Data Processing Addendum
Effective date: April 25, 2026
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the agreement between Banche Labs, Inc. (“Banche Labs,” “we,” “us,” or “our”) and the entity or individual who has entered into the Terms of Service with Banche Labs (“Customer,” “you,” or “your”) governing Customer’s use of the Bounce House service available at bouncehouse.cloud (the “Service”). This DPA sets forth the parties’ obligations with respect to the processing of Customer Personal Data in connection with the Service.
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
The parties agree as follows:
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Terms of Service. The following definitions apply to this DPA:
1.1 “Aggregate Data” has the meaning given in the Terms of Service. Aggregate Data is de-identified and aggregated data that does not identify any individual or Customer. For the avoidance of doubt, Aggregate Data is not Customer Personal Data and is outside the scope of this DPA.
1.2 “Applicable Data Protection Laws” means all laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, or the processing of Personal Data, to the extent applicable to the processing of Customer Personal Data under the Agreement, including where applicable: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the United Kingdom General Data Protection Regulation as defined by the UK Data Protection Act 2018 (“UK GDPR”); and (c) the California Consumer Privacy Act, Cal. Civ. Code Section 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”), in each case as amended or superseded from time to time.
1.3 “Controller” means the natural or legal person that determines the purposes and means of the processing of Personal Data. Where Applicable Data Protection Laws use the term “business,” such term shall be read as equivalent to Controller for the purposes of this DPA.
1.4 “Customer Personal Data” means any Personal Data that Customer submits to, or that is collected through, the Service on Customer’s behalf and that Banche Labs processes as a Processor in connection with the Agreement. Customer Personal Data does not include: (a) Aggregate Data; or (b) Personal Data that Banche Labs processes as a Controller in its own right (such as account registration information, billing data, and usage analytics), which is governed by the Banche Labs Privacy Policy.
1.5 “Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
1.6 “Personal Data” means any information relating to an identified or identifiable natural person, or as otherwise defined under Applicable Data Protection Laws (including “personal information” as defined in the CCPA).
1.7 “Processing” (including “process,” “processed,” and “processes”) has the meaning given in Article 4 of the GDPR, or the equivalent meaning under other Applicable Data Protection Laws.
1.8 “Processor” means the entity that processes Personal Data on behalf of the Controller. Where Applicable Data Protection Laws use the term “service provider,” such term shall be read as equivalent to Processor for the purposes of this DPA.
1.9 “Security Incident” means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Banche Labs. Security Incidents do not include unsuccessful access attempts, routine security scans, brute-force attempts, denial-of-service attacks, or other events that do not result in a compromise of the security of Customer Personal Data.
1.10 “Standard Contractual Clauses” or “SCCs” means: (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”); and (b) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office (“UK IDTA”).
1.11 “Subprocessor” means any third party engaged by Banche Labs to process Customer Personal Data on Customer’s behalf in connection with the Service.
2. Scope and Roles
2.1 Applicability. This DPA applies to the processing of Customer Personal Data by Banche Labs in connection with the provision of the Service under the Agreement.
2.2 Roles. As between the parties: (a) Customer is the Controller (or, where Customer itself acts as a Processor on behalf of its own clients, the Processor) of Customer Personal Data; and (b) Banche Labs is the Processor (or Subprocessor, as applicable) of Customer Personal Data. For the purposes of the Standard Contractual Clauses, Customer is the data exporter and Banche Labs is the data importer.
2.3 Aggregate Data Exclusion. The parties acknowledge and agree that Aggregate Data, as defined in the Terms of Service, is de-identified and falls outside the scope of this DPA. Banche Labs may create, collect, and use Aggregate Data in accordance with the Terms of Service without restriction under this DPA.
2.4 CCPA Classification. For purposes of the CCPA, Banche Labs acts as a service provider (and not as a “third party” or “business”) with respect to Customer Personal Data. Banche Labs does not receive Customer Personal Data as consideration for any services or other items provided by Banche Labs.
3. Processing of Customer Personal Data
3.1 Processing Instructions. Banche Labs shall process Customer Personal Data only in accordance with Customer’s documented instructions. Customer’s instructions are defined by: (a) the Agreement (including the Terms of Service and this DPA); (b) Customer’s configuration and use of the Service; and (c) any additional documented instructions agreed in writing between the parties. The Agreement constitutes Customer’s complete and final instructions to Banche Labs for the processing of Customer Personal Data as of the effective date of this DPA.
3.2 Compliance with Instructions. If Banche Labs reasonably believes that a Customer instruction infringes Applicable Data Protection Laws, Banche Labs shall promptly notify Customer and may suspend the relevant processing until the parties agree on a lawful course of action.
3.3 Compliance with Laws. Each party shall comply with its respective obligations under Applicable Data Protection Laws. Customer is responsible for: (a) the accuracy, quality, integrity, and legality of Customer Personal Data; (b) providing all required notices to, and obtaining all necessary consents from, Data Subjects; and (c) ensuring that its instructions to Banche Labs comply with Applicable Data Protection Laws.
3.4 CCPA Restrictions. With respect to Customer Personal Data subject to the CCPA, Banche Labs shall not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than performing the Service under the Agreement, or as otherwise permitted by the CCPA for service providers; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Banche Labs and Customer; or (d) combine Customer Personal Data with personal information received from or on behalf of a third party, or collected from Banche Labs’s own interactions with consumers, except as permitted by the CCPA for service providers. For the avoidance of doubt, Aggregate Data that has been de-identified in compliance with the CCPA is outside the scope of these restrictions.
3.5 Certification. Banche Labs certifies that it understands and will comply with the restrictions and obligations set forth in this DPA, including the requirements applicable to service providers under the CCPA.
4. Confidentiality
4.1 Banche Labs shall ensure that all personnel authorized to process Customer Personal Data: (a) have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality; and (b) process Customer Personal Data only as necessary to perform Banche Labs’s obligations under the Agreement and in accordance with Customer’s documented instructions.
5. Security Measures
5.1 Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects, Banche Labs shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures are described in Annex II to this DPA.
5.2 Updates to Security Measures. Banche Labs may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Customer Personal Data.
5.3 Customer Acknowledgment. Customer acknowledges that the security measures are subject to technical progress and development and that Banche Labs may update them in accordance with Section 5.2. Customer is responsible for independently determining whether the security measures meet Customer’s requirements and for ensuring that Customer’s use of the Service and its instructions to Banche Labs are consistent with Customer’s obligations under Applicable Data Protection Laws.
6. Security Incident Notification
6.1 Notification. Banche Labs shall notify Customer of a Security Incident without undue delay after becoming aware of such Security Incident. Such notification shall be delivered to the email address associated with Customer’s account or such other address as Customer has designated in writing.
6.2 Content of Notification. Banche Labs shall provide Customer with the following information, to the extent reasonably available at the time of notification, with further details provided as they become known:
(a) a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Customer Personal Data records concerned;
(b) a description of the likely consequences of the Security Incident; and
(c) a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
6.3 No Acknowledgment of Fault. Banche Labs’s notification of, or response to, a Security Incident under this Section 6 shall not be construed as an acknowledgment by Banche Labs of any fault or liability with respect to the Security Incident.
6.4 Customer Obligations. Customer is solely responsible for its obligations under applicable incident notification laws, including determining whether to provide notice to Data Subjects, supervisory authorities, or other third parties.
7. Subprocessors
7.1 General Authorization. Customer grants Banche Labs general written authorization to engage Subprocessors for the processing of Customer Personal Data. The current list of Subprocessors is maintained at the URL specified in Annex III to this DPA.
7.2 Subprocessor Obligations. Banche Labs shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA. Banche Labs shall remain liable for the acts and omissions of its Subprocessors to the same extent as if the acts or omissions were performed by Banche Labs directly, subject to the limitations of liability set forth in the Agreement.
