Data Processing Addendum (DPA)
Last updated: July 9, 2026 · Operated by Bad Decision (Lagos, Nigeria) · support@baddecision.app
This Data Processing Addendum ("DPA") forms part of the Bad Decision ("Bad Decision", "Processor") Terms of Service and is incorporated by reference. It applies to the extent you ("Customer", "Controller") process personal data through the Service.
This DPA reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Nigeria Data Protection Act (NDPA) 2023.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing personal data. This is you, the Customer.
- "Processor" means the entity that processes personal data on behalf of the Controller. This is Bad Decision.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Lead Data" means Personal Data of third parties (your leads) that you process through the Service.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to GDPR Article 51.
- "Standard Contractual Clauses" (SCCs) means the standard data protection clauses for the transfer of personal data to third countries pursuant to GDPR, as approved by the European Commission.
2. Roles and Scope
2.1 Roles: The Customer is the Controller (or Processor acting on behalf of a third-party Controller). Bad Decision is the Processor. The parties acknowledge and agree that with respect to Lead Data, the Customer acts as the Controller and Bad Decision acts as the Processor.
2.2 Scope: This DPA applies to Bad Decision's processing of Personal Data on behalf of the Customer in connection with the Service, as described in the Privacy Policy and Terms of Service.
2.3 Customer Responsibilities: The Customer is responsible for:
- Ensuring they have a lawful basis (consent, legitimate interest, etc.) to process Lead Data.
- Providing required privacy notices to data subjects (your leads).
- Honoring data subject rights requests (access, deletion, opt-out).
- Ensuring Lead Data is accurate and lawfully collected.
- Compliance with applicable data protection laws (GDPR, CCPA, NDPA, etc.).
3. Processing Details
3.1 Subject Matter: The subject matter of the processing is the provision of the Service (lead generation, email verification, AI outreach drafting, cold email campaign management) to the Customer.
3.2 Duration of Processing: The processing will continue for the duration of the Customer's subscription to the Service, plus the retention period described in Section 5 of the Privacy Policy.
3.3 Nature and Purpose: Bad Decision processes Personal Data for the sole purpose of providing the Service to the Customer, including:
- Storing Lead Data (contact information, company information, social profiles).
- Verifying email addresses through third-party verification providers.
- Generating AI-drafted outreach messages using DeepSeek.
- Sending cold email campaigns through Customer-supplied SMTP mailboxes.
- Tracking email opens, clicks, replies, and bounces.
- Providing analytics dashboards and reporting.
3.4 Types of Personal Data: The Personal Data processed includes:
- Business contact information (name, email, phone, job title)
- Company information (name, website, industry, location, tech stack)
- Social media profile URLs (LinkedIn, Twitter, Instagram)
- Email engagement data (opens, clicks, replies)
- Customer account information (name, email, payment method last 4)
3.5 Categories of Data Subjects: The data subjects are the leads the Customer processes through the Service (typically B2B contacts) and the Customer's own employees / team members who use the Service.
4. Processor Obligations
Bad Decision agrees to:
- 4.1 Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law. Bad Decision will inform the Customer if it receives a legally binding request to process Personal Data in a way that conflicts with the Customer's instructions.
- 4.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- 4.3 Implement appropriate technical and organizational security measures as described in Section 7 of the Privacy Policy, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
- 4.4 Not engage another processor (sub-processor) without prior specific or general written authorization from the Customer. Where Bad Decision engages a new sub-processor, we will notify the Customer at least 30 days in advance, giving the Customer the opportunity to object.
- 4.5 Assist the Customer in responding to data subject rights requests (access, rectification, erasure, etc.) by providing tools (data export, account deletion) and reasonable cooperation.
- 4.6 Assist the Customer in meeting security breach notification obligations under GDPR Article 33. Bad Decision will notify the Customer of a Personal Data breach within 72 hours of becoming aware of it.
- 4.7 Assist the Customer with Data Protection Impact Assessments (DPIAs) and prior consultation with Supervisory Authorities, where required.
- 4.8 Delete or return all Personal Data to the Customer after the end of the Service, at the Customer's choice. Bad Decision will delete Personal Data within 30 days of contract termination, unless retention is required by law.
- 4.9 Make available all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer (not more than once per year, with reasonable notice, during business hours, and subject to confidentiality).
5. Sub-Processors
Bad Decision currently uses the following sub-processors to provide the Service. Each sub-processor is bound by a written agreement that imposes data protection obligations equivalent to this DPA.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| WorkOS | Authentication | United States | SCCs |
| Supabase | Database hosting | United States / EU | SCCs / DPF |
| Amazon Web Services | Cloud infrastructure | Multiple regions | SCCs / DPF |
| Vercel | Frontend hosting | Global edge | SCCs / DPF |
| Dodo Payments | Payment processing | Global | SCCs / DPF |
| Resend | Transactional email | United States | SCCs / DPF |
| Cloudflare | CDN / DDoS protection | Global edge | SCCs / DPF |
| DeepSeek | AI drafting | China | SCCs |
| MyEmailVerifier / BillionVerify / Reoon / MailboxValidator | Email verification | Various | SCCs |
| Sentry | Error tracking | United States | SCCs / DPF |
| PostHog (optional) | Product analytics | United States / EU | SCCs / DPF |
We will update this list at baddecision.app/dpa and notify you by email at least 30 days before engaging any new sub-processor. You may object to a new sub-processor by emailing support@baddecision.app within 30 days of notification. If we cannot resolve your objection, you may terminate your subscription with a pro-rata refund.
6. International Data Transfers
Bad Decision may transfer Personal Data to sub-processors located outside the EEA, UK, or Switzerland. Such transfers are subject to:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), as amended from time to time.
- EU-U.S. Data Privacy Framework (DPF) for transfers to U.S. sub-processors that are DPF-certified.
- UK International Data Transfer Addendum for transfers from the UK.
- Supplementary measures (encryption, pseudonymization) where required by the Schrems II decision.
7. Security Measures
Bad Decision implements the technical and organizational measures described in Section 7 of the Privacy Policy, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Application-level encryption for secrets (AES-256-GCM)
- Role-based access control with least-privilege principle
- Audit logging of all production access
- Automated dependency scanning and quarterly security reviews
- Incident response plan with 72-hour breach notification
- Regular data backups with 30-day retention
8. Personal Data Breach
Bad Decision will notify the Customer of a Personal Data Breach without undue delay and in any case within 72 hours of becoming aware of it. The notification will include:
- Description of the nature of the breach
- Name and contact details of the data protection officer or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Bad Decision will cooperate with the Customer in meeting the Customer's breach notification obligations under GDPR Article 33.
9. Data Subject Rights
Bad Decision will assist the Customer in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection) by:
- Providing a data export tool that produces Lead Data in CSV / JSON format.
- Providing an account deletion tool that permanently deletes Lead Data within 30 days.
- Providing reasonable cooperation for complex requests (no charge for the first 5 requests per year; reasonable fees for additional requests).
- Forwarding any data subject requests received directly by Bad Decision to the Customer for response.
10. Audits
The Customer may audit Bad Decision's compliance with this DPA, subject to:
- No more than one audit per 12-month period.
- At least 30 days' written notice.
- Conducted during business hours with minimal disruption to Bad Decision's operations.
- Conducted by the Customer's internal audit team or a third-party auditor bound by confidentiality (not a competitor of Bad Decision).
- Audit report shared with Bad Decision before publication, with reasonable time to respond.
Alternatively, Bad Decision will provide an annual SOC 2 Type II report (once available) or equivalent third-party attestation, which the Customer may rely on in lieu of conducting its own audit.
11. Term and Termination
This DPA is effective as of the date the Customer accepts the Terms of Service and remains in effect until termination of the Service. Upon termination, Bad Decision will delete or return all Personal Data within 30 days, at the Customer's choice, subject to retention required by law.
12. Contact
For questions about this DPA, to object to a sub-processor, or to request an audit, contact us at support@baddecision.app with subject "DPA request".
Email us at support@baddecision.app and we'll get back to you within 24 hours.