Data Processing Addendum (DPA)

Effective Date: March 1, 2026

Introduction

This Data Processing Addendum ("DPA") is entered into by and between BaseMonkeys LLC, doing business as BaseQR.ai ("Company" or "Processor"), and the client ("Client" or "Controller"). This DPA forms part of and supplements the Master Services Agreement ("MSA") between the parties. In the event of conflict, the order of precedence is: DPA → MSA → Order.

1. Roles and Scope

Client is the Data Controller and bears sole legal responsibility for the lawfulness of all data collection, processing instructions, and compliance with applicable data protection laws. Company is the Data Processor and processes Personal Data solely as directed by Client and only to the extent necessary to provide the Services. Company assumes no data protection obligations beyond those expressly stated in this DPA.

2. Nature and Purpose of Processing

Company provides a platform for dynamic QR code routing, campaign management, and analytics. Processing activities are strictly limited to:

- Routing users to Client-defined destinations
- Generating aggregated analytics and reporting
- Supporting platform functionality and performance

Company does not process Personal Data for any purpose outside the scope of the Services.

3. Categories of Personal Data

Processing may incidentally involve:

- IP address
- Device and browser information
- Approximate geolocation (city/region level only)
- Timestamp of interactions
- Referrer or source data (where available)

Company does not intentionally collect sensitive personal data (as defined under applicable law). Client shall not submit sensitive personal data through the Services. If Client does so, Client assumes all associated legal liability.

4. Data Subjects

Personal Data may relate to end users interacting with Client's QR codes and Client personnel using the Services. Client is solely responsible for ensuring all data subjects have been properly notified and, where required, have consented to such processing.

5. Client Responsibilities

Client is solely and exclusively responsible for:

- Establishing and maintaining a valid lawful basis for all processing
- Providing all required privacy notices to data subjects
- Obtaining and documenting consent where required by applicable law
- Ensuring all content, destinations, and data submitted through the Services comply with applicable data protection laws
- Ensuring Client's instructions to Company are lawful
- Any fines, penalties, or claims arising from Client's failure to comply with applicable law

Company shall not be liable for any regulatory action, fine, or claim arising from Client's failure to meet its obligations as Data Controller.

6. Processor Obligations

Company will:

- Process Personal Data only as necessary to provide the Services
- Implement commercially reasonable technical and organizational safeguards appropriate to the nature of the data processed
- Ensure relevant personnel are subject to confidentiality obligations

Company will not:

- Sell Personal Data to third parties
- Use Personal Data for its own marketing or advertising purposes

All other data handling decisions remain at Company's operational discretion to the extent permitted by applicable law.

7. Subprocessors

Client hereby provides general authorization for Company to engage subprocessors to support the delivery of the Services, including cloud infrastructure, content delivery, analytics, and payment processing providers. Company will apply reasonable diligence in selecting subprocessors. A list of current subprocessors is available upon written request. Company may update its subprocessor list at any time and will make reasonable efforts to notify Client of material changes. Client's continued use of the Services following any such change constitutes acceptance. Client has no right to veto subprocessor appointments. If Client objects to a subprocessor change and the parties cannot resolve the matter within thirty (30) days, Client's sole remedy is to terminate the Services.

8. International Data Transfers

Personal Data may be processed in the United States or in any other jurisdiction where Company or its subprocessors operate. By using the Services, Client expressly consents to such transfers. Company makes no representation that the Services are appropriate or available for use in jurisdictions where such transfers are restricted. Client is solely responsible for determining whether use of the Services is lawful in Client's jurisdiction and for implementing any required transfer mechanisms on Client's end.

9. Data Subject Requests

Client is solely responsible for receiving, evaluating, and responding to all data subject requests (including requests for access, deletion, correction, or portability). Where Company has direct access to the relevant Personal Data and it is technically feasible, Company will provide reasonable assistance to Client in fulfilling such requests. Company reserves the right to charge reasonable fees for assistance that requires material effort. Company is under no obligation to respond directly to data subjects.

10. Data Retention and Deletion

Company retains Personal Data only as necessary to provide the Services and to satisfy applicable legal, security, compliance, or audit obligations. Upon termination of the Agreement:

- Personal Data will be permanently deleted within seven (7) days
- Company has no obligation to export, transfer, or preserve data on Client's behalf
- Client is solely responsible for exporting its data prior to termination
- Limited data may be retained beyond the deletion period solely for security, legal compliance, or audit purposes, not to exceed twelve (12) months, unless a longer retention period is required by applicable law

Company shall not be liable for any loss resulting from the deletion of data following termination.

11. Security

Company implements commercially reasonable technical and organizational safeguards to protect Personal Data against unauthorized access, loss, or disclosure. Client acknowledges that no security system is impenetrable and that Company cannot guarantee absolute security. Client is responsible for securing its own account credentials, API keys, and access controls. Company shall not be liable for breaches or losses attributable to Client's failure to maintain adequate account security.

12. Data Breach Notification

In the event of a confirmed breach of Personal Data under Company's direct control, Company will notify Client within seventy-two (72) hours of becoming aware of the confirmed breach, to the extent practicable. Notification will be provided to the email address on file for Client's account. Company's notification obligation is limited to confirmed breaches under its direct control. Company is not responsible for breaches caused by Client, Client's users, third-party systems outside Company's control, or Client's own security failures. Company's notification does not constitute an admission of fault or liability. Client is solely responsible for any regulatory reporting obligations triggered by a breach, including notifications to supervisory authorities or data subjects.

13. Audit Rights

Upon Client's written request, no more than once per calendar year, Company will provide information reasonably necessary to demonstrate compliance with this DPA. Such information may be provided in the form of documentation, certifications, or a written summary at Company's discretion. On-site audits are not permitted. Any third-party audit engagement requires Company's prior written consent and shall be conducted at Client's sole expense, subject to reasonable confidentiality obligations, and shall not disrupt Company's operations.

14. GDPR, CCPA, and Applicable Law

This DPA is intended to satisfy commonly applicable data processing requirements. To the extent that applicable data protection law (including GDPR, CCPA, or similar regulation) imposes obligations not expressly addressed herein, Client is solely responsible for determining whether the Services meet Client's legal requirements before use. Company makes no warranty that this DPA satisfies the requirements of any specific jurisdiction or regulation. The parties agree to cooperate in good faith to address any specific legal requirements that become applicable during the term, provided that Company shall not be obligated to assume any obligation beyond what is commercially reasonable and consistent with the Services as offered.

15. Limitation of Liability

This DPA is subject in all respects to the limitations of liability set forth in the MSA. Company's aggregate liability arising out of or related to this DPA shall not exceed the liability cap specified in the MSA. Company shall not be liable for any indirect, incidental, consequential, or punitive damages arising from data processing activities, including regulatory fines imposed on Client.

16. Modifications

Company may update this DPA at any time. Notice will be provided by updating the effective date and posting the revised DPA at the applicable URL. Continued use of the Services constitutes acceptance of the updated DPA.

17. Contact

BaseQR.ai
A subsidiary of BaseMonkeys LLC
Raleigh, North Carolina