7.3 Notification of New Subprocessors. Banche Labs shall notify Customer before authorizing any new Subprocessor to process Customer Personal Data. Notification shall be provided via email or by update to the Subprocessor list referenced in Annex III, with a mechanism for Customer to subscribe to notifications of changes.
7.4 Acceptance of Subprocessors. Customer’s continued use of the Service after notification of a new Subprocessor constitutes acceptance of the new Subprocessor.
8. Data Subject Rights
8.1 Assistance. Taking into account the nature of the processing, Banche Labs shall provide reasonable assistance to Customer, by appropriate technical and organizational measures, in fulfilling Customer’s obligation to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, portability, restriction, and objection).
8.2 Referral. If Banche Labs receives a request from a Data Subject directly, Banche Labs shall promptly notify Customer and refer the Data Subject to Customer, unless otherwise instructed by Customer in writing. Banche Labs shall not respond to a Data Subject request directly except upon Customer’s documented instruction.
9. Audit
9.1 Compliance Information. Upon Customer’s written request, made no more than once per twelve (12) month period, Banche Labs shall make available to Customer information reasonably necessary to demonstrate compliance with Banche Labs’s obligations under this DPA.
9.2 Third-Party Certifications and Reports. Where Banche Labs has obtained third-party certifications or audit reports (such as SOC 2 Type II), Banche Labs shall make summaries or copies of such reports available to Customer upon request. The parties agree that such reports shall satisfy Customer’s audit rights under this DPA and under Clause 8.9 of the EU SCCs (where applicable), provided that Banche Labs makes such reports available in a timely manner and the reports are current and relevant.
9.3 Confidentiality. Any information provided by Banche Labs under this Section 9, including audit reports, certifications, and questionnaire responses, constitutes Banche Labs’s confidential information under the Agreement and may not be disclosed to any third party without Banche Labs’s prior written consent, except as required by law or by a supervisory authority with jurisdiction over Customer.
10. Data Retention and Deletion
10.1 Deletion on Termination. Upon the expiration or termination of the Agreement, Banche Labs shall delete all Customer Personal Data within a commercially reasonable period, except to the extent that applicable law requires Banche Labs to retain some or all of such data. Where retention is required by law, Banche Labs shall isolate and protect the retained Customer Personal Data from further processing except to the extent required by such law, and shall delete the data once the retention obligation expires.
10.2 Aggregate Data. For the avoidance of doubt, Aggregate Data (which is de-identified and outside the scope of this DPA) is not subject to the deletion obligations of this Section 10 and survives termination in accordance with the Terms of Service.
10.3 Certification. Upon Customer’s written request following deletion, Banche Labs shall certify in writing that it has deleted Customer Personal Data in accordance with this Section 10.
11. International Transfers
11.1 General. Banche Labs shall not transfer Customer Personal Data from the European Economic Area (“EEA”), United Kingdom, or Switzerland to any country outside such territory unless appropriate safeguards are in place as required by Applicable Data Protection Laws.
EU Standard Contractual Clauses
11.2 To the extent that the processing of Customer Personal Data involves a transfer from the EEA to a country that has not been recognized by the European Commission as providing an adequate level of data protection, the parties agree that such transfer shall be subject to the EU SCCs (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference into this DPA and completed as set forth in this Section 11 and Annex I.
11.3 The EU SCCs shall apply as follows:
(a) Module 2 (Controller to Processor) shall apply where Customer is a Controller transferring Customer Personal Data to Banche Labs as Processor.
(b) Module 3 (Processor to Processor) shall apply where Customer is itself a Processor (for example, an agency or managed service provider processing its clients’ data) transferring Customer Personal Data to Banche Labs as Subprocessor.
11.4 With respect to the optional provisions of the EU SCCs:
(a) Clause 7 (Docking Clause): The optional docking clause shall apply, permitting additional parties to accede to the SCCs.
