
Data Processing Addendum

Version 1.0, May 17, 2026. This template is what we sign with K-12 districts and enterprise customers who need a formal data processing agreement before rolling BadgeBadger out.

To execute: email legal@badgebadger.app with your organisation’s legal name, the BadgeBadger account email, and any redlines. We’ll counter-sign within two business days.

1. Parties

This Data Processing Addendum (“DPA”) is entered into between BadgeBadger LLC, a New Jersey limited liability company (“Processor”), and the customer identified in the BadgeBadger account record (“Controller”). It supplements the BadgeBadger Terms of Service and applies to any personal data Processor processes on Controller’s behalf.

2. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person uploaded to or generated within the BadgeBadger service by Controller or Controller’s authorised users.
  • Subprocessor — any third party engaged by Processor to process Personal Data on its behalf.
  • Applicable Law — GDPR, CCPA/CPRA, FERPA, COPPA, and any other privacy or data-protection regulation applicable to the processing.

3. Scope and roles

Controller appoints Processor to process Personal Data solely for the purpose of providing the BadgeBadger service. Controller determines the purposes and means of processing; Processor acts on documented instructions and the configuration of Controller’s account.

4. Categories of data and data subjects

The categories typically processed are:

  • Identification data — first name, last name, employee/student ID, optional photograph.
  • Organisational data — position, department, location, school year.
  • Operational metadata — print history, badge issuance timestamps, audit log entries.

Data subjects are employees, contractors, students, and other individuals issued credentials through Controller’s BadgeBadger account.

5. Subprocessors

Controller authorises the following subprocessors as of the effective date. Processor will notify Controller at least 30 days before adding or replacing a subprocessor; Controller may object on reasonable grounds.

| Subprocessor         | Purpose                                                        | Location      |
|----------------------|----------------------------------------------------------------|---------------|
| Supabase, Inc.       | Database + file storage                                        | United States |
| Railway Corp.        | Application hosting                                            | United States |
| Resend, Inc.         | Transactional email                                            | United States |
| Polar Software, Inc. | Billing & payments                                             | United States |
| Anthropic, PBC       | Optional “Scan card to template” feature                       | United States |
| Cloudflare, Inc.     | DNS resolution only                                            | Global        |
| GitHub, Inc.         | Print Agent updater download (public release assets only)      | United States |

6. Security measures

Processor implements the following safeguards:

  • Encryption of Personal Data at rest (Supabase Postgres + storage) and in transit (TLS 1.2+).
  • Row-level security policies at the database layer that enforce organisation-scoped isolation independent of the application layer.
  • Bearer-token authentication for the Print Agent local API; CORS allowlist on the local listener.
  • Audit logging of administrative actions.
  • Principle-of-least-privilege access to production systems; only BadgeBadger personnel with operational need access production data, and accesses are logged.

7. Confidentiality

Processor commits its personnel and subprocessors to written confidentiality obligations. Personnel access Personal Data only to the extent necessary to deliver the service.

8. Data subject requests

Processor will assist Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection within the timelines required by Applicable Law. Where a data subject contacts Processor directly, Processor will redirect them to Controller.

9. Incident notification

If Processor becomes aware of a Personal Data breach affecting Controller, Processor will notify Controller without undue delay and in any case within 72 hours. The notification will describe the nature of the breach, categories and approximate volume of data subjects and records affected, likely consequences, and measures taken or proposed.

10. Audits

On reasonable advance notice (no more than once per year unless required by a regulator), Controller may request a written summary of Processor’s security controls, penetration test results, and subprocessor compliance.

11. International transfers

Where Personal Data of EU/UK/Swiss data subjects is transferred to subprocessors in the United States, the parties rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum, incorporated by reference. Each subprocessor has executed corresponding clauses with Processor.

12. Deletion and return

On termination of the BadgeBadger service, Processor will delete all Personal Data within 60 days unless Controller requests export first. Controller may request a CSV export of all structured records at any time via Settings → Employees. Photos and rendered badges can be exported via the API.

13. FERPA & COPPA-specific obligations

For K-12 customers, Processor acknowledges that student records may constitute “education records” under FERPA and will treat them as such: no disclosure to third parties without Controller’s authorisation, no use for any purpose other than providing the service, and deletion on Controller’s request. Processor will not collect Personal Data directly from children under 13 and will not use Personal Data for advertising or behavioural profiling.

14. Liability and term

Liability under this DPA is subject to the limitation of liability in the underlying Terms of Service. This DPA remains in force for as long as Processor processes Personal Data on Controller’s behalf.

15. Signing

Execute by emailing legal@badgebadger.app with your organisation’s legal name and the BadgeBadger account email. We’ll send a counter-signed PDF within two business days; redlines welcome.