Data Processing Agreement

1. Scope

This Data Processing Agreement ("DPA") supplements the B2ARocket Terms of Service and applies when B2ARocket processes personal data on behalf of the Customer as a data processor under GDPR, CCPA, and applicable data protection laws.

2. Data Processing

B2ARocket processes personal data solely for providing the services described in the Terms of Service, including: lead discovery and enrichment, email campaign execution, reply handling, and analytics.

3. Sub-Processors

B2ARocket uses the following sub-processors:

• Supabase (US) — Database hosting and authentication
• Anthropic (US) — AI language model processing
• Resend (US) — Email delivery
• Stripe (US) — Payment processing
• Cloudflare (US) — Domain registration and DNS
• Vercel (US) — Application hosting
• Upstash (US) — Redis caching and job queues
• Sentry (US) — Error tracking

4. Data Security

B2ARocket implements appropriate technical and organizational measures including: AES-256-GCM field-level encryption for PII, TLS 1.3 for data in transit, role-based access control, audit logging with HMAC tamper detection, and regular security assessments.

5. Data Subject Rights

B2ARocket supports data subject requests including access, rectification, erasure (via GDPR Article 17 erasure API), restriction of processing, and data portability (via CSV export).

6. Data Retention

Customer data is retained for the duration of the service agreement plus 30 days. Customers can configure automated data retention policies. Data erasure is available on request.

7. Breach Notification

B2ARocket will notify the Customer of any personal data breach within 72 hours of becoming aware, in accordance with GDPR Article 33.

Execute This DPA

To execute a signed copy of this DPA, contact us at hello@b2arocket.com.