(b) Clause 9(a) (Use of Subprocessors): Option 2 (general written authorization) shall apply. Notification of Subprocessor changes shall be as set forth in Section 7 of this DPA.
(c) Clause 11(a) (Redress): The optional language shall not apply.
(d) Clause 17 (Governing Law): Option 1 shall apply. The EU SCCs shall be governed by the laws of Ireland.
(e) Clause 18(b) (Choice of Forum and Jurisdiction): Disputes arising under the EU SCCs shall be resolved before the courts of Ireland.
11.5 The governing law selection in Section 11.4(d) applies only to the EU SCCs themselves. The remainder of the Agreement, including this DPA (other than the EU SCCs), is governed by the governing law provision in the Terms of Service.
11.6 Annex I to the EU SCCs is completed as set forth in Annex I to this DPA. Annex II to the EU SCCs is completed as set forth in Annex II to this DPA. Annex III to the EU SCCs (list of Subprocessors) is completed as set forth in Annex III to this DPA.
11.7 The execution of the Agreement by both parties shall constitute execution of the EU SCCs, and each party is duly authorized to execute the EU SCCs on behalf of itself as data exporter or data importer, as applicable.
UK International Data Transfer Addendum
11.8 To the extent that the processing of Customer Personal Data involves a transfer from the United Kingdom to a country that has not been recognized by the UK Secretary of State as providing an adequate level of data protection, the EU SCCs as set forth in Sections 11.2 through 11.7 shall be supplemented by the UK IDTA (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018).
11.9 With respect to the UK IDTA:
(a) Table 1 (Parties): The Exporter is Customer and the Importer is Banche Labs, as identified in Annex I to this DPA. By entering into the Agreement, each party is deemed to have signed the UK IDTA.
(b) Table 2 (Selected SCCs, Modules and Selected Clauses): The EU SCCs as specified in Sections 11.3 and 11.4 of this DPA shall apply, including Module 2 and Module 3 as applicable.
(c) Table 3 (Appendix Information): The appendix information is as set forth in Annexes I, II, and III to this DPA.
(d) Table 4 (Ending the Addendum): Either party may end the UK IDTA as set forth in Section 19 of the UK IDTA if the UK ICO issues changes to the Approved Addendum.
Other Transfer Mechanisms
11.10 Nothing in this DPA restricts Banche Labs from relying on any other legally valid transfer mechanism for the transfer of Customer Personal Data outside the EEA, United Kingdom, or Switzerland, including adequacy decisions or the EU-U.S. Data Privacy Framework (or any successor framework), as applicable and as an alternative to or in addition to the Standard Contractual Clauses.
12. Cooperation and Assistance
12.1 Data Protection Impact Assessments. To the extent required under Applicable Data Protection Laws, Banche Labs shall provide reasonable assistance to Customer in conducting data protection impact assessments and, where necessary, consulting with supervisory authorities, in each case solely in relation to the processing of Customer Personal Data by Banche Labs under the Agreement.
12.2 Government Access Requests. Banche Labs shall, to the extent legally permitted, promptly notify Customer of any legally binding request from a law enforcement or government authority for disclosure of Customer Personal Data.
13. Liability
13.1 Each party’s liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Terms of Service. For the avoidance of doubt, Banche Labs’s total aggregate liability under the Agreement, including this DPA, shall not exceed the limitation of liability set forth in the Terms of Service.
13.2 Any reference in the Terms of Service to the liability of a party means the aggregate liability of that party under the Terms of Service and this DPA together.
14. General Provisions
14.1 Term. This DPA shall become effective upon the effective date of the Agreement and shall remain in effect until the later of: (a) the expiration or termination of the Agreement; or (b) the completion of Banche Labs’s deletion of all Customer Personal Data in accordance with Section 10.
