Data Processing Agreement
Last updated: June 5, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between you ("Data Controller" or "Customer") and Big App Studio LLC ("Data Processor" or "we") and governs the processing of personal data by Bippsi on your behalf. If this DPA conflicts with the Terms of Use, the Terms of Use control except where applicable data-protection law requires otherwise.
This DPA applies when you use Bippsi applications that process personal data of your end users or customers (for example, customer email addresses in License Ninja, or social media account data in Social Ninja).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law (GDPR, CCPA, or equivalent).
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Sub-processor" means any third party engaged by Bippsi to process Personal Data on behalf of the Customer.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR (EU), UK GDPR, CCPA/CPRA (California), and any successor legislation.
2. Scope of Processing
2.1 Categories of Data Subjects
- Customer's end users and customers (License Ninja)
- Customer's social media audience (Social Ninja — only to the extent content is published on their behalf)
- Customer's own account data
2.2 Types of Personal Data Processed
| Application | Personal Data Types |
|---|---|
| Platform (Core) | Name, email address, hashed password, IP address, session data |
| License Ninja | Customer names, email addresses, license keys, IP addresses (validation), payment references |
| Social Ninja | Social media usernames, display names, profile images, encrypted OAuth tokens, post content, uploaded media |
| Strategy Ninja | No additional personal data beyond core platform data |
2.3 Purpose of Processing
We process Personal Data solely to provide, maintain, and improve the Service as described in our Terms of Use and as instructed by the Customer. We do not process Personal Data for our own purposes, marketing, or profiling.
3. Obligations of the Data Processor
Bippsi shall:
- Process Personal Data only on documented instructions from the Customer (i.e., through use of the Service's features and APIs)
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5)
- Not engage any Sub-processor without prior written authorization from the Customer (see Section 4)
- Assist the Customer in responding to data subject requests (access, deletion, portability)
- Notify the Customer without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach
- Anonymize, return, or delete Personal Data upon termination of the agreement as required by applicable law and the Terms of Use, while preserving financial, tax, audit, dispute, security, and legal-hold records where retention is required or permitted
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
4. Sub-processors
The following Sub-processors are currently authorized to process Personal Data on behalf of Customers:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting and database storage | Germany and United States |
| Stripe, Inc. | Payment processing as Bippsi's payment-service provider | United States / global |
| Authenticate.com (Authenticating.com LLC) | Identity, age, and business verification | United States / global |
| Cloudflare, Inc. | DNS, CDN, TLS termination, bot protection, and edge security | Global |
| Postmark (Wildbit LLC) | DMARC report aggregation and email deliverability monitoring | United States |
| MaxMind, Inc. | GeoIP database for fraud, rate limiting, and jurisdictional controls | United States |
| Discord Inc. | Community role integration when a customer connects Discord | United States / global |
| Social Media Platforms (as connected by Customer) | Content publishing at Customer's direction | Varies by platform |
We will notify the Customer at least 30 days before adding or replacing a Sub-processor. If the Customer objects to a new Sub-processor, they may terminate the affected subscription without penalty.
5. Security Measures
Bippsi implements the following technical and organizational security measures:
- Encryption in transit: All connections use TLS/HTTPS
- Encryption at rest: Sensitive data (OAuth tokens) encrypted with AES-256-CBC
- Password security: Passwords hashed with bcrypt (cost factor 12); plaintext passwords are never stored
- Access control: Multi-tenant data isolation — all database queries scoped by authenticated user ID
- CSRF protection: All state-changing operations protected against cross-site request forgery
- Input validation: All user input sanitized to prevent injection attacks
- Session management: Secure, server-side sessions with configurable timeouts
- Backups: Regular automated backups with encryption
6. Data Subject Rights
We provide the following mechanisms for Customers to fulfill data subject requests:
- Access and Portability: Data export functionality available through Account settings (JSON format)
- Rectification: Customers can update personal data through their Account settings
- Erasure: Account deletion functionality anonymizes account data and removes eligible personal data, subject to records Bippsi must retain for financial, tax, audit, dispute, security, legal-hold, and compliance purposes
- Restriction: Customers may contact us to restrict processing of specific data
For License Ninja customers specifically: the GDPR anonymization feature allows Customers to anonymize their end-user data while preserving aggregate records.
7. International Transfers
Personal Data is stored and processed in Germany and the United States, and may also be processed in jurisdictions where authorized Sub-processors operate. For transfers from the European Economic Area (EEA) or the United Kingdom, we rely on:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
8. Data Retention and Deletion
- We retain Personal Data for as long as the Customer's account is active
- Upon account deletion or termination, we anonymize account data and remove eligible personal data, subject to retention exceptions
- Financial, tax, payout, refund, chargeback, audit, contract, security, and legal-hold records may be retained for up to seven (7) years, or longer if required by law, dispute defense, tax obligations, or regulatory process
- Anonymized or pseudonymized data may be retained for billing, legal compliance, abuse prevention, platform integrity, and aggregate analytics
- Backups containing Personal Data are overwritten within 90 days of deletion
9. Audits
Upon reasonable request and with at least 30 days' notice, we will make available information necessary for the Customer to verify compliance with this DPA. Audit requests should be directed to help@bippsi.com.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Use.
11. Term and Termination
This DPA remains in effect for as long as the Customer has an active account with Bippsi. Upon termination, the obligations in this DPA continue to apply to any Personal Data still in our possession until it is deleted.
12. Contact
For questions or requests related to this DPA:
- Email: help@bippsi.com
- Phone: 1-623-800-1727
- Mail: Big App Studio LLC, Glendale, AZ, United States