Data Processing Addendum
Effective date: January 1, 2026 (Last Updated: May 6, 2026)
DPA Overview
This Data Processing Addendum ("DPA") supplements the BaseMonkeys Master Services Agreement, Terms of Use, Privacy Policy, applicable statements of work, order forms, proposals, marketplace orders, subscription orders, invoices, and service descriptions between BaseMonkeys, LLC ("BaseMonkeys," "we," "us," or "our") and the client or business customer that receives services from BaseMonkeys ("Client," "you," or "your"). Certain legacy invoices, contracts, payment accounts, or service relationships may reference AGZ Consulting, Inc. DBA BaseMonkeys. If an order form, invoice, statement of work, proposal, or signed agreement specifically identifies AGZ Consulting, Inc. DBA BaseMonkeys as the contracting party, then that entity will be the contracting party for that specific transaction. Otherwise, the contracting party is BaseMonkeys, LLC. This DPA applies when BaseMonkeys processes Client Personal Data on behalf of Client in connection with BaseMonkeys services, including services ordered through or related to: - basemonkeys.com - smallbusiness.basemonkeys.com - clientportal.basemonkeys.com - baseqr.ai - BaseMonkeys Small Business - BaseQR - Website, marketing, CRM, analytics, reporting, QR, portal, hosting-related, support, consulting, implementation, and related services This DPA is intended for business-to-business services and is designed to address data processing responsibilities where Client provides or authorizes BaseMonkeys to process personal information relating to Client's customers, prospects, leads, employees, contractors, vendors, website users, QR code users, or other individuals.
1. Purpose and Scope
This DPA governs BaseMonkeys' processing of Client Personal Data for the purpose of providing services to Client. Examples of Client Personal Data may include, without limitation: - Customer lists; - Lead lists; - Prospect lists; - CRM records; - Email marketing lists; - Contact form submissions; - Website inquiry data; - Appointment or scheduling data; - Analytics data; - Advertising audience data; - QR scan data; - BaseQR campaign data; - Support ticket data; - Portal user information; - Files or documents uploaded by Client that contain personal information; - Other personal information Client provides, uploads, connects, authorizes, or instructs BaseMonkeys to process. This DPA does not apply to information that BaseMonkeys processes as an independent business for its own account administration, billing, fraud prevention, legal compliance, analytics, business operations, marketing, or security purposes, except where applicable law requires otherwise.
2. Definitions
For purposes of this DPA: "Applicable Privacy Laws" means privacy, data protection, data security, and breach notification laws that apply to the processing of Client Personal Data under the services, which may include U.S. state privacy laws, consumer protection laws, breach notification laws, and other applicable privacy requirements. "Client Personal Data" means personal information, personal data, or similar information that Client provides to BaseMonkeys, makes available to BaseMonkeys, authorizes BaseMonkeys to access, or instructs BaseMonkeys to process on Client's behalf. "Controller," "Business," or similar term means the party that determines the purposes and means of processing Client Personal Data, as defined by Applicable Privacy Laws. "Processor," "Service Provider," "Contractor," or similar term means the party that processes Client Personal Data on behalf of the Controller, Business, or equivalent responsible party, as defined by Applicable Privacy Laws. "Process," "processing," or similar term means any operation performed on Client Personal Data, including collection, access, use, storage, copying, analysis, organization, transmission, disclosure, deletion, or other handling. "Subprocessor" means a third party engaged by BaseMonkeys to process Client Personal Data to support the services.
3. Roles of the Parties
For Client Personal Data processed under this DPA: - Client is the Controller, Business, or equivalent responsible party. - BaseMonkeys is the Processor, Service Provider, Contractor, or equivalent processing party. Client determines the purposes and means of processing Client Personal Data. BaseMonkeys processes Client Personal Data on behalf of Client according to Client's documented instructions, the applicable agreement, the applicable order document, this DPA, and Applicable Privacy Laws. Client is responsible for determining whether this DPA satisfies Client's legal and contractual obligations.
4. Client Responsibilities
Client represents and warrants that: - Client has the right to provide Client Personal Data to BaseMonkeys; - Client has provided all required notices to individuals; - Client has obtained all required consents, authorizations, permissions, and rights; - Client's instructions to BaseMonkeys comply with Applicable Privacy Laws; - Client Personal Data was collected lawfully; - Client's use of BaseMonkeys services will comply with Applicable Privacy Laws, advertising laws, email marketing laws, SMS marketing laws, platform policies, and third-party terms; - Client will not provide sensitive or regulated data unless expressly approved by BaseMonkeys in writing; - Client will not instruct BaseMonkeys to process Client Personal Data in a way that violates law, third-party rights, or platform policies. Client is responsible for the accuracy, quality, legality, compliance, and appropriateness of Client Personal Data.
5. BaseMonkeys Processing Obligations
BaseMonkeys will process Client Personal Data only as reasonably necessary to: - Provide the services; - Operate, support, and maintain the client portal; - Operate, support, and maintain BaseQR; - Generate reports, audits, scans, insights, recommendations, and analytics; - Process service requests, tickets, subscriptions, orders, and approvals; - Configure, support, or maintain websites, CRM systems, analytics tools, marketing systems, QR campaigns, or other Client-authorized platforms; - Communicate with Client regarding services; - Maintain business, billing, support, project, and legal records; - Detect, prevent, and respond to security incidents, fraud, abuse, spam, phishing, malware, platform misuse, or unlawful activity; - Comply with applicable law, legal process, and regulatory obligations; - Enforce applicable agreements and policies. BaseMonkeys will not process Client Personal Data for purposes outside the services unless permitted by Client, this DPA, the applicable agreement, or Applicable Privacy Laws.
6. Documented Instructions
Client instructs BaseMonkeys to process Client Personal Data as necessary to provide the services described in the applicable order document and related communications. Client's documented instructions may include: - The applicable MSA, Terms, Privacy Policy, SOW, proposal, order form, service description, marketplace order, subscription order, invoice, or service request; - Portal approvals; - Client emails or written directions; - Client-provided access permissions; - Client-selected settings in BaseQR, portal tools, websites, marketing tools, CRM systems, or third-party platforms; - Other written or electronic instructions provided by Client. BaseMonkeys may decline or suspend processing if it reasonably believes Client's instruction violates law, third-party rights, platform policies, security requirements, or BaseMonkeys policies.
7. Limits on Use, Sale, Sharing, and Combining Data
To the extent required by Applicable Privacy Laws, BaseMonkeys will not: - Sell Client Personal Data; - Share Client Personal Data for cross-context behavioral advertising; - Retain, use, or disclose Client Personal Data for a commercial purpose other than providing the services or as otherwise permitted by law; - Retain, use, or disclose Client Personal Data outside the direct business relationship between BaseMonkeys and Client, except as permitted by law; - Combine Client Personal Data with personal information obtained from other sources except where permitted by law, necessary to provide the services, detect security incidents, prevent fraud or abuse, perform analytics requested by Client, maintain service quality, or comply with legal obligations. Nothing in this DPA prevents BaseMonkeys from processing data for security, debugging, fraud prevention, legal compliance, internal operations, service improvement, deidentified or aggregated analytics, or other purposes permitted by Applicable Privacy Laws.
8. Confidentiality
BaseMonkeys will require personnel who process Client Personal Data to be subject to confidentiality obligations or professional obligations of confidentiality. BaseMonkeys will limit access to Client Personal Data to personnel, contractors, vendors, and subprocessors who need access to provide the services, support operations, maintain security, or comply with legal obligations.