14.2 Precedence. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict as it relates to the processing of Customer Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
14.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be amended to the minimum extent necessary to render it valid and enforceable while preserving the parties’ original intent, or, if such amendment is not possible, it shall be deemed severed from this DPA.
14.4 Amendments. Banche Labs may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, or Banche Labs’s processing activities. If Banche Labs makes changes that materially affect the parties’ rights or obligations under this DPA, Banche Labs shall provide notice in accordance with the Agreement. Continued use of the Service after the effective date of any such update constitutes acceptance of the updated DPA.
14.5 Entire Agreement. This DPA, together with the Agreement and the Standard Contractual Clauses (as applicable), constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data and supersedes all prior agreements, representations, and understandings relating to such subject matter.
Annex I — Processing Details
This Annex I serves as Annex I to the EU SCCs (where applicable).
A. List of Parties
Data Exporter:
- Name: As specified in the Agreement.
- Address: As specified in the Agreement.
- Contact person: As specified in Customer’s account or as otherwise provided in the Agreement.
- Activities relevant to the data transferred: Data exporter is a customer of the data importer and uses the data importer’s Service (Bounce House) as described in the Agreement.
- Role: Controller; or Processor (where Customer itself processes data on behalf of its own clients).
Data Importer:
- Name: Banche Labs, Inc.
- Address: As specified at bouncehouse.cloud/legal or in the Agreement.
- Contact person: Privacy Team — privacy@bouncehouse.cloud
- Activities relevant to the data transferred: Data importer provides the Bounce House email operations service to the data exporter, as described in the Agreement.
- Role: Processor; or Subprocessor (where data exporter is itself a Processor).
B. Description of Transfer
Categories of Data Subjects:
Customer’s employees, end users, clients, and any other individuals whose Personal Data Customer submits to or directs through the Service.
Categories of Personal Data:
As determined by Customer’s configuration and use of the Service. Categories may include names, email addresses, IP addresses, email message metadata (headers, timestamps, routing information), email message content (where submitted by Customer to the Service), and other data that Customer elects to process through the Service.
Sensitive Data (if applicable):
None transferred by default. Customer shall not submit sensitive data or special categories of data to the Service unless Customer has ensured that all necessary safeguards and legal bases are in place under Applicable Data Protection Laws.
Frequency of Transfer:
Continuous, for the duration of the Agreement.
Nature of Processing:
Receipt, routing, storage, analysis, and delivery of email data and associated metadata as necessary to provide the Service. Processing includes webhook reception, email parsing, event routing, and the generation of analytics and reporting.
Purpose of Processing:
Providing the Service as described in the Agreement, including email receiving, processing, routing, delivery, monitoring, and analytics.
Duration of Processing:
For the term of the Agreement, plus the deletion period described in Section 10 of this DPA.
For transfers to Subprocessors:
Banche Labs engages Subprocessors for cloud infrastructure, data storage, email delivery, and operational support services. Subprocessors process Customer Personal Data only as necessary to enable Banche Labs to provide the Service. The subject matter, nature, and duration of Subprocessor processing are consistent with this Annex I.
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs, based on the data exporter’s establishment in the EEA. Where the data exporter is not established in the EEA, the supervisory authority of the EEA member state in which the data exporter’s EU representative is established shall serve as the competent authority, or, where no representative is required, the Data Protection Commission of Ireland.
Annex II — Technical and Organizational Security Measures
This Annex II serves as Annex II to the EU SCCs (where applicable).
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects, Banche Labs implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
Banche Labs reserves the right to update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Customer Personal Data.
Annex III — Subprocessor List
This Annex III serves as Annex III to the EU SCCs (where applicable).
The current list of Banche Labs Subprocessors authorized to process Customer Personal Data is maintained at:
https://bouncehouse.cloud/legal/subprocessors
This list includes each Subprocessor’s name, description of processing activities, and location. Customer may subscribe to notifications of updates to the Subprocessor list at the URL above.
Changes to the Subprocessor list are subject to the notification process described in Section 7 of this DPA.