1. Scope and roles

This addendum applies when a customer uses a Business Adjacent LLC product and, in doing so, has us process personal data on the customer's behalf (for example, personal data contained in a ReviewTube workspace). For that data, the customer is the controller and Business Adjacent LLC is the processor. It supplements and is subject to the Terms of Service, including its disclaimers and limitation of liability.

2. Details of processing

Subject matterProviding the contracted product
DurationThe term of the product relationship
Nature and purposeHosting, storage, transmission, and display of customer data to operate the product
Categories of dataNames, email addresses, video and review content, and related workspace data
Data subjectsThe customer's users and invited guests

3. Processing instructions

We process customer personal data only to provide the contracted product and per the customer's documented instructions, unless law requires otherwise. Personnel with access are bound to confidentiality.

We do not use customer personal data or customer content to train AI or machine-learning models, and we do not use customer content to improve the Services, except to diagnose and fix a problem the customer reports using content the customer shares for that purpose. Service improvement relies on operational metadata analyzed in aggregate, not on customer content. Our logging is designed to exclude customer content; if diagnostic logs transiently capture fragments of it, they are access-restricted and are not used for improvement or training.

4. Subprocessors

We use the subprocessors listed in the Privacy Policy to process customer personal data; a new subprocessor is added to that list before it processes any customer data. (Stripe, also listed there, processes billing data for which we act as an independent business, and does not receive customer workspace content.)

We will update that list before adding a subprocessor, and the customer may object on reasonable data-protection grounds. Customers who want advance notice of subprocessor changes can email legal@businessadjacent.com and we will notify them directly before a new subprocessor processes their data. If we cannot reasonably address an objection, the customer may terminate the affected product and we will refund any prepaid fees for the unused period.

5. Security

We apply technical and organizational measures appropriate to the risk, as described in the Privacy Policy: encryption in transit, restricted production access, secrets managed outside source code, and audit logging of secrets access and of administrative actions taken through our products.

6. Assistance

Taking into account the nature of the processing, we will reasonably assist the customer in responding to data-subject requests and in meeting its security and assessment obligations, and we will make available information reasonably necessary to demonstrate compliance with this addendum.

7. Breach notice

We will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data, with the information we have available.

8. Deletion and return

On termination of the product relationship, we will delete or return customer personal data at the customer's choice, unless law requires us to retain it. Data removed from live systems leaves our backups on their normal expiry cycle: database-provider snapshots within 7 days, daily off-site backups within 30 days, and weekly full backups within 12 months.

9. Contact

legal@businessadjacent.com