BedPost
BedPost Data Processing Addendum Get the app

Data Processing Addendum

BedPost's standard Data Processing Addendum (DPA) for customers and processors that require a written GDPR Article 28 contract. Plain-text version below; a downloadable copy is available at /dpa.txt for use in procurement workflows.

Version 1.0  ·  Effective May 7, 2026  ·  Download plain text (.txt)

About this document

This page sets out BedPost's standard Data Processing Addendum (DPA), which forms part of any agreement under which BedPost Processes Personal Data on behalf of a Controller. It incorporates by reference the European Commission's Standard Contractual Clauses (2021/914, Module Two — Controller to Processor) for international transfers, and the UK International Data Transfer Addendum.

For the current list of authorised sub-processors, see the Sub-processor List. For BedPost's own privacy practices as a Controller (most consumer use), see the Privacy Policy.

If you require a counter-signed copy or a bespoke amendment, email privacy@getbedpost.com with your entity name and procurement contact. We aim to return executed copies within 10 business days.

Full text

BEDPOST DATA PROCESSING ADDENDUM (DPA)
Version 1.0 — Effective May 7, 2026

This Data Processing Addendum ("DPA") forms part of the agreement (the
"Agreement") between Stetty Ventures LLC ("BedPost", "Processor")
and the customer identified in the Agreement ("Customer", "Controller")
for the provision of the BedPost service ("Services").

Where Customer is a consumer using BedPost in a personal capacity, this
DPA applies only to the limited extent BedPost acts as a processor on
their behalf (for example, content the user explicitly transmits through
the Services). For most consumer use, BedPost acts as the data controller
under the Privacy Policy.

================================================================
1. DEFINITIONS
================================================================

"Applicable Data Protection Laws" means (a) Regulation (EU) 2016/679
("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the
California Consumer Privacy Act, as amended by the CPRA ("CCPA"); and
(d) any other privacy or data protection law applicable to the Processing
of Personal Data under the Agreement.

"Personal Data", "Processing", "Controller", "Processor", "Data Subject",
"Sub-Processor", "Supervisory Authority" and "Special Category Data" have
the meanings given in the GDPR.

"SCCs" means the Standard Contractual Clauses approved by the European
Commission in Decision 2021/914.

================================================================
2. ROLES AND SCOPE
================================================================

2.1 Roles. Customer is the Controller and BedPost is the Processor of
    Personal Data Processed under the Agreement, except where BedPost
    determines the means and purposes of Processing (for example,
    aggregated usage analytics for product improvement), in which case
    BedPost is the Controller and its Privacy Policy applies.

2.2 Subject matter, duration, nature and purpose. The subject matter is
    the provision of the Services. The duration is the term of the
    Agreement plus any retention period set out in Section 9.

2.3 Categories of Data Subjects. End users of the Customer's instance of
    the Services.

2.4 Categories of Personal Data. Account identifiers (email, name),
    authentication tokens, profile preferences, and — where the Data
    Subject elects to log it — wellness, cycle, fertility and intimacy
    data (Special Category Data under Article 9 GDPR).

================================================================
3. PROCESSOR OBLIGATIONS
================================================================

3.1 BedPost shall Process Personal Data only on documented instructions
    from the Customer, including the instructions set out in the
    Agreement and this DPA, unless required to do so by law (in which
    case BedPost shall inform the Customer first unless that law
    prohibits such notice).

3.2 BedPost shall ensure that personnel authorised to Process Personal
    Data are bound by written confidentiality obligations.

3.3 BedPost shall implement and maintain the technical and organisational
    measures set out in Annex II.

3.4 BedPost shall not Sell or Share Personal Data within the meaning of
    the CCPA.

================================================================
4. SUB-PROCESSING
================================================================

4.1 Customer grants BedPost general authorisation to engage Sub-Processors
    listed at https://getbedpost.com/subprocessors ("Sub-Processor List").

4.2 BedPost shall give at least 30 days' prior notice of intended
    additions to or replacements of Sub-Processors. Customer may object
    on reasonable data-protection grounds; if no resolution is reached
    within 30 days, Customer may terminate the affected portion of the
    Services.

4.3 BedPost remains liable to the Customer for the acts and omissions of
    its Sub-Processors as if performed by BedPost itself.

================================================================
5. DATA SUBJECT REQUESTS
================================================================

5.1 BedPost shall, taking into account the nature of the Processing,
    assist the Customer by appropriate technical and organisational
    measures to fulfil its obligations to respond to Data Subject
    requests under Chapter III GDPR. Self-service export and deletion
    are exposed in-product.

5.2 If BedPost receives a request directly from a Data Subject in the
    Customer's instance, BedPost will redirect that request to the
    Customer (where identifiable) without responding to the substance.

================================================================
6. SECURITY OF PROCESSING
================================================================

6.1 BedPost shall implement appropriate technical and organisational
    measures to ensure a level of security appropriate to the risk,
    including: encryption in transit (TLS 1.2+), encryption at rest
    (AES-256), authenticated and rate-limited APIs, audit-logged
    administrative access, secure SDLC review, and quarterly
    vulnerability scanning. Full controls are listed in Annex II.

================================================================
7. PERSONAL DATA BREACH
================================================================

7.1 BedPost shall notify the Customer without undue delay and in any
    event within 72 hours of becoming aware of a Personal Data Breach
    affecting Customer Personal Data. The notification shall include the
    information required by Article 33(3) GDPR to the extent then known.

