Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies to Enterprise customers who require a formal data processing agreement for regulatory or institutional compliance purposes. Data handling practices are described in our Privacy Policy.

1. Scope

This DPA governs the processing of personal data that you (the "Controller") submit to or make accessible through Blue Belmont (the "Processor") in connection with the Service.

2. Data Processing

• We process personal data only on your documented instructions and for the purposes described in our Privacy Policy.
• We do not process personal data for any purpose other than providing the Service unless required by law.
• We maintain records of all processing activities as required by applicable regulation.

3. Sub-processors

We use the following sub-processors:

• Stripe, Inc. (San Francisco, CA), Payment processing
• Cloud infrastructure provider (US-based), Data hosting and compute

We will notify you at least 30 days before adding a new sub-processor. You may object by contacting support.

4. Security Measures

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access controls with least-privilege enforcement
• Quarterly access reviews and annual penetration testing
• SOC 2 Type II audit in progress (target: Q4 2026)
• Incident response plan with 72-hour breach notification

5. Data Subject Rights

We will assist you in fulfilling data subject requests (access, correction, deletion, portability) within the timeframes required by applicable law.

6. Data Retention and Deletion

Upon termination of your subscription, we will delete or return all personal data within 90 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).

7. Audit Rights

Enterprise customers may request documentation of our security controls and compliance posture. On-site audits are available by arrangement for customers with annual contract values above $25,000.

8. Governing Law

This DPA is governed by the laws of the State of Indiana, United States.

9. Contact

To execute this DPA or request a signed copy, contact james@bluebelmont.com.