9. Security Measures
BaseMonkeys will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Client Personal Data against unauthorized access, disclosure, alteration, and destruction. Security measures may include, as appropriate: - Access controls; - Authentication controls; - Role-based or need-to-know access; - Password management practices; - Encryption where appropriate and commercially reasonable; - Secure cloud infrastructure; - Logging and monitoring; - Malware, spam, phishing, and abuse prevention tools; - Vendor review where appropriate; - Backup and recovery practices where applicable; - Incident response procedures; - Personnel confidentiality obligations; - Account access removal when no longer needed. Client acknowledges that no system, website, portal, cloud service, QR service, email system, internet transmission, or storage method is completely secure. Client is responsible for securing Client-controlled accounts, credentials, permissions, devices, platforms, domains, websites, hosting, third-party tools, and user access.
10. Subprocessors and Vendors
Client authorizes BaseMonkeys to use subprocessors, vendors, contractors, and service providers to support the services. Subprocessors may include providers of: - Hosting; - Cloud storage; - Authentication; - Security; - Analytics; - CRM; - Email delivery; - SMS or phone communications; - Payment processing; - Project management; - Customer support; - QR infrastructure; - Website tools; - Advertising and marketing tools; - AI-assisted tools; - Error monitoring; - Logging; - Backup; - Professional services. BaseMonkeys will take reasonable steps to use subprocessors that are appropriate for the services they provide. Where required by Applicable Privacy Laws and commercially practical, BaseMonkeys will impose contractual obligations on subprocessors that are designed to protect Client Personal Data and limit processing to the services provided. BaseMonkeys remains responsible for its subprocessors' processing of Client Personal Data to the extent required by Applicable Privacy Laws and applicable agreements.
11. Subprocessor Changes
BaseMonkeys may add, replace, or remove subprocessors from time to time. If required by Applicable Privacy Laws or a signed agreement, BaseMonkeys will provide notice of material subprocessor changes and allow Client to object where required. If Client reasonably objects to a subprocessor and BaseMonkeys cannot reasonably accommodate the objection, Client may need to discontinue the affected service. BaseMonkeys is not responsible for service limitations, delays, or inability to provide services resulting from Client's objection to a necessary subprocessor.
12. Data Subject and Consumer Requests
If BaseMonkeys receives a privacy rights request relating to Client Personal Data, BaseMonkeys may: - Refer the requester to Client; - Notify Client where appropriate; - Respond directly if required by law or if the request relates to BaseMonkeys' own processing; - Assist Client with the request where required by Applicable Privacy Laws and reasonably possible. Client is responsible for receiving, verifying, and responding to privacy rights requests relating to Client Personal Data, unless Applicable Privacy Laws require otherwise. BaseMonkeys may charge reasonable fees for assistance with privacy rights requests if the assistance requires significant time, technical work, data export, engineering support, custom review, or work outside the applicable service scope, unless prohibited by law or included in the applicable order document.
13. Security Incidents
BaseMonkeys will notify Client without undue delay after confirming a security incident involving Client Personal Data that requires notice under Applicable Privacy Laws or materially affects the services. Notice may include available information such as: - A general description of the incident; - The categories of Client Personal Data involved, if known; - The approximate number of affected records, if known; - Mitigation steps taken or planned; - Recommended Client actions, if applicable. BaseMonkeys may provide information in phases as it becomes available. Client is responsible for determining whether any notification to individuals, regulators, customers, users, partners, platforms, or other third parties is required, unless Applicable Privacy Laws require BaseMonkeys to provide notice directly. A security incident does not include unsuccessful attempts or activities that do not compromise Client Personal Data, such as pings, scans, blocked attacks, failed login attempts, denial-of-service attempts, spam, phishing attempts, or other unsuccessful events.
14. Return and Deletion of Client Personal Data
Upon termination or expiration of the applicable services, Client may request return or deletion of Client Personal Data to the extent reasonably available and technically feasible. BaseMonkeys may retain Client Personal Data as necessary to: - Comply with legal, tax, accounting, security, and recordkeeping obligations; - Maintain business records; - Resolve disputes; - Enforce agreements; - Prevent fraud, abuse, spam, phishing, malware, or security incidents; - Maintain backups according to standard backup cycles; - Complete billing or collections; - Maintain QR redirects, analytics, or account records where needed to provide continuing services or comply with legal obligations; - Preserve evidence or comply with legal process. Data stored in backups may not be immediately deleted but will be protected according to BaseMonkeys' standard retention and security practices until deleted in the ordinary course. BaseMonkeys may retain deidentified, anonymized, or aggregated data where permitted by law.
15. Deidentified, Aggregated, and Anonymized Data
BaseMonkeys may create and use deidentified, aggregated, or anonymized data for analytics, benchmarking, security, service improvement, product development, reporting, and business purposes. BaseMonkeys will not attempt to reidentify deidentified data except where permitted by law, such as to test deidentification methods or comply with legal obligations.
16. Audits and Assessments
Upon reasonable written request, BaseMonkeys may provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, legal, and operational limitations. Client may not conduct onsite audits, penetration tests, vulnerability scans, system access reviews, or technical testing of BaseMonkeys systems without BaseMonkeys' prior written consent. Any audit or assessment must: - Be limited to Client Personal Data and the services provided to Client; - Not compromise BaseMonkeys systems, security, confidentiality, other clients, vendors, personnel, intellectual property, or operations; - Be conducted during normal business hours; - Be subject to reasonable confidentiality and security restrictions; - Be limited to once per year unless required by law or following a confirmed security incident involving Client Personal Data; - Not unreasonably interfere with BaseMonkeys' business operations. BaseMonkeys may charge reasonable fees for audit assistance, questionnaires, custom documentation, security reviews, or assessments that require significant time or work outside the applicable service scope, unless prohibited by law or included in the applicable order document.
17. International Transfers
BaseMonkeys is based in the United States. Client Personal Data may be processed in the United States and other jurisdictions where BaseMonkeys, its vendors, subprocessors, or service providers operate. Client is responsible for determining whether international transfer restrictions apply to Client Personal Data and for notifying BaseMonkeys of any specific requirements before providing the data. If legally required, the parties may enter into additional transfer terms, standard contractual clauses, or similar mechanisms.
18. Sensitive and Regulated Data
Client must not provide BaseMonkeys with sensitive or regulated data unless expressly approved by BaseMonkeys in writing. Sensitive or regulated data includes, without limitation: - Protected health information; - Full payment card numbers; - Social Security numbers; - Government identification numbers; - Financial account credentials; - Biometric information; - Children's data; - Precise geolocation data; - Criminal history; - Special categories of personal data under applicable law; - Highly sensitive security credentials; - Data subject to HIPAA, GLBA, FERPA, PCI DSS, or other regulated frameworks unless expressly agreed in writing. Unless expressly agreed in writing, BaseMonkeys is not acting as a HIPAA business associate, GLBA service provider for regulated financial data, PCI processor for full cardholder data, law firm, accounting firm, insurance agency, credit reporting agency, or regulated compliance provider.
19. Artificial Intelligence and Automated Tools
BaseMonkeys may use automation, artificial intelligence, machine learning, third-party APIs, scoring tools, analytics tools, and similar technologies to provide services, generate reports, summarize information, classify issues, support recommendations, analyze website or business data, support QR analytics, improve services, or assist with internal operations. Where Client Personal Data is processed by AI-assisted or automated tools, BaseMonkeys will use such tools in a manner reasonably related to providing or improving the services, securing systems, or supporting operations. Client should not provide sensitive or regulated data for AI-assisted processing unless expressly approved by BaseMonkeys in writing. BaseMonkeys does not use automated reports, AI-generated recommendations, scans, or analytics as a substitute for legal, financial, tax, medical, regulated, or professional advice.
20. BaseQR and QR Analytics Data
If Client uses BaseQR or QR code-related services, BaseMonkeys may process QR-related data on Client's behalf, including QR code configuration, destination URLs, campaign labels, scan timestamps, scan counts, approximate location, device type, browser type, operating system, referral information, campaign parameters, and related analytics. Client is responsible for: - Providing required notices to individuals who may scan QR codes; - Ensuring QR destinations comply with law and platform policies; - Obtaining any required consent for tracking, analytics, marketing, or targeted advertising; - Ensuring QR campaigns and linked content are lawful, accurate, and not deceptive; - Responding to privacy requests relating to Client's QR campaigns; - Determining whether QR analytics data is personal information under Applicable Privacy Laws. BaseQR analytics may be approximate, incomplete, delayed, filtered, or affected by privacy settings, device settings, browser restrictions, network settings, bot filtering, VPNs, proxies, ad blockers, and third-party limitations.
21. Client Portal Data
If Client uses clientportal.basemonkeys.com, BaseMonkeys may process portal-related data on Client's behalf, including account users, roles, permissions, service requests, tickets, files, messages, notes, subscriptions, approvals, marketplace orders, reports, recommendations, settings, and activity logs. Client is responsible for managing authorized users, account permissions, internal approval authority, user removal, and the accuracy of information submitted through the portal. BaseMonkeys may rely on instructions, approvals, uploads, and actions submitted through authorized Client accounts or credentials.
22. Cooperation With Privacy Compliance
BaseMonkeys will provide reasonable cooperation with Client's privacy compliance obligations where required by Applicable Privacy Laws and reasonably related to the services. Cooperation may include reasonable assistance with: - Data access requests; - Deletion requests; - Correction requests; - Portability requests; - Opt-out implementation where applicable and technically feasible; - Security incident review; - Vendor questionnaires; - Data mapping related to services; - Documentation reasonably necessary to show processing activities. Assistance beyond standard service support may be subject to additional fees unless prohibited by law or included in the applicable order document.
23. Compliance With Laws
Each party will comply with Applicable Privacy Laws that apply to its respective role in processing Client Personal Data. Client is responsible for complying with laws applicable to Client's business, websites, customers, marketing, advertising, emails, SMS messages, customer lists, lead lists, QR campaigns, privacy notices, cookie notices, consent flows, and data collection practices. BaseMonkeys is responsible for complying with Applicable Privacy Laws that apply to BaseMonkeys in its role as processor, service provider, contractor, or similar processing party for Client Personal Data.
24. Liability
Liability arising under this DPA is subject to the limitations of liability, exclusions of damages, claim deadlines, dispute resolution terms, and indemnification obligations in the applicable MSA, Terms of Use, order document, or other agreement between the parties. Nothing in this DPA increases BaseMonkeys' liability beyond the limits stated in the applicable agreement unless expressly required by law.
25. Term and Termination
This DPA remains in effect for as long as BaseMonkeys processes Client Personal Data on behalf of Client. Termination of the underlying services does not affect either party's rights or obligations relating to Client Personal Data processed before termination or retained as permitted by this DPA, the applicable agreement, or Applicable Privacy Laws.
26. Conflict
If there is a conflict between this DPA and another agreement between the parties, this DPA controls only with respect to the processing of Client Personal Data, unless a signed written agreement expressly states otherwise. For all other matters, the applicable MSA, Terms of Use, order document, or signed agreement controls.
27. Changes to This DPA
BaseMonkeys may update this DPA from time to time. Updated versions apply prospectively unless otherwise stated. If Client has a signed agreement requiring written notice or consent for DPA changes, BaseMonkeys will follow the applicable signed agreement.
DPA Schedule 1: Processing Details
Subject Matter BaseMonkeys' processing of Client Personal Data to provide website, portal, marketing, reporting, QR, CRM, analytics, consulting, support, implementation, hosting-related, and related services to Client. Duration For the term of the applicable services and thereafter as needed for legal, security, backup, recordkeeping, dispute resolution, billing, enforcement, and legitimate business purposes permitted by the applicable agreement and law. Nature and Purpose of Processing Processing may include collection, access, use, storage, analysis, organization, hosting, transmission, disclosure to subprocessors, deletion, reporting, scanning, auditing, recommendation generation, QR analytics, CRM support, website support, marketing support, and other processing reasonably necessary to provide the services. Categories of Data Subjects Depending on the services, data subjects may include: - Client employees; - Client contractors; - Client vendors; - Client customers; - Client prospects; - Client leads; - Website visitors; - QR code scanners; - Portal users; - Service request submitters; - Contact form submitters; - Email subscribers; - Advertising audiences; - Other individuals whose information Client provides or authorizes BaseMonkeys to process. Categories of Client Personal Data Depending on the services, Client Personal Data may include: - Names; - Email addresses; - Phone numbers; - Business names; - Job titles; - Mailing addresses; - Website URLs; - Form submission details; - CRM records; - Lead records; - Customer records; - Email list information; - Marketing preferences; - Analytics identifiers; - IP addresses; - Device and browser information; - Approximate location information; - QR scan metadata; - Portal activity; - Support ticket content; - Files or documents uploaded by Client; - Other information submitted or authorized by Client. Sensitive Data Sensitive or regulated data is not intended to be processed unless expressly approved by BaseMonkeys in writing.
DPA Schedule 2: Authorized Subprocessor Categories
BaseMonkeys may use subprocessors in the following categories: - Cloud hosting providers; - Website hosting providers; - Domain, DNS, and infrastructure providers; - Authentication and account management providers; - Payment processors; - CRM providers; - Email delivery providers; - SMS, phone, or communication providers; - Analytics providers; - Advertising and marketing providers; - QR infrastructure providers; - Data storage providers; - Project management providers; - Support and ticketing providers; - Security, logging, monitoring, and error-tracking providers; - AI-assisted productivity, analysis, or reporting providers; - Professional advisors, including legal, accounting, tax, and insurance providers; - Contractors and consultants who support BaseMonkeys services. Before publishing or signing this DPA, BaseMonkeys should consider adding a public or client-available list of actual subprocessors if required by law, contract, or client expectations.
Optional Signature Block
This DPA may be incorporated by reference into the applicable MSA, SOW, proposal, order form, invoice, subscription order, marketplace order, or client portal approval. It may also be signed below. BaseMonkeys, LLC Signature: _______________________________ Name: ___________________________________ Title: ____________________________________ Date: ____________________________________ Client Legal Business Name: ______________________ Signature: _______________________________ Name: ___________________________________ Title: ____________________________________ Date: ____________________________________
Publishing and Implementation Checklist
Before using this DPA, complete the following: - Confirm exact contracting entity: BaseMonkeys, LLC vs. AGZ Consulting, Inc. DBA BaseMonkeys; - Confirm whether this DPA should be public, available upon request, or attached to larger-client SOWs; - Confirm actual vendors/subprocessors used for hosting, payments, CRM, email, analytics, QR infrastructure, AI tools, support, and portal operations; - Consider creating a public subprocessor list; - Confirm whether BaseMonkeys uses customer/client data for AI tools and under what settings; - Confirm whether BaseMonkeys processes EU/UK data and whether SCCs or international transfer terms are needed; - Confirm whether any clients require HIPAA, GLBA, PCI, FERPA, or other regulated-data terms; - Do not accept highly sensitive or regulated data unless reviewed separately; - Link this DPA from the MSA or make it available upon request; - Add DPA language to SOWs where client customer data, CRM data, lead lists, email lists, QR analytics, or ad audiences are involved; - Make sure portal upload screens and service request forms warn clients not to upload sensitive regulated data unless approved; - Have a North Carolina business attorney review before using with clients. Recommended label: Data Processing Addendum