference), categories of Personal Data Processed, location of Processing, and the legal basis for any Restricted Transfer.

Adding or replacing a Subprocessor follows the notice and objection process in Section 5.2.

Contact

Choclement LLC, doing business as BHmetrics
c/o registered agent on file with the Delaware Secretary of State
Data Protection: [email protected]
Service URL: bhmetrics.com