This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between CINNIMON T/A BoldPiq (Reg. 2015/193038/07) (“Processor”, “BoldPiq”) and the customer (“Controller”, “Client”) and applies where BoldPiq processes Client Personal Data on behalf of the Client.

1. Definitions

“Personal Data”: information relating to an identified or identifiable natural person.

“Controller”: the Client who determines the purposes and means of processing.

“Processor”: BoldPiq, acting on behalf of the Client.

“Sub-Processor”: third parties engaged by BoldPiq to process Personal Data in connection with the Services.

“Applicable Law”: includes, as applicable, the South African Protection of Personal Information Act (POPIA), EU/UK General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Brazilian LGPD, and any other relevant data protection laws.

“Data Subject”: the individual to whom Personal Data relates.

“Security Incident”: a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by BoldPiq.

“SCCs”: the EU Standard Contractual Clauses (2021/914, Modules 2 and/or 3, as applicable), including any UK Addendum/IDTA and Swiss addendum where relevant.

2. Roles and Scope

The Client is the Controller.
BoldPiq acts as a Processor for the limited purpose of providing services under the Agreement (e.g., CRM, website hosting, marketing automation, communication campaigns).
BoldPiq shall only process Personal Data in accordance with documented instructions from the Client, unless required by law. Client instructs BoldPiq to process Personal Data solely as necessary to provide the Services and as further documented in this DPA and the Agreement. BoldPiq will promptly inform Client if, in its opinion, an instruction infringes Applicable Law. Client is responsible for the lawfulness of its instructions and for required notices/consents.

3. Processing Details

Subject Matter: processing of Client Personal Data to provide BoldPiq services.

Duration: for the term of the Agreement, unless retention is required by law.

Nature and Purpose: storage, transmission, and management of Personal Data for CRM, marketing, communications, and business automation.

Types of Data: contact details, communications, transactional and engagement data, and other data input by the Client.

Categories of Data Subjects: Client’s customers, leads, prospects, employees, and contractors as determined by the Client.

4. Security Measures

BoldPiq shall implement and maintain appropriate technical and organizational measures (TOMs) designed to protect Personal Data, including at a minimum:
(a) access controls (role-based, least-privilege, unique accounts);
(b) authentication (password policies; support for 2FA on staff accounts);
(c) encryption (TLS in transit; encryption at rest as provided by GoHighLevel);
(d) confidentiality obligations for personnel;
(e) logging and monitoring of access;
(f) vulnerability management and patching on a risk-prioritized basis;
(g) business continuity and disaster recovery proportional to the Services;
(h) data minimization and retention controls; and
(i) a documented incident response program.

Security Incident Notice. BoldPiq shall notify Client without undue delay and no later than 72 hours after becoming aware of a Security Incident affecting Client Personal Data, and provide information reasonably available for Client to meet its breach-notification obligations.

5. Sub-Processors

BoldPiq may engage Sub-Processors for delivery of its services, including but not limited to:

GoHighLevel (Zip360) – CRM and automation platform.

Email/SMS communication partners – delivery of client communications.

Payment processors – billing and transaction handling.

BoldPiq will ensure each Sub-Processor provides data protection at least equivalent to this DPA.

A list of current Sub-Processors is available upon written request to [email protected].

Client consents to BoldPiq’s use of such Sub-Processors.

6. Data Subject Rights

BoldPiq will assist the Client in fulfilling obligations to respond to Data Subject requests, including rights of access, correction, deletion, objection, and portability.
Requests may be directed to the Client, and BoldPiq shall support with reasonable cooperation.
Data Subject requests sent directly to BoldPiq will be forwarded to the Client without undue delay.

7. International Data Transfers

Personal Data may be processed in jurisdictions where BoldPiq or its Sub-Processors operate, including the United States. Where such processing involves a restricted transfer under Applicable Law, the parties agree the SCCs (2021/914, Module 2 and/or 3 as applicable) are incorporated by reference and apply; for UK transfers, the UK Addendum/IDTA applies; and for Switzerland, the SCCs apply as adapted by the Swiss FDPIC guidance. Where required, BoldPiq will execute the SCCs upon Client request.

8. Audits and Compliance

Upon written request, BoldPiq will make available information reasonably necessary to demonstrate compliance with this DPA.
Once per 12-month period, Client may conduct (at Client’s cost) an audit limited to systems and processes relevant to BoldPiq’s Processing of Client Personal Data, on 30 days’ prior written notice, during normal business hours, and without undue disruption.
BoldPiq may satisfy audit requests by providing independent third-party audit reports or certifications (where available).
The annual limitation does not apply where required by law or following a verified Security Incident.
Audit findings constitute BoldPiq Confidential Information.

9. Return and Deletion of Data

Upon termination or expiry of the Services, Client may request a machine-readable export of Personal Data processed by BoldPiq.
Within 30 days of termination (or as otherwise required by law), BoldPiq will delete Personal Data from active systems and complete scheduled deletion from backups within 90 days thereafter, unless retention is legally required.
Assistance beyond standard export/deletion tooling may incur reasonable fees.

10. Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set out in the Agreement, except where prohibited by Applicable Law.

11. Governing Law

This DPA shall be governed by and construed in accordance with the governing law set forth in the Agreement, subject to mandatory data protection law.

12. CCPA/CPRA (U.S.)

To the extent BoldPiq processes Personal Information (as defined by CCPA/CPRA) on behalf of Client, BoldPiq acts as a Service Provider/Contractor and shall:
(a) process Personal Information solely to provide the Services and as permitted by CCPA/CPRA;
(b) not sell or share Personal Information;
(c) not retain, use, or disclose Personal Information outside the direct business relationship with Client;
(d) not combine Personal Information received from Client with other data except as permitted by CCPA/CPRA; and
(e) notify Client of any legally binding request for disclosure unless prohibited by law.
BoldPiq will provide reasonable assistance for Client to meet its CCPA/CPRA obligations.

13. Contact Information

Questions or requests relating to this DPA, Sub-Processors, or Data Subject rights should be directed to:

BoldPiq – Data Protection Contact
[email protected]

14. Order of Precedence; Amendments

In the event of conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding Processing of Personal Data. The parties may update this DPA by mutual written agreement or as required by changes in Applicable Law.