Data Processing Addendum
Effective Date: July 10, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement (the “Agreement”) between Barista, Inc. (“Barista,” “Processor”) and the customer (“Customer,” “Controller”) for the Barista service (the “Service”). It applies to Barista's processing of Personal Data on Customer's behalf. If there is a conflict, this DPA controls over the Agreement with respect to data protection.
1. Definitions
Terms such as “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Supervisory Authority,” and “Personal Data Breach” have the meanings given under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and U.S. state privacy laws such as the California Consumer Privacy Act as amended (CCPA) and the Oregon Consumer Privacy Act (OCPA).
“Customer Personal Data” means Personal Data within Customer Workspace Data that Barista processes on Customer's behalf under the Agreement.
“Subprocessor” means a third party engaged by Barista to process Customer Personal Data.
2. Roles of the Parties
The parties agree that, for Customer Personal Data, Customer is the Controller (or acts as a processor on behalf of its own client controllers) and Barista is the Processor. Where Customer is itself a processor, Barista acts as a sub-processor, and Customer warrants it has the necessary authority and instructions from the relevant controller.
Under the CCPA, Barista acts as a service provider and will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it except to perform the Service or as permitted by law; or (c) combine it with other data except as permitted by the CCPA.
3. Scope and Instructions
Barista will process Customer Personal Data only:
- to provide, secure, and maintain the Service in accordance with the Agreement;
- in accordance with Customer's documented lawful instructions (the Agreement and Customer's use of the Service constitute such instructions); and
- as required by applicable law, in which case Barista will inform Customer unless legally prohibited.
Barista will notify Customer if, in its opinion, an instruction infringes applicable data protection law.
The subject matter, nature, purpose, duration, categories of Data Subjects, and types of Personal Data are described in Annex 1.
Barista will not use Customer Personal Data to train or fine-tune artificial intelligence or machine learning models, and engages its generative AI Subprocessors (Annex 3) on API terms under which those providers do not use Customer Personal Data to train their models.
4. Customer Responsibilities
Customer warrants that: (a) it has a valid lawful basis and all necessary rights, consents, and notices to provide Customer Personal Data to the Service and to instruct Barista to process it; (b) its instructions comply with applicable law; and (c) it is responsible for the accuracy and legality of the Personal Data it provides. This is particularly relevant where Customer uploads data about journalists and other media contacts who are not Customer's own users.
5. Confidentiality
Barista will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as needed to perform their duties.
6. Security
Barista will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage, taking into account the state of the art and the risks involved. Current measures are described in Annex 2.
7. Subprocessors
Customer provides general authorization for Barista to engage Subprocessors to process Customer Personal Data. Current Subprocessors are listed in Annex 3.
Barista will: (a) impose data protection obligations on each Subprocessor no less protective than those in this DPA; (b) remain responsible for its Subprocessors' performance; and (c) give Customer prior notice (for example, by email) before adding or replacing a Subprocessor, allowing Customer a reasonable period to object on reasonable data protection grounds. If the parties cannot resolve a legitimate objection, Customer may terminate the affected portion of the Service.
8. Data Subject Requests
Taking into account the nature of the processing, Barista will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If Barista receives such a request directly, it will, where lawful, redirect the Data Subject to Customer and not respond except on Customer's instructions.
9. Personal Data Breach
Barista will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its own notification obligations. Barista will take reasonable steps to mitigate and remediate the breach.
10. Data Protection Impact Assessments
Barista will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of processing and information available to Barista.
11. Deletion and Return
On termination or expiry of the Agreement, Barista will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law. The Service makes Customer Workspace Data available for export for a limited period after termination as described in the Agreement. Backup copies are deleted in the ordinary course of Barista's backup cycle.
12. Audits
Barista will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates. To the extent possible, Barista may satisfy audit requests by providing relevant third-party certifications, reports, or documentation. Audits are subject to reasonable notice, confidentiality, and frequency limits, and may not unreasonably disrupt Barista's operations.
13. International Transfers
Where Barista processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply, with Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable. For UK transfers, the UK International Data Transfer Addendum to the SCCs applies. The annex information required by the SCCs is provided in Annexes 1–3, and the parties' signatures to this DPA or the Agreement are treated as signatures to the SCCs.
For the purposes of the UK International Data Transfer Addendum (version B1.0), the parties agree it is completed as follows: Table 1 (Parties): the Exporter is Customer and the Importer is Barista, Inc., each as identified in the Agreement and Customer's account information, with key contacts as designated in the account. Table 2 (Selected SCCs): the Approved EU SCCs incorporated under this Section 13, including the Appendix Information, with Module Two or Module Three as applicable, Clause 7 included, Clause 9(a) Option 2 (general written authorisation as per Section 7), Clause 11 optional language not included, Clause 17 Option 1, and Clause 18(b) specifying the courts of England and Wales. Table 3 (Appendix Information): Annex 1A and 1B as per Annex 1 of this DPA; Annex II as per Annex 2; Annex III as per Annex 3. Table 4: neither party may end the Addendum as set out in Section 19 of the Addendum. Entering into the Agreement constitutes acceptance of the Addendum by both parties.
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
15. Term
This DPA takes effect when the Agreement does and continues until Barista has ceased all processing of Customer Personal Data and deleted or returned it under Section 11.
Annex 1 — Details of Processing
- Subject matter: Provision of the Barista AI-powered PR intelligence Service.
- Duration: For the term of the Agreement and until deletion/return under Section 11.
- Nature and purpose: Hosting, storage, organization, retrieval, AI-assisted research and content generation, and related processing necessary to provide the Service.
- Categories of Data Subjects:Customer's authorized users; media and PR contacts entered into the Service by Customer (e.g., journalists, editors, podcasters, hosts); individuals named in Customer's clients, companies, or documents.
- Types of Personal Data: Names, professional contact details (email, phone, social handles), employer/outlet and role, publicly available professional information, and any other Personal Data Customer chooses to include in Customer Workspace Data. Customer should not upload special-category data; the Service is not intended for it.
- Special categories: None intended.
Annex 2 — Technical and Organizational Security Measures
- Encryption of Personal Data in transit (TLS) and at rest where supported by infrastructure providers.
- Role-based access controls and least-privilege access; multi-factor authentication for administrative access.
- Workspace-level data isolation and row-level access controls.
- Use of reputable infrastructure and subprocessors (see Annex 3) with their own security programs.
- Logging, monitoring, and observability of system and AI activity.
- Regular backups and a documented incident response process.
- Personnel confidentiality obligations and security awareness practices.
Annex 3 — Approved Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database | United States |
| Vercel | Application hosting and delivery | United States |
| OpenAI (via Vercel AI Gateway) | Generative AI processing | United States |
| Anthropic (via Vercel AI Gateway) | Generative AI processing | United States |
| Stripe | Payment processing | United States |
| Resend | Email delivery | United States |
| Braintrust | AI observability | United States |