Data Processing Addendum (DPA) - Beotela

Effective Date: 06 June 2026

This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions between:

Beotela OOD, VAT Number BG130389067, Ul. Gurgulyat 33, Sofia, Bulgaria (“Beotela”, “Processor”, “we”, “us”), and

the customer using Beotela (“Customer”, “Controller”).

This DPA applies whenever Beotela processes Personal Data on behalf of the Customer in connection with the Services.

In the event of a conflict between this DPA and the Terms & Conditions, this DPA shall prevail with respect to Personal Data processing.

1. Definitions

For purposes of this DPA:

Controller means the entity that determines the purposes and means of processing Personal Data.

Processor means the entity that processes Personal Data on behalf of the Controller.

Personal Data means any information relating to an identified or identifiable natural person.

Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, transmission, or analysis.

Data Subject means the individual to whom Personal Data relates.

Applicable Data Protection Laws means all applicable privacy and data protection laws, including Regulation (EU) 2016/679 (GDPR).

2. Scope

This DPA applies to Personal Data processed by Beotela on behalf of the Customer when providing the Services.

The Customer acts as Controller.

Beotela acts as Processor.

The Customer is responsible for ensuring that it has a lawful basis for processing and providing Personal Data to Beotela.

3. Nature and Purpose of Processing

Beotela processes Personal Data solely to provide the Services requested by the Customer.

Processing activities may include:

Hosting and storage of Customer data.
User authentication and account management.
AI-powered operational features.
Customer support.
Security monitoring.
Backup and disaster recovery.

4. Categories of Personal Data

Depending on how the Services are used, Beotela may process:

Names.
Email addresses.
User account information.
Uploaded files and documents.
Business and operational information provided for assessment or services.
Communications data.
Technical and usage data.
Any Personal Data submitted by the Customer through the Services.

Beotela does not intentionally require the processing of special category data as defined under Article 9 GDPR.

Customers should avoid submitting special category data unless strictly necessary and legally permitted.

5. Customer Instructions

Beotela shall process Personal Data only:

On documented instructions from the Customer.
As necessary to provide the Services.
As required by applicable law.

The Terms & Conditions, user configuration settings, API requests, and platform functionality constitute the Customer’s documented instructions.

6. Confidentiality

Beotela shall ensure that authorised individuals, including contractors authorised to process Personal Data:

Are subject to confidentiality obligations.
Receive appropriate training regarding data protection.
Access Personal Data only where necessary.

7. Security Measures

Beotela shall implement appropriate technical and organisational measures designed to protect Personal Data.

Such measures may include:

Encryption in transit.
Encryption at rest where appropriate.
Access controls.
Authentication mechanisms.
Audit logging.
Infrastructure monitoring.
Backup and recovery procedures.
Security testing and vulnerability management.

Beotela may update security measures from time to time provided the overall level of protection is not materially reduced.

8. Sub-Processors

The Customer authorises Beotela to engage sub-processors as necessary to provide the Services.

Current sub-processors may include:

Provider	Purpose
Supabase	Hosting, database, authentication
Stripe	Payment processing
Anthropic	AI processing
Google	Authentication services
Resend	Email delivery

Beotela shall ensure that sub-processors are subject to data protection obligations substantially similar to those set forth in this DPA.

Beotela remains responsible for the performance of its sub-processors.

9. International Transfers

Some sub-processors listed in Section 8 are located outside the European Economic Area, including in the United States. Where Personal Data is transferred to such sub-processors, Beotela relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism in accordance with GDPR Article 46. Each sub-processor outside the EEA is required to maintain their own appropriate transfer safeguards. Customers may request information on the specific transfer mechanisms applicable to individual sub-processors.

10. Assistance to the Customer

Taking into account the nature of processing and information available to Beotela, Beotela shall provide reasonable assistance to the Customer regarding:

Data Subject requests.
Security obligations.
Data Protection Impact Assessments.
Regulatory inquiries.
GDPR compliance obligations.

Beotela may charge reasonable fees for extensive assistance beyond standard support obligations.

11. Personal Data Breaches

If Beotela becomes aware of a confirmed or reasonably suspected Personal Data Breach affecting Customer Personal Data, Beotela shall:

Notify the Customer without undue delay and no later than 48 hours after becoming aware of the breach. Provide, to the extent available at the time of notification: a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Take reasonable steps to mitigate adverse effects and prevent recurrence. Cooperate with the Customer regarding any required regulatory notifications.

Where full information is not available within 48 hours, Beotela shall provide an initial notification within that period and follow up with additional detail as it becomes available. Notification of a breach does not constitute an admission of fault or liability by Beotela.

12. Data Subject Requests

If Beotela receives a request directly from a Data Subject relating to Customer Personal Data, Beotela shall:

Notify the Customer where legally permitted.
Not respond directly except as instructed by the Customer or required by law.

The Customer remains responsible for responding to Data Subject requests.

13. Audits and Information Rights

Upon reasonable written request, Beotela shall make available information reasonably necessary to demonstrate compliance with this DPA.

Any audit:

Must be conducted during normal business hours.
Must not unreasonably interfere with operations.
Must be subject to confidentiality obligations.
May be satisfied through security certifications, reports, or questionnaires where appropriate.

The Customer shall bear its own audit costs.

14. Deletion and Return of Data

Upon termination of the Services, Beotela shall, upon request:

Return Customer Personal Data, where technically feasible; or
Delete Customer Personal Data.

Beotela may retain data where required by law, regulatory obligations, or legitimate security and backup requirements.

Any retained data shall remain protected under this DPA.

15. Liability

Each party’s liability under this DPA shall be subject to the limitations of liability contained within the Terms & Conditions, except where prohibited by applicable law.

16. Governing Law

This DPA shall be governed by the laws of the Republic of Bulgaria.

Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the competent courts of Sofia, Bulgaria.

17. Contact

For privacy and data processing matters:

Beotela OOD
VAT Number: BG130389067
Ul. Gurgulyat 33
Sofia, Bulgaria

Email: privacy@beotela.biz

Website: https://beotela.biz