7.2 Internal procedures for detection, triage, escalation and
    notification are documented in BedPost's Breach Runbook
    (docs/security/breach-runbook.md), reviewed at least annually.

================================================================
8. DATA PROTECTION IMPACT ASSESSMENT & PRIOR CONSULTATION
================================================================

8.1 BedPost shall provide reasonable assistance to the Customer in
    carrying out Data Protection Impact Assessments and prior
    consultations with Supervisory Authorities under Articles 35–36 GDPR.

================================================================
9. RETURN AND DELETION
================================================================

9.1 At the Customer's choice, BedPost shall delete or return all
    Personal Data after the end of the provision of Services and
    delete existing copies, unless retention is required by Union or
    Member State law. Default retention: deletion within 30 days of
    account termination, except backups which roll off within 90 days.

================================================================
10. AUDITS
================================================================

10.1 BedPost shall make available to the Customer all information
     necessary to demonstrate compliance with this DPA, and allow for
     and contribute to audits, including inspections, conducted by the
     Customer or another auditor mandated by the Customer, no more than
     once per calendar year (and on no less than 30 days' written
     notice), conducted during business hours and subject to reasonable
     confidentiality undertakings.

================================================================
11. INTERNATIONAL TRANSFERS
================================================================

11.1 Transfers of Personal Data from the EEA, UK or Switzerland to a
     country not subject to an adequacy decision are governed by:
     (a) the SCCs (Module Two: Controller-to-Processor) incorporated by
     reference and completed by Annex I of this DPA;
     (b) for UK transfers, the UK International Data Transfer Addendum;
     (c) for Swiss transfers, the Swiss Federal Data Protection and
     Information Commissioner's adaptations to the SCCs.

================================================================
12. ORDER OF PRECEDENCE & MISCELLANEOUS
================================================================

12.1 In the event of a conflict between the Agreement and this DPA,
     this DPA shall prevail to the extent of the conflict and only with
     respect to Processing of Personal Data.

12.2 This DPA is governed by the law of Wyoming, USA, except where
     Applicable Data Protection Laws require otherwise.

================================================================
ANNEX I — DETAILS OF PROCESSING (SCC ANNEX I)
================================================================

A. List of parties.
   Data Exporter: Customer (as identified in the Agreement).
   Data Importer: Stetty Ventures LLC, Wyoming, USA.
   Contact for both: privacy@getbedpost.com

B. Description of transfer.
   Categories of data subjects: end users of the Services.
   Categories of personal data: account identifiers, authentication
   credentials, profile preferences, and — where the data subject elects
   to log it — wellness/cycle/intimacy data (Special Category Data).
   Sensitive data: yes; protected by access controls listed in Annex II.
   Frequency: continuous.
   Nature: storage, retrieval, computation, transmission to authorised
   sub-processors.
   Purpose: provision of the Services as described in the Agreement.
   Retention: see Section 9.

C. Competent supervisory authority.
   For EU data subjects: the lead supervisory authority of the data
   exporter's Member State. For UK data subjects: the UK Information
   Commissioner's Office.

================================================================
ANNEX II — TECHNICAL AND ORGANISATIONAL MEASURES
================================================================

1.  Encryption.
    - In transit: TLS 1.2+ enforced on all public endpoints; HSTS with
      a 1-year max-age.
    - At rest: database storage encrypted with AES-256; per-user
      credential blobs additionally encrypted with AES-256-GCM under a
      versioned, rotatable application key (HKDF-SHA256-derived).

2.  Access control.
    - Production database access is limited to engineers on-call;
      every administrative action against the admin dashboard is
      written to an immutable audit log (admin_audit_log).
    - Multi-factor authentication (TOTP) is mandatory for the admin
      dashboard. Idle session timeout is 30 minutes (sliding).
    - Optional CIDR allowlist (ADMIN_IP_ALLOWLIST) restricts admin
      access to designated networks.

3.  Network security.
    - Helmet-configured HTTP security headers (HSTS, CSP, COOP,
      Referrer-Policy, Permissions-Policy).
    - CSRF protection (double-submit cookie) on all cookie-authenticated
      surfaces.
    - Brute-force throttling (Postgres-backed) on all authentication
      endpoints with constant-shape responses.

4.  Logging and monitoring.
    - Sentry crash reporting with PII scrubbing.
    - Server-side console output is wrapped with a redactor that masks
      authorization headers, cookies, tokens, secrets, OTP codes, and
      partially masks email addresses.
    - Webhook idempotency (claim-once table) prevents duplicate
      processing across retries.

5.  Secure SDLC.
    - All changes are peer-reviewed before merge.
    - Dependencies are tracked and audited for known vulnerabilities.

6.  Resilience.
    - Daily database backups retained for 30 days.
    - Disaster-recovery procedures rehearsed at least annually.

7.  Data minimisation.
    - Health and wellness data is never used for advertising.
    - Analytics events are anonymised before transmission and
      IP-anonymised at the analytics provider.

8.  Sub-processor management.
    - Public list at https://getbedpost.com/subprocessors with 30-day
      notice of changes.
    - Each sub-processor is bound by a DPA equivalent in substance to
      this DPA.

================================================================
ANNEX III — LIST OF SUB-PROCESