Data Processing Agreement
Last updated: 20 May 2026
Version: 1.0
Permanent link to this version: bespokely.io/legal/dpa/v1.0
This Data Processing Agreement ("DPA") forms part of the agreement between Bespokely Inc. ("Bespokely", "Processor") and the customer identified in the relevant Order Confirmation ("Customer", "Controller") for the provision of Bespokely's products (the "Services").
By accepting Bespokely's Terms of Service, the Customer also accepts this DPA. The DPA applies whenever Bespokely processes personal data on behalf of the Customer in connection with the Services.
Note for Customer: this DPA is offered as Bespokely's standard form. A Customer who requires a counter-signed copy for their records may request one by emailing privacy@bespokely.io with the subject line "DPA counter-signature request — [Customer name]". Counter-signed copies do not change the substantive terms of this DPA.
§1 Definitions
Capitalised terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679), the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 ("SCCs"), or — where defined here — in this DPA.
- Personal Data means any information relating to an identified or identifiable natural person that Bespokely processes on behalf of the Customer in providing the Services.
- Data Subject means a natural person to whom Personal Data relates.
- Sub-processor means a third party engaged by Bespokely to process Personal Data on behalf of the Customer.
- Sub-processor List means the list of Sub-processors maintained at bespokely.io/legal/sub-processors, as updated from time to time.
- TOMs means the technical and organisational measures published at bespokely.io/legal/security, as updated from time to time.
- Applicable Data Protection Law means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act / California Privacy Rights Act, and any other data-protection law applicable to the Customer's use of the Services.
§2 Subject matter, nature, and duration of processing
§2.1 Subject matter
Bespokely processes Personal Data on behalf of the Customer solely to provide the Services described in the Order Confirmation.
§2.2 Nature and purpose
The nature and purpose of processing are described in Annex 1 to this DPA. Examples include hosting the Customer's website, operating the Customer's client portal, operating an AI assistant on the Customer's behalf, and sending transactional emails on the Customer's behalf.
§2.3 Categories of Data Subjects and Personal Data
Categories of Data Subjects and types of Personal Data are described in Annex 1.
§2.4 Duration
Processing lasts for the duration of the Services, plus any period required for return or deletion of Personal Data under §13.
§3 Roles of the parties
- The Customer is the Controller (or Processor on behalf of its own controllers in the case of B2B downstream relationships) of the Personal Data.
- Bespokely acts as the Processor.
- Where the Customer is itself a Processor for an upstream controller, the Customer warrants that it has authority to engage Bespokely as a Sub-processor.
§4 Customer instructions
§4.1 General instruction
The Customer instructs Bespokely to process Personal Data only as necessary to provide the Services, and only as documented in the Order Confirmation, this DPA, the Customer's configuration within Bespokely's products, and any additional written instructions the Customer provides.
§4.2 Compliance with law
Bespokely will notify the Customer if it considers an instruction to infringe Applicable Data Protection Law. Bespokely is not obliged to follow an instruction it reasonably believes would cause it to breach Applicable Data Protection Law.
§4.3 Legal disclosure
Where Bespokely is required by law to process Personal Data outside the Customer's instructions, Bespokely will inform the Customer before processing unless the relevant law prohibits such notice.
§5 Confidentiality
Bespokely ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations. Confidentiality obligations survive termination of employment or engagement.
§6 Security of processing
§6.1 TOMs
Bespokely implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The current TOMs are published at bespokely.io/legal/security and are incorporated into this DPA by reference (Annex 3).
§6.2 Updates to TOMs
Bespokely may update its TOMs from time to time, provided the updates do not materially reduce the level of security. Material reductions require the Customer's prior written consent.
§6.3 Pseudonymisation and encryption
TOMs include — without limitation — encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+), pseudonymisation where feasible, and access controls based on the principle of least privilege.
§7 Sub-processors
§7.1 General authorisation
The Customer grants Bespokely a general authorisation to engage the Sub-processors listed in the Sub-processor List at the time of conclusion of this DPA. The Sub-processor List is incorporated into this DPA by reference (Annex 2).
§7.2 Changes
Bespokely will provide at least 30 days' notice before engaging a new Sub-processor or replacing an existing one, by email to the Customer's notification contact and by updating the Sub-processor List.
§7.3 Right to object
The Customer may object to a new Sub-processor within 30 days of notification by emailing privacy@bespokely.io with the subject line "Sub-processor objection". If Bespokely cannot accommodate the objection by reasonable means (e.g., the new Sub-processor delivers functionality that has no alternative), the Customer may terminate the affected Services with no early-termination penalty, and Bespokely will refund pre-paid fees for unused months pro-rata.
§7.4 Flow-down
Bespokely imposes on each Sub-processor data-protection obligations no less protective than those in this DPA, by way of a written contract that includes SCCs where applicable.
