Data Processing Addendum

Version 1.0
Last Updated: November 21, 2025

Effective Date: November 20, 2025

Version: 1.0

Plain English Summary

This Data Processing Addendum (DPA) is a legal agreement required by privacy laws like GDPR. It defines how LocalBeat processes personal data on your behalf when you use our services. In this agreement, you are the "Controller" (you decide what data to collect and why), and we are the "Processor" (we handle data according to your instructions). We commit to processing data securely, only for authorized purposes, using approved subprocessors, implementing appropriate security measures, assisting with data subject requests, and notifying you of security incidents. This DPA includes Standard Contractual Clauses for international data transfers and ensures compliance with GDPR, CCPA, and other privacy regulations.

1. Definitions

For purposes of this Data Processing Addendum:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, or other handling.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the customer).
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller (LocalBeat).
  • "Subprocessor" means any third party engaged by LocalBeat to Process Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and similar laws.
  • "GDPR" means the European Union General Data Protection Regulation (EU) 2016/679.
  • "CCPA" means the California Consumer Privacy Act and California Privacy Rights Act.
  • "Standard Contractual Clauses" (SCCs) means the European Commission-approved standard contractual clauses for international data transfers.
  • "Security Incident" means any unauthorized or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

2. Scope and Application

2.1 Incorporation

This Data Processing Addendum (DPA) is incorporated into and forms part of the Terms of Service between you (Controller) and LocalBeat (Processor). This DPA applies to all Processing of Personal Data by LocalBeat on your behalf in connection with the Services.

2.2 Applicability

This DPA applies when:

  • You use LocalBeat's services to collect, store, or process Personal Data
  • You are subject to Data Protection Laws (GDPR, CCPA, etc.)
  • You act as a Controller and LocalBeat acts as a Processor

2.3 Hierarchy

In the event of conflict between this DPA and other agreements:

  1. This DPA takes precedence for data processing matters
  2. Standard Contractual Clauses (if applicable) take precedence over this DPA
  3. Mandatory Data Protection Laws take precedence over all agreements

2.4 Duration

This DPA remains in effect as long as LocalBeat Processes Personal Data on your behalf, including during the term of your subscription and for the data retention period thereafter.

3. Roles and Responsibilities

3.1 Controller Responsibilities

As Controller, you are responsible for:

  • Determining the purposes and means of Processing Personal Data
  • Ensuring lawful basis for Processing (consent, contract, legitimate interest, etc.)
  • Providing privacy notices to Data Subjects
  • Obtaining necessary consents and authorizations
  • Responding to Data Subject requests (with our assistance)
  • Complying with Data Protection Laws
  • Implementing your own security and privacy measures

3.2 Processor Responsibilities

As Processor, LocalBeat is responsible for:

  • Processing Personal Data only according to your documented instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting with Data Subject rights requests
  • Notifying you of Security Incidents
  • Engaging only approved Subprocessors
  • Assisting with compliance obligations (audits, impact assessments)
  • Deleting or returning Personal Data upon termination

3.3 Instructions

Your instructions to LocalBeat for Processing Personal Data are:

  • Use of the Services in accordance with the Terms of Service
  • Configuration settings you apply through the dashboard
  • Written instructions provided via email to privacy@mylocalbeat.com

LocalBeat will not Process Personal Data except as instructed by you or as required by law.

3.4 Unlawful Instructions

If we believe your instructions violate Data Protection Laws, we will inform you and may refuse to comply with such instructions.

4. Data Processing

4.1 Nature and Purpose

LocalBeat Processes Personal Data for the following purposes:

  • Providing content management services
  • Hosting and delivering website content
  • Storing media files and user-generated content
  • Sending email campaigns and newsletters
  • Generating AI-powered content
  • Processing analytics and usage data
  • Providing customer support
  • Maintaining security and preventing fraud

4.2 Types of Personal Data

Personal Data Processed may include:

  • Account Data: Name, email address, phone number, billing address
  • User-Generated Content: Posts, pages, comments, media files, profile information
  • Subscriber Data: Email addresses, names, subscription preferences
  • Technical Data: IP addresses, browser type, device information, cookies
  • Usage Data: Pages viewed, features used, navigation patterns
  • Communication Data: Support requests, email correspondence

4.3 Categories of Data Subjects

Data Subjects may include:

  • Your account users (administrators, editors, contributors)
  • Your website visitors and readers
  • Your email newsletter subscribers
  • Individuals who submit forms or comments
  • Your customers and business contacts

4.4 Processing Duration

Personal Data is Processed for:

  • The duration of your subscription
  • Retention periods specified in our Privacy Policy
  • Additional periods required by law or legal obligations

5. Security Measures

5.1 Technical Measures

LocalBeat implements the following technical security measures:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Authentication: Secure authentication via Clerk with optional two-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection via Cloudflare
  • Monitoring: Continuous security monitoring, logging, and alerting
  • Vulnerability Management: Regular security assessments and patching

5.2 Organizational Measures

LocalBeat implements the following organizational security measures:

  • Employee Training: Regular security and privacy training for all personnel
  • Access Management: Restricted access to Personal Data on a need-to-know basis
  • Confidentiality: Confidentiality agreements for all employees and contractors
  • Incident Response: Security incident response plan and procedures
  • Vendor Management: Security requirements for all Subprocessors
  • Policy Enforcement: Security policies and regular compliance reviews

5.3 Security Standards

Our security measures are designed to:

  • Protect against unauthorized or unlawful Processing
  • Prevent accidental loss, destruction, or damage to Personal Data
  • Ensure confidentiality, integrity, and availability of Personal Data
  • Comply with industry best practices and Data Protection Laws

5.4 Security Updates

We regularly review and update security measures to address:

  • Evolving security threats and vulnerabilities
  • Changes in technology and best practices
  • Regulatory requirements and guidance
  • Risks associated with Processing activities

6. Subprocessors

6.1 Authorization

You authorize LocalBeat to engage the following Subprocessors to Process Personal Data:

| Subprocessor | Service | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Account data, authentication credentials | United States |
| Stripe | Payment processing | Payment information, billing address | United States |
| Vercel | Hosting and deployment | All platform data | United States |
| Neon | Database services | All platform data | United States |
| Cloudinary | Media storage and delivery | Uploaded images and media files | United States |
| Resend | Email delivery | Email addresses, message content | United States |
| OpenAI | AI content generation | Generation prompts and outputs | United States |
| NewsData.io | News content aggregation | Search queries, preferences | India |
| Cloudflare | DNS and CDN services | IP addresses, request data | United States |

See our Subprocessor List for complete details, including privacy policy links and contact information.

6.2 Subprocessor Obligations

We ensure that all Subprocessors:

  • Are bound by written agreements imposing data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational security measures
  • Process Personal Data only for authorized purposes
  • Comply with Data Protection Laws

6.3 Changes to Subprocessors

We will notify you of any intended changes to Subprocessors (additions or replacements) by:

  • Updating our Subprocessor List
  • Sending email notification to your registered address
  • Providing at least 30 days' advance notice

6.4 Objection Rights

You may object to a new Subprocessor on reasonable data protection grounds by notifying us within 30 days. If you object, we will:

  • Work with you to address your concerns
  • Provide alternative solutions where possible
  • Allow you to terminate affected services if concerns cannot be resolved

6.5 Subprocessor Liability

LocalBeat remains fully liable for the acts and omissions of Subprocessors to the same extent as if LocalBeat had performed the services directly.

7. Data Subject Rights

7.1 Assistance Obligation

LocalBeat will assist you in fulfilling Data Subject rights requests, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object to Processing
  • Rights related to automated decision-making

7.2 Request Handling

If we receive a Data Subject request directly, we will:

  • Forward the request to you promptly (within 2 business days)
  • Not respond directly unless instructed by you
  • Provide reasonable assistance in responding to the request

7.3 Technical Assistance

We provide tools and features to help you fulfill Data Subject rights:

  • Access: Data export functionality for user data
  • Rectification: Dashboard interfaces for updating Personal Data
  • Erasure: Account and content deletion features
  • Portability: Export data in structured formats (JSON, CSV)

7.4 Response Timeframe

We will provide requested assistance within 10 business days or as otherwise agreed. You remain responsible for responding to Data Subjects within applicable legal timeframes (typically 30 days under GDPR).

7.5 Fees

We provide reasonable assistance with Data Subject rights at no additional charge. Extensive or repetitive requests may incur fees based on actual costs.

8. Data Breach Notification

8.1 Notification Obligation

LocalBeat will notify you without undue delay after becoming aware of a Security Incident affecting your Personal Data. Notification will be provided within 72 hours when reasonably possible.

8.2 Notification Content

Security Incident notifications will include:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate amount of Personal Data records concerned
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident and mitigate harm
  • Contact point for further information

8.3 Notification Method

Security Incident notifications will be sent to your registered email address and/or displayed in your dashboard. We may also notify you by phone for critical incidents.

8.4 Your Obligations

Upon receiving a Security Incident notification, you are responsible for:

  • Assessing whether notification to Data Subjects is required under Data Protection Laws
  • Notifying affected Data Subjects as required (typically within 72 hours under GDPR)
  • Reporting the breach to supervisory authorities if required
  • Documenting the incident and your response

8.5 Ongoing Cooperation

We will cooperate with you and provide additional information about Security Incidents as it becomes available. We will assist with regulatory reporting and Data Subject notifications as reasonably requested.

9. Audits and Compliance

9.1 Audit Rights

You have the right to audit our compliance with this DPA, subject to reasonable notice and confidentiality requirements.

9.2 Information Requests

Upon request, we will provide:

  • Documentation of our security measures and practices
  • Information about Subprocessor compliance
  • Third-party audit reports or certifications (e.g., SOC 2, ISO 27001)
  • Evidence of security controls and processes

9.3 On-Site Audits

On-site audits may be conducted:

  • With at least 30 days' advance notice
  • During business hours
  • Subject to confidentiality agreements
  • At your expense (except where required by law)
  • No more than once per year (unless required by law or following a Security Incident)

9.4 Audit Cooperation

We will cooperate with audits by:

  • Providing access to relevant documentation and personnel
  • Answering reasonable questions about our practices
  • Addressing identified deficiencies within agreed timeframes

9.5 Third-Party Audits

We may provide third-party audit reports (e.g., SOC 2 Type II) in lieu of individual audits when available. Such reports satisfy audit requirements for most purposes.

9.6 Impact Assessments

We will assist with Data Protection Impact Assessments (DPIAs) by providing information about:

  • Nature, scope, context, and purposes of Processing
  • Technical and organizational security measures
  • Risks to Data Subject rights and freedoms
  • Measures to address and mitigate risks

10. International Data Transfers

10.1 Transfer Locations

Personal Data may be transferred to and Processed in:

  • United States (primary data center location)
  • Other countries where Subprocessors operate (see Subprocessor List)

10.2 Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs): European Commission-approved SCCs incorporated into this DPA
  • Adequacy Decisions: Transfers to countries with EC adequacy decisions (if applicable)
  • Subprocessor Agreements: SCCs or equivalent safeguards with all Subprocessors

10.3 Standard Contractual Clauses

The Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries (Module Two: Controller to Processor) are incorporated by reference into this DPA. In case of conflict, the SCCs take precedence.

10.4 Additional Safeguards

In addition to SCCs, we implement supplementary measures including:

  • Encryption of Personal Data in transit and at rest
  • Contractual restrictions on Subprocessor access to data
  • Regular security assessments and monitoring
  • Transparency about government access requests

10.5 Government Access

If we receive a government or law enforcement request for access to Personal Data, we will:

  • Notify you promptly unless legally prohibited
  • Challenge invalid or overbroad requests
  • Provide minimum data necessary to comply
  • Document all requests and disclosures

11. Data Deletion and Return

11.1 Deletion Upon Termination

Upon termination of your subscription, we will:

  • Delete all Personal Data within 30 days
  • Delete or anonymize backups within 90 days
  • Provide written confirmation of deletion upon request

11.2 Data Return

Before deletion, you may request return of Personal Data. We will provide data:

  • In structured, machine-readable formats (JSON, CSV)
  • Via secure download link
  • Within 30 days of request
  • At no additional charge

11.3 Retention Exceptions

We may retain Personal Data beyond termination when:

  • Required by law (e.g., tax records, billing history)
  • Necessary for legal claims or dispute resolution
  • Retained in anonymized or aggregated form
  • Technically infeasible to delete (e.g., archived backups)

11.4 Subprocessor Deletion

We ensure that Subprocessors also delete or return Personal Data upon termination, subject to the same retention exceptions.

12. Liability and Indemnification

12.1 Liability Allocation

Under GDPR Article 82:

  • Each party is liable only for damages caused by Processing that violates obligations specifically directed to that party
  • A party is exempt from liability if it proves it is not responsible for the event giving rise to damages
  • Liability caps in the Terms of Service apply to the extent permitted by Data Protection Laws

12.2 Indemnification

LocalBeat will indemnify you against third-party claims arising from our breach of this DPA or Data Protection Laws, subject to:

  • Prompt notice of claims
  • Reasonable cooperation in defense
  • Sole control of defense and settlement
  • Limitations in Terms of Service

12.3 Your Indemnification

You will indemnify LocalBeat against claims arising from:

  • Your failure to obtain necessary consents or provide required notices
  • Your Processing instructions that violate Data Protection Laws
  • Your violation of Data Subject rights
  • Content you upload or publish through our Services

13. Term and Termination

13.1 Effective Date

This DPA becomes effective on the earlier of:

  • The date you begin using our Services
  • The date GDPR or other Data Protection Laws apply to your use of Services

13.2 Duration

This DPA remains in effect for as long as we Process Personal Data on your behalf, including:

  • The term of your subscription
  • Any retention period after subscription termination

13.3 Survival

The following provisions survive termination:

  • Confidentiality obligations
  • Liability and indemnification
  • Data deletion and return obligations
  • Audit rights for retained data

14. Contact Information

For questions about this Data Processing Addendum or to exercise your rights, please contact:

Data Protection Officer
LocalBeat
Email: privacy@mylocalbeat.com
DPA Questions: dpa@mylocalbeat.com
Security Incidents: security@mylocalbeat.com
General Support: support@mylocalbeat.com

Last Updated: November 20, 2025
Version: 1.0
This Data Processing Addendum complies with GDPR, CCPA, and other Data Protection Laws. It incorporates Standard Contractual Clauses for international data transfers. For complete Subprocessor details, see our Subprocessor List.

If you have questions about this document, please contact us at legal@mylocalbeat.com