Data Processing Agreement
Effective: April 21, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between BentoCS, Inc. (“Processor”) and the customer entity that has agreed to those Terms (“Controller”). It governs the processing of personal data by BentoCS on behalf of the Controller in connection with the BentoCS platform (the “Service”).
Where the Controller is established in the European Economic Area (“EEA”) or the United Kingdom, this DPA incorporates the Standard Contractual Clauses for Controller-to-Processor transfers as adopted by the European Commission (Module 2). Questions may be directed to team@bentocs.com.
1. Definitions
“Personal Data”, “Controller”, “Processor”, “Processing”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR (Regulation (EU) 2016/679) or the applicable local privacy law of the Controller's jurisdiction.
2. PHI Prohibition
BentoCS is not a HIPAA covered entity or business associate and does not sign BAAs. The Controller must not upload, store, or process Protected Health Information (“PHI”) — as defined under 45 CFR §160.103 — through the Service under any circumstances. BentoCS reserves the right to suspend access immediately if PHI is detected within Customer Data.
3. Processing Particulars
| Item | Detail |
|---|---|
| Subject matter | Customer success operations — account health monitoring, playbooks, QBRs |
| Duration | For the term of the Controller's subscription plus any statutory retention period |
| Nature of processing | Storage, retrieval, display, AI analysis, and automated decision-support |
| Purpose of processing | Provision of the Service as described in the Terms of Service |
| Types of personal data | Business contact details (name, work email, job title) of the Controller's customers and employees. No special-category data or PHI is permitted. |
| Categories of data subjects | The Controller's end-customers; the Controller's employees who use the Service |
4. Processor Obligations
BentoCS shall, as Processor:
- Process Personal Data only on documented instructions from the Controller (which include these Terms and this DPA), except where required by applicable law.
- Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
- Implement and maintain technical and organisational security measures appropriate to the risk, including encryption of data in transit (TLS 1.2+) and at rest (AES-256), strict multi-tenant isolation via Postgres Row-Level Security, and access controls with audit logging.
- Not engage a sub-processor without informing the Controller. The current list of approved sub-processors is maintained at /legal/sub-processors and updated with at least 10 days’ notice before any change.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests, including rights of access, rectification, erasure, restriction, and portability.
- Notify the Controller of a Personal Data breach without undue delay and in any event within 72 hours of becoming aware of it.
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires storage.
- Provide all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated third-party auditor, subject to reasonable prior notice and confidentiality obligations.
5. Controller Obligations
The Controller shall:
- Have a lawful basis for processing Personal Data and for instructing BentoCS to process it on its behalf.
- Not upload PHI, special-category data, or data relating to children under 16.
- Promptly notify BentoCS if the Controller believes any processing instruction infringes applicable data protection law.
6. Security Measures
BentoCS's current technical and organisational security measures include, but are not limited to: TLS 1.2+ for all data in transit; AES-256 encryption at rest via Supabase (hosted on AWS us-east-1); Postgres Row-Level Security ensuring strict tenant isolation; role-based access controls; automated daily backups with point-in-time recovery; and structured audit logging for all privileged operations.
A detailed security overview is available at /security.
7. International Transfers
Personal Data is stored and processed in the United States (AWS us-east-1). Transfers from the EEA or UK to the United States are governed by the Standard Contractual Clauses (Controller-to-Processor, Module 2) published by the European Commission, which are incorporated herein by reference. A copy is available on request.
8. Sub-processors
BentoCS uses the sub-processors listed at /legal/sub-processors. BentoCS will inform the Controller of any intended changes to sub-processors at least 10 days in advance, giving the Controller the opportunity to object. If the Controller objects and the parties cannot reach a reasonable resolution, the Controller may terminate the Service without penalty within 30 days of notification.
9. Term and Termination
This DPA is effective from the date the Controller first accepted the Terms of Service and continues until all Personal Data held by BentoCS on behalf of the Controller has been deleted or returned under clause 4.
10. Governing Law
This DPA is governed by the same law and jurisdiction as the Terms of Service, unless applicable data protection law requires otherwise.
11. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail.
For questions about this DPA or to request a countersigned copy, contact team@bentocs.com.