1. Scope
This DPA applies to all processing of personal data carried out by GBPHive Inc. on behalf of the customer in connection with the provision of the GBPHive platform. It is incorporated by reference into the master service agreement (MSA) between the parties.
2. Definitions
Capitalized terms not defined here have the meanings given to them in the GDPR, the UK GDPR, the CCPA / CPRA, or the MSA, as applicable.
3. Subject matter and duration
GBPHive processes personal data on behalf of the customer to provide the GBPHive platform (Google Business Profile management, geo-grid rank tracking, reviews, listings distribution, and AI-search visibility). Processing continues for the duration of the MSA.
4. Categories of data subjects and personal data
Customer end users (workspace members), customer's customers whose data appears in connected sources (Google Business Profile reviewers, message senders), and any other personal data the customer chooses to process within the platform. Categories include identifiers (name, email), content (review text, message text), and operational metadata.
5. Customer instructions
GBPHive will process personal data only on documented instructions from the customer, including with regard to transfers of personal data, unless required to do so by applicable law.
6. Confidentiality
GBPHive ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security measures
GBPHive implements and maintains the technical and organizational measures described in our Security page, including encryption in transit and at rest, role-based access control, audit logging, vulnerability management, and annual SOC 2 Type II audit.
8. Subprocessors
The customer authorizes GBPHive to engage subprocessors. The current list is maintained at /legal/subprocessors. We will provide notice of new subprocessors at least 30 days in advance and the customer may object on reasonable grounds.
9. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, GBPHive uses the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as applicable.
10. Data subject rights
Taking into account the nature of the processing, GBPHive will assist the customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the customer's obligation to respond to requests for exercising data subject rights.
11. Data breach notification
GBPHive will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's data, and in any event within 72 hours.
12. Audits
The customer's audit right is satisfied by GBPHive providing the most recent SOC 2 Type II report under NDA, plus written responses to a security questionnaire upon reasonable request and not more than once per year.
13. Return or deletion
On termination of the service, GBPHive will return or delete all customer personal data, at the customer's choice, unless retention is required by applicable law.
14. How to execute this DPA
Customers on the Pro, Studio, and Scale plans are deemed to accept this DPA on accepting the MSA. Customers requiring a counter-signed DPA: email [email protected] with your billing entity name and we will return a counter-signed copy within 5 business days.