Data Processing Addendum

Birdseye Views, Inc. — a Delaware corporation. Last updated: June 29, 2026 · v1.0

This Data Processing Addendum ("DPA") forms part of the agreement between Birdseye Views, Inc. ("Birdseye Views", "Processor", "Service Provider") and the customer that has accepted the Terms of Service ("Customer", "Controller", "Business") (together, the "Agreement"), and governs Birdseye Views' processing of personal data contained in Customer Data on Customer's behalf. If there is a conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA controls.


1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. "Personal Data", "Controller", "Processor", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given under applicable data-protection law, including the EU/UK General Data Protection Regulation ("GDPR") and U.S. state privacy laws. Under U.S. state privacy laws, "Business", "Service Provider", "Sell", and "Share" have the meanings given in those laws. "Customer Personal Data" means Personal Data within Customer Data that Birdseye Views processes on Customer's behalf.

2. Roles and instructions

For Customer Personal Data, Customer is the Controller / Business and Birdseye Views is the Processor / Service Provider. Birdseye Views will process Customer Personal Data only to provide the Service and only on Customer's documented instructions (including those in the Agreement and as configured through the Service), unless required by law, in which case Birdseye Views will inform Customer unless legally prohibited.

3. Duration and scope

Birdseye Views will process Customer Personal Data for the duration of the Agreement and as otherwise stated in this DPA. The subject matter, nature and purpose of processing, categories of Data Subjects, and types of Personal Data are described in Annex I.

4. Confidentiality

Birdseye Views ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Service.

5. Security measures

Birdseye Views will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex II and in our Information Security Policy, taking into account the state of the art, the costs of implementation, and the nature, scope, and risks of the processing.

6. Sub-processors

Customer provides general authorization for Birdseye Views to engage sub-processors to process Customer Personal Data. Birdseye Views will: (a) impose data-protection obligations on each sub-processor that are no less protective than those in this DPA; (b) remain responsible for each sub-processor's performance; and (c) maintain the current list of sub-processors in Annex III. Birdseye Views will provide notice of any intended addition or replacement of a sub-processor and give Customer a reasonable opportunity to object on reasonable data-protection grounds.

7. Assistance to Customer

Taking into account the nature of the processing, Birdseye Views will provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, to help Customer: (a) respond to requests from Data Subjects to exercise their rights; (b) ensure the security of processing; (c) notify and communicate Personal Data Breaches; and (d) carry out data-protection impact assessments and related consultations.

8. Personal Data Breach notification

Birdseye Views will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its own notification obligations.

9. Deletion or return of data

Upon termination or expiration of the Agreement, Birdseye Views will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies unless retention is required by law. Deletion will occur within a commercially reasonable period.

10. Audits and information

Birdseye Views will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, scheduling, scope, and frequency limitations. Where available, Birdseye Views may satisfy this obligation by providing relevant third-party reports or certifications.

11. International data transfers

The Service is operated in the United States. To the extent Birdseye Views processes Personal Data subject to the GDPR and transfers it from the European Economic Area, Switzerland, or the United Kingdom to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses are incorporated into this DPA by reference: Module Two (Controller-to-Processor) where Customer is a controller, and Module Three (Processor-to-Processor) where Customer acts as a processor on behalf of a third-party controller. For transfers subject to UK law, the UK International Data Transfer Addendum to the Standard Contractual Clauses applies. The parties will complete the relevant clauses consistent with Annexes I–III.

12. U.S. state privacy law terms (Service Provider / Processor)

With respect to Personal Data subject to U.S. state privacy laws (including the CCPA/CPRA, VCDPA, CPA, and the Texas Data Privacy and Security Act), Birdseye Views acts as a Service Provider / Processor and will:

  • process Customer Personal Data only to perform the Service and the business purposes specified in the Agreement, and not for any other purpose;
  • not Sell and not Share Customer Personal Data, as those terms are defined under applicable law;
  • not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or except as permitted by law;
  • not combine Customer Personal Data with Personal Data from other sources, except as permitted for a Service Provider under applicable law;
  • comply with applicable obligations and provide the level of privacy protection required of a Service Provider / Processor; and
  • assist Customer in responding to verifiable consumer requests as required.

Customer may take reasonable steps to ensure Birdseye Views uses Customer Personal Data consistent with Customer's obligations.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.


Annex I — Details of processing

  • Subject matter: Birdseye Views' provision of the operational-intelligence Service to Customer.
  • Duration: the term of the Agreement, plus any period required to return or delete data.
  • Nature and purpose: hosting, storing, organizing, analyzing, and displaying Customer Data to provide operational analytics, reporting, and related features.
  • Categories of Data Subjects: Customer's personnel and authorized users; and individuals referenced within Customer Data (for example, the Customer's own customers or prospects).
  • Categories of Personal Data: identifiers and contact details, business and transaction records, and other data Customer chooses to submit or connect, which may include consumer financial information ("nonpublic personal information") associated with sales and financing activity. Customer controls what data it submits.
  • Special categories: the Service is not intended for special-category data; Customer should not submit it unless agreed.

Annex II — Technical and organizational measures

The measures are described in our Information Security Policy and include, at a minimum: encryption in transit (TLS 1.2+) and at rest; role-based access control and least privilege; logical multi-tenant isolation; multi-factor authentication support; logging and monitoring; regular backups; vulnerability and patch management; secure development practices; vendor oversight; and an incident-response process.

Annex III — Sub-processors

Sub-processor | Purpose | Location
WorkOS, Inc. | Authentication, identity, and session management | United States
Stripe, Inc. | Payment processing and subscription billing | United States
Amazon Web Services, Inc. | Cloud hosting, database, and object storage | United States (us-east-2)
Anthropic, PBC | AI-powered product features | United States

Third-party systems that Customer chooses to connect as data sources (for example, dealer management, CRM, inventory, website-analytics, or accounting systems) are integrations authorized and controlled by Customer, not Birdseye Views sub-processors.


Questions about this DPA or data protection? Contact us at info@birdseyeviews.com.