1. Definitions

Capitalized terms not defined here have the meanings set out in the BidRise Terms of Service or, where applicable, the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”).

• “Controller” means the customer entity that uses the BidRise Service and determines the purposes and means of processing Personal Data.
• “Processor” means Live Lead Solutions LLC, operating BidRise.
• “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
• “Subprocessor” means a third party engaged by the Processor to process Personal Data.
• “Sub-Data Subject” means a customer of the Controller (e.g. the homeowner who receives a bid).

2. Roles and Scope

With respect to Personal Data the Controller submits to the Service (such as customer names, email, phone, address, bid content, and recordings of customer interactions), the Controller is the Controller and BidRise is the Processor. With respect to BidRise account data of the Controller’s personnel (such as login email, name, and audit-log records), BidRise is an independent Controller for the limited purpose of operating the Service.

Under CCPA/CPRA, BidRise acts as a “Service Provider” and is contractually prohibited from (a) selling or sharing Personal Data, (b) retaining, using, or disclosing Personal Data outside the direct business relationship, and (c) combining Personal Data received from the Controller with data from any other source except as permitted by § 7050(b) of the CCPA Regulations.

3. Subject Matter, Duration, Nature, and Purpose

• Subject matter: Provision of the BidRise platform — AI-powered bid generation, customer management, e-signature, and related services.
• Duration: The term of the Controller’s active subscription plus the 30-day deletion grace period and any retention period required by law (e.g. tax retention).
• Nature of processing: Storage, transmission, transcription, AI inference, email delivery, and other operations necessary to operate the Service.
• Purpose: To enable the Controller to generate, manage, and deliver bids to its own customers.
• Categories of Sub-Data Subjects: The Controller’s customers, prospects, and team members.
• Categories of Personal Data: Identifiers (name, email, phone, address); commercial information (bid content, totals); audio and video recordings of customer interactions; e-signature records (name, IP, timestamp); device push tokens.

4. Processor Obligations

BidRise will:

• Process Personal Data only on the Controller’s documented instructions, including the use of the Service in accordance with the Terms of Service and the Privacy Policy.
• Ensure that personnel authorized to process Personal Data are bound by confidentiality.
• Implement and maintain the technical and organizational security measures described in Section 6.
• Assist the Controller, by appropriate means and taking the nature of processing into account, in responding to data-subject requests under applicable law.
• Make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.
• Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting the Controller’s data.

5. Subprocessors

The Controller authorizes BidRise to engage Subprocessors. The current list is published in Section 11 of the Privacy Policy and is updated as Subprocessors are added or replaced. BidRise will:

• Provide at least 30 days’ advance notice before engaging a new Subprocessor that processes Personal Data;
• Bind each Subprocessor by a written agreement imposing data-protection obligations no less protective than those in this DPA;
• Remain liable for the acts and omissions of each Subprocessor in the same manner and to the same extent as for its own.

If the Controller objects in writing to a new Subprocessor on reasonable data-protection grounds within the 30-day notice period, the Controller’s sole remedy is to terminate the affected portion of the Service for convenience.

6. Security Measures

• Encryption: TLS 1.2+ in transit; AES-256 at rest for stored objects (database and storage buckets).
• Access control: Role-based access in the application layer; production credentials limited to the founder; SSO + 2FA on all subprocessor accounts.
• Network security: Service-role keys are server-side only and never exposed to the browser; security headers (HSTS, X-Frame-Options, CSP) are enforced.
• Application security: Input validation on public endpoints; UUID format checks; webhook timeouts; idempotency on payment events.
• Logging: Tamper-evident audit log retained per Section 10 of the Privacy Policy.
• Backups: Daily encrypted backups retained by the database subprocessor.
• Personnel: Confidentiality obligations and need-to-know access.

7. International Transfers

Personal Data is processed in the United States. Where the Controller transfers Personal Data of EEA, UK, or Swiss data subjects to BidRise, the parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission (EU 2021/914), Module Two (controller-to-processor), with BidRise as “data importer.” The optional docking clause is included; the governing-law option is the law of the Republic of Ireland. The UK International Data Transfer Addendum (or, at the Controller’s option, the UK IDTA standalone) and the Swiss FDPIC adaptations apply where the relevant data subjects are located in those jurisdictions.

8. Data-Subject Requests

BidRise will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights of access, rectification, erasure, restriction, portability, and objection. The Controller can fulfill most requests directly using the Service’s self-service tools (export, delete, edit). Where assistance is required, contact kaden@liveleadsolutions.com.

9. Audits

The Controller may, no more than once per twelve-month period and on at least 30 days’ written notice, request that BidRise complete a reasonable security questionnaire or provide summary results of its most recent vulnerability scan or third-party audit, subject to confidentiality. On-site audits are not provided; the Controller’s information rights are satisfied by the foregoing and by the documentation referenced in the Privacy Policy and Terms of Service.

10. Return and Deletion

Upon termination of the Service, the Controller may export Personal Data using the Service’s built-in tools at any time before deletion. After the 30-day deletion grace period elapses, BidRise will permanently delete or anonymize all Personal Data in its possession or control, except for (a) data BidRise is legally required to retain (e.g. tax and billing records for at least 7 years under IRS § 6001), (b) Personal Data retained in routine encrypted backups for the standard backup-retention period (after which it is overwritten), and (c) electronic-signature records described in Section 13 of the Privacy Policy.

11. Liability

The aggregate liability of each party arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits the parties’ obligations under applicable data-protection law.

12. Order of Precedence; Changes

If any provision of this DPA conflicts with the Terms of Service, this DPA prevails to the extent of the conflict and only with respect to the processing of Personal Data. BidRise may amend this DPA where required by changes to applicable law; material changes will be notified at least 30 days before they take effect.

13. Acceptance

By creating or maintaining a paying BidRise account, the Controller is deemed to have accepted this DPA on behalf of the entity it represents. A countersigned copy is available on request to kaden@liveleadsolutions.com.