§7.5 Liability
Bespokely remains liable to the Customer for the performance of its Sub-processors in respect of their data-protection obligations.
§8 Assistance with data subject rights
§8.1 Data subject requests received by Bespokely
If a Data Subject contacts Bespokely directly with a request to exercise rights under Articles 15–22 GDPR (or equivalent), Bespokely will route the request to the Customer without undue delay and will not respond to the Data Subject except to confirm receipt and to refer them to the Customer.
§8.2 Assistance to Customer
Bespokely will provide reasonable assistance to the Customer in responding to Data Subject requests, including by providing tooling within the Services for the Customer to access, export, correct, and delete Personal Data. Where Bespokely provides assistance beyond what is reasonably available through the Services, Bespokely may charge a reasonable fee at its standard hourly rate.
§8.3 SLA
Bespokely will respond to a Customer assistance request relating to a documented Data Subject request within 14 days of receipt.
§9 Assistance with controller obligations
Bespokely will provide reasonable assistance to the Customer with the Customer's obligations under Articles 32–36 GDPR (security of processing, breach notification, data protection impact assessment, prior consultation), taking into account the nature of processing and the information available to Bespokely.
§10 Personal data breaches
§10.1 Notification timeline
Bespokely will notify the Customer of any confirmed Personal Data Breach affecting the Customer's Personal Data without undue delay and in any case within 24 hours after Bespokely becomes aware of the breach.
§10.2 Notification content
The notification will include, to the extent then known: (a) the nature of the breach, (b) categories and approximate number of Data Subjects and records concerned, (c) likely consequences, (d) measures taken or proposed.
§10.3 No admission
Notification under this §10 is not an admission of fault or liability by Bespokely.
§11 International transfers
§11.1 Transfer mechanism
Where Bespokely processes Personal Data outside the EEA/UK/Switzerland on behalf of the Customer, the transfer is safeguarded by: (a) the EU-US Data Privacy Framework adequacy decision, where the recipient (Bespokely or a Sub-processor) is DPF-certified and the certification covers the relevant data; or (b) the SCCs (Module 2 — Controller-to-Processor or Module 3 — Processor-to-Processor as applicable), incorporated by reference into this DPA (Annex 4); or (c) another transfer mechanism permitted under Chapter V GDPR.
§11.2 SCC incorporation
Where the SCCs apply, the SCCs are deemed entered into between the parties on the following terms:
- Module: Module 2 (Controller to Processor) by default; Module 3 (Processor to Processor) where the Customer is itself a Processor.
- Docking clause (Clause 7): opted in.
- Sub-processor clause (Clause 9): option 2 (general written authorisation) per §7.1 above with 30 days' notice.
- Redress (Clause 11): independent dispute resolution mechanism not selected.
- Liability (Clause 12): as agreed in the underlying Master Services Agreement.
- Supervisory authority (Clause 13): [TBD per Customer's establishment — typically the supervisory authority of the Member State where the Customer is established].
- Governing law (Clause 17): law of the Member State where the Customer is established.
- Forum (Clause 18): courts of the Member State where the Customer is established.
- Annex I.A (Parties) = Annex 1.A of this DPA.
- Annex I.B (Description of transfer) = Annex 1.B of this DPA.
- Annex II (TOMs) = bespokely.io/legal/security.
- Annex III (Sub-processors) = bespokely.io/legal/sub-processors.
§11.3 Transfer Impact Assessment
Bespokely maintains a Transfer Impact Assessment (TIA) for each Sub-processor where the transfer is not covered by DPF. The TIA is provided to the Customer on request.
§12 Audit and inspection
§12.1 Audit by certification
The Customer's audit right under Art. 28(3)(h) GDPR is satisfied primarily through Bespokely's third-party certifications and reports (e.g., SOC 2 Type II reports of Bespokely or its Sub-processors). Bespokely will provide such reports under NDA on the Customer's reasonable request.
§12.2 Customer audit
Where the certifications in §12.1 do not address a specific control the Customer reasonably requires to be audited, the Customer may conduct an audit by way of a written questionnaire. On-site audits are permitted only (i) where the questionnaire and certifications are insufficient, (ii) following 30 days' written notice, (iii) during business hours, (iv) without disrupting Bespokely's operations, (v) no more than once per 12 months except where required by supervisory authority order or following a confirmed Personal Data Breach, and (vi) at the Customer's expense.
§12.3 Cooperation with supervisory authorities
Bespokely will cooperate with supervisory authorities as required by law.
§13 Return or deletion of personal data
§13.1 End of Services
At the choice of the Customer expressed in writing within 30 days after the end of the Services, Bespokely will either: (a) return the Personal Data in a structured, commonly used, machine-readable format (JSON, CSV, or comparable), or (b) delete the Personal Data.
§13.2 Default
If the Customer makes no choice within the 30-day window, Bespokely will delete the Personal Data within a further 30 days.
§13.3 Retention by law
This §13 does not apply where Bespokely is required to retain Personal Data by Union or Member State law.
§13.4 Backups
Personal Data may persist in encrypted backups for up to 30 days after deletion; such backups are not restored except for disaster recovery, in which case the deletion is re-applied promptly.
§14 Liability
Liability under this DPA is subject to the limitations and exclusions in the underlying Master Services Agreement and the Bespokely Terms of Service, except where Applicable Data Protection Law (in particular Articles 82–83 GDPR) requires otherwise. Nothing in this DPA limits a Data Subject's rights under Applicable Data Protection Law.
§15 Term and termination
This DPA enters into force on the effective date of the Master Services Agreement and continues for as long as Bespokely processes Personal Data on behalf of the Customer. The provisions of §13 (Return or deletion), §10 (Breaches relating to events during the term), §12 (Audit relating to events during the term), and §14 (Liability) survive termination.
§16 Order of precedence
In the event of conflict:
- The SCCs (where applicable) prevail over this DPA.
- This DPA prevails over the Master Services Agreement and the Terms of Service in respect of the processing of Personal Data.
- The Master Services Agreement and Terms of Service govern all other matters.
§17 Governing law
This DPA is governed by the law of the State of Delaware, USA, except where mandatory provisions of Applicable Data Protection Law in the Customer's jurisdiction prevail. Where the SCCs apply, the governing law for the SCCs is as specified in §11.2.
§18 Updates to this DPA
Bespokely may update this DPA from time to time. Material updates are notified to active Customers by email at least 30 days before they take effect. Updates that tighten Bespokely's obligations or strengthen Customer protections take effect immediately and are notified within 30 days of publication.
Annex 1 — Processing details
A. Parties
Controller (data exporter): the Customer identified in the Order Confirmation.
Processor (data importer): Bespokely Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA. Contact: privacy@bespokely.io · +1 (512) 348-6588.
B. Description of the transfer
Categories of Data Subjects
The categories of Data Subjects whose Personal Data is processed depend on the Customer's use of the Services and may include:
- visitors to the Customer's website,
- registered users of the Customer's client portal,
- the Customer's clients, prospects, contacts, and employees,
- recipients of transactional communications sent by the Customer.
Categories of Personal Data
- identifiers (name, email, phone, account credentials),
- profile attributes the Customer chooses to collect (job title, company, jurisdiction, language),
- content data submitted via forms, portal, or AI assistant (messages, documents, files),
- usage data (login timestamps, page views, interaction logs),
- technical data (IP address, user agent, session metadata).
Special categories of data
Bespokely's Services are not designed to process special categories of Personal Data under Art. 9 GDPR. Where the Customer's use of the Services would result in processing of such categories, the Customer is responsible for the lawfulness of that processing and must inform Bespokely so that additional safeguards can be agreed.
Frequency
Continuous, for the duration of the Services.
Nature of processing
Hosting, storage, structured and unstructured data processing, transmission, display, search and retrieval, AI inference (where the Services include an AI assistant), backup, deletion.
Purpose
Provision of the Services as described in the Order Confirmation.
Retention period
For the duration of the Services. After termination, see §13 of this DPA.
Sub-processors
As listed in the Sub-processor List at bespokely.io/legal/sub-processors.
C. Competent supervisory authority
The supervisory authority of the Member State (or country) in which the Customer is established, except where another supervisory authority has primary competence under Art. 56 GDPR.
Annex 2 — Sub-processors
The current Sub-processor List is published and maintained at:
bespokely.io/legal/sub-processors
This Annex is dynamically incorporated into the DPA. Each version of the Sub-processor List has a permanent versioned URL (e.g., /v1.0) preserved for evidentiary reference.
Annex 3 — Technical and organisational measures
The current TOMs are published and maintained at:
bespokely.io/legal/security
This Annex is dynamically incorporated into the DPA. Each version has a permanent versioned URL (e.g., /v1.0).
Annex 4 — Standard Contractual Clauses
Where applicable under §11 of this DPA, the SCCs adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference. The current authoritative text is published at:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
Module 2 (Controller-to-Processor) applies by default. Module 3 (Processor-to-Processor) applies where the Customer is itself a Processor.
Annexes I, II, and III of the SCCs are populated by reference to Annex 1, Annex 3, and Annex 2 of this DPA respectively, as set out in §11.2.
Contact for DPA questions: Bespokely Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA · privacy@bespokely.io · +1 (512) 348-6588
This DPA is a template. It does not replace independent legal advice. Bespokely recommends that Customers seek their own counsel before relying on the terms of this DPA to satisfy specific regulatory requirements applicable to their business.