Data Processing Agreement
Last updated: March 21, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and Big App Studio LLC ("Data Processor" or "we") and governs the processing of personal data by Bippsi on your behalf.
This DPA applies when you use Bippsi applications that process personal data of your end users or customers (for example, customer email addresses in License Ninja, or social media account data in Social Ninja).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law (GDPR, CCPA, or equivalent).
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Sub-processor" means any third party engaged by Bippsi to process Personal Data on behalf of the Customer.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR (EU), UK GDPR, CCPA/CPRA (California), and any successor legislation.
2. Scope of Processing
2.1 Categories of Data Subjects
- Customer's end users and customers (License Ninja)
- Customer's social media audience (Social Ninja — only to the extent content is published on their behalf)
- Customer's own account data
2.2 Types of Personal Data Processed
| Application | Personal Data Types |
|---|---|
| Platform (Core) | Name, email address, hashed password, IP address, session data |
| License Ninja | Customer names, email addresses, license keys, IP addresses (validation), payment references |
| Social Ninja | Social media usernames, display names, profile images, encrypted OAuth tokens, post content, uploaded media |
| Strategy Ninja | No additional personal data beyond core platform data |
2.3 Purpose of Processing
We process Personal Data solely to provide, maintain, and improve the Service as described in our Terms of Service and as instructed by the Customer. We do not process Personal Data for our own purposes, marketing, or profiling.
3. Obligations of the Data Processor
Bippsi shall:
- Process Personal Data only on documented instructions from the Customer (i.e., through use of the Service's features and APIs)
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5)
- Not engage any Sub-processor without prior written authorization from the Customer (see Section 4)
- Assist the Customer in responding to data subject requests (access, deletion, portability)
- Notify the Customer without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach
- Delete or return all Personal Data upon termination of the agreement, at the Customer's choice
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
4. Sub-processors
The following Sub-processors are currently authorized to process Personal Data on behalf of Customers:
| Sub-processor | Purpose | Location |
|---|---|---|
| GreenGeeks (Kish Technologies Inc.) | Web hosting, database storage | United States |
| Payment Processor (Merchant of Record) | Subscription billing, payment processing | Varies by processor |
| Social Media Platforms (as connected by Customer) | Content publishing at Customer's direction | Varies by platform |
We will notify the Customer at least 30 days before adding or replacing a Sub-processor. If the Customer objects to a new Sub-processor, they may terminate the affected subscription without penalty.
5. Security Measures
Bippsi implements the following technical and organizational security measures:
- Encryption in transit: All connections use TLS/HTTPS
- Encryption at rest: Sensitive data (OAuth tokens) encrypted with AES-256-CBC
- Password security: Passwords hashed with bcrypt (cost factor 12); plaintext passwords are never stored
- Access control: Multi-tenant data isolation — all database queries scoped by authenticated user ID
- CSRF protection: All state-changing operations protected against cross-site request forgery
- Input validation: All user input sanitized to prevent injection attacks
- Session management: Secure, server-side sessions with configurable timeouts
- Backups: Regular automated backups with encryption
6. Data Subject Rights
We provide the following mechanisms for Customers to fulfill data subject requests:
- Access and Portability: Data export functionality available through Account settings (JSON format)
- Rectification: Customers can update personal data through their Account settings
- Erasure: Account deletion functionality permanently removes all Personal Data within 30 days
- Restriction: Customers may contact us to restrict processing of specific data
For License Ninja customers specifically: the GDPR anonymization feature allows Customers to anonymize their end-user data while preserving aggregate records.
7. International Transfers
Personal Data is stored and processed in the United States. For transfers from the European Economic Area (EEA) or the United Kingdom, we rely on:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
8. Data Retention and Deletion
- We retain Personal Data for as long as the Customer's account is active
- Upon account deletion or termination, we permanently delete all Personal Data within 30 days
- Anonymized data (with all personal identifiers removed) may be retained for billing and legal compliance
- Backups containing Personal Data are overwritten within 90 days of deletion
9. Audits
Upon reasonable request and with at least 30 days' notice, we will make available information necessary for the Customer to verify compliance with this DPA. Audit requests should be directed to [email protected].
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
11. Term and Termination
This DPA remains in effect for as long as the Customer has an active account with Bippsi. Upon termination, the obligations in this DPA continue to apply to any Personal Data still in our possession until it is deleted.
12. Contact
For questions or requests related to this DPA:
- Email: [email protected]
- Phone: 1-623-800-1727
- Mail: Big App Studio LLC, Glendale, AZ, United States