Data Processing Addendum
Processor: Pearson & Pearson Holdings LLC, a Florida limited liability company, doing business as Back Office Briefcase (the “Processor”).
Controller: the User / customer.
Service: the AI Back Office and Clara at backofficebriefcase.com.
This Addendum is incorporated by reference into, and forms part of, the User Licensing Agreement V2.4 (ULA Section 7.3) and is read together with the Privacy Policy V1.1. If there is a conflict on data-processing terms, this Addendum controls.
1. Roles and Primary Framing
1.1 As between the parties, the Controller determines the purposes and means of processing the Controller’s data, and Back Office Briefcase acts as Processor (and, for U.S. state-privacy purposes, as a service provider), processing that data only to provide the Service and on the Controller’s documented instructions. This Addendum and the ULA constitute those instructions.
1.2 Primary framing. The Service is provided primarily to U.S. small businesses, and the controlling framework is U.S. state privacy law, including Florida law. Back Office Briefcase acts as a service provider and does not sell or share the Controller’s personal information, and does not retain, use, or disclose it for any purpose other than providing the Service. The controller/processor terminology is used for generality and applies where a comprehensive privacy statute governs the Controller’s data.
1.3 Back Office Briefcase engages subprocessors as permitted under Section 5.
2. Scope & Details of Processing
Subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects are described in Annex A.
3. Processor Obligations
Back Office Briefcase will: (a) process Controller data only on documented instructions; (b) ensure persons authorized to process are bound by confidentiality; (c) implement the security measures in Annex B; (d) assist the Controller, taking into account the nature of processing, in responding to data-subject requests; (e) assist the Controller with security, breach-notification, and impact-assessment obligations; and (f) on termination, delete or return Controller data per Section 7, subject to legal-retention requirements.
4. Controller Obligations
The Controller warrants that it has a lawful basis to provide the data and to instruct the processing, and that its instructions comply with applicable law.
5. Subprocessors
5.1 The Controller provides general authorization for Back Office Briefcase to engage the subprocessors listed in Annex C.
5.2 Back Office Briefcase imposes data-protection terms on each subprocessor no less protective than this Addendum and remains responsible for their performance.
5.3 Back Office Briefcase will give the Controller at least thirty (30) days’ advance notice of any intended addition or replacement of a subprocessor, by email to the address on file and through the in-product notice channel. The Controller may raise a reasonable, good-faith objection within that period; if the parties cannot resolve the objection, the Controller may terminate the affected Service under the ULA as its sole remedy.
6. Security & Breach Notification
6.1 Back Office Briefcase maintains the technical and organizational measures in Annex B, including tenant isolation (logical separation of each client’s data at the database layer).
6.2 Back Office Briefcase will notify the Controller of a personal-data breach affecting Controller data without undue delay and within seventy-two (72) hours of confirmation, with the information reasonably available at that time. This timing aligns with Privacy Policy Section 11.
7. Deletion / Return
On cancellation or termination, the Controller may export all of the Controller’s data and Work Product through the in-product per-tenant export for thirty (30) days following the effective termination date (ULA Section 5.9). After that export window, Back Office Briefcase will, at the Controller’s choice, delete or return the Controller data in accordance with the Privacy Policy’s retention schedule and no later than ninety (90) days after the effective termination date, except where retention is required by law.
8. Audit & Information
Back Office Briefcase will make available the written information reasonably necessary to demonstrate compliance with this Addendum and, where available, third-party audit reports of its infrastructure providers. On-site or direct audits may be conducted on reasonable prior notice, no more than once per twelve (12) months (except as required by a supervisory authority following a breach), during business hours, and subject to confidentiality and security constraints.
9. International Transfers
The Service and its subprocessors operate in the United States, and the Controller’s data is processed in the United States. Where the Controller introduces personal data subject to the EU GDPR or UK GDPR, the parties will rely on a lawful transfer mechanism, and the EU Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Addendum) are incorporated by reference and apply to that transfer, with Back Office Briefcase as data importer.
10. Liability
Each party’s liability under this Addendum is subject to the Limitation of Liability in ULA Section 7.2, including its twelve (12) month fee cap and its carve-outs.
Annex A — Details of Processing
- Subject matter: provision of the AI Back Office Service.
- Duration: the term of the ULA plus the deletion/return window in Section 7.
- Nature & purpose: hosting, AI-assisted generation of Work Product, storage, and support, on the Controller’s instructions.
- Types of personal data: account contact details (name, email, login credentials, and billing contact); and any personal data the Controller chooses to input into its business content and Work Product, which is Controller-determined.
- Categories of data subjects: the Controller’s personnel and authorized users; and the Controller’s own customers and contacts, to the extent the Controller inputs such data — Controller-determined.
Annex B — Security Measures (TOMs)
- Tenant isolation enforced at the database layer, with per-client logical separation governed by row-level security and per-request tenant scoping.
- Access control — least-privilege access; the application server database role operates without database-bypass privileges; owner-scoped API access controls; role-based access (owner / partner / worker) with money-visibility scoping.
- Authentication — application access is gated by managed authentication (email/password and federated OAuth sign-in) with session-based, per-user access control.
- Encryption — in transit via TLS, and at rest as provided by the hosting and database infrastructure.
- Logging & monitoring of access and operations, with error notifications delivered to the account owner.
- Confidentiality obligations on all authorized personnel.
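As an added illustration of the tenant-isolation and least-privilege measures listed above, and not part of this Addendum or the Service's own schema, the following PostgreSQL statements show how row-level security, per-request tenant scoping and an application role without bypass privileges fit together. The table name, role name, password placeholder, the `app.tenant_id` setting name and the tenant identifiers are all constructed for the example.

```sql
-- Constructed example: a tenant-scoped table. Every row carries the tenant it belongs to.
CREATE TABLE work_product (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  body       text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- Application server role (constructed name): no superuser and no BYPASSRLS,
-- so row-level security policies always apply to queries it runs.
CREATE ROLE app_server NOSUPERUSER NOBYPASSRLS LOGIN PASSWORD 'replace-with-managed-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON work_product TO app_server;
GRANT USAGE, SELECT ON SEQUENCE work_product_id_seq TO app_server;

-- Turn on row-level security; FORCE makes it apply to the table owner as well.
ALTER TABLE work_product ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_product FORCE ROW LEVEL SECURITY;

-- The policy compares each row's tenant_id with a per-request setting.
-- current_setting(..., true) yields NULL instead of an error when the setting was never
-- defined; NULLIF handles the empty string left behind once a transaction-local SET expires.
-- In both cases the comparison is NULL, so a request that forgot to scope itself sees no rows.
CREATE POLICY tenant_isolation ON work_product
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request scoping, run by the application as app_server at the start of each
-- request's transaction. SET LOCAL is discarded at COMMIT/ROLLBACK, so the scope
-- cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant A
INSERT INTO work_product (tenant_id, body)
  VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A draft invoice');
SELECT id, body FROM work_product;  -- the policy restricts this to tenant A's rows
COMMIT;

-- Verification from a second tenant's request: tenant A's rows are not visible, and
-- WITH CHECK rejects an attempt to write a row tagged with another tenant's id.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';  -- constructed tenant B
SELECT id, body FROM work_product;  -- scoped to tenant B only
INSERT INTO work_product (tenant_id, body)
  VALUES ('11111111-1111-1111-1111-111111111111', 'mislabelled row');  -- rejected by the policy
ROLLBACK;
```

The two properties worth checking in a review are visible here: the role the application connects with is created without BYPASSRLS (and the table uses FORCE, so even ownership does not exempt it), and the tenant identifier comes from a transaction-local setting that is established by the request handler rather than from a value the client can pass in a query.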
Annex C — Subprocessors
- Anthropic, PBC — AI processing — United States.
- Supabase, Inc. — Database hosting — United States.
- Cloudflare, Inc. — Application hosting / edge — United States (global edge).
- Stripe, Inc. — Payment processing — United States.
- Resend — Transactional email — United States.
This list is kept consistent with Privacy Policy Section 6. Changes are governed by Section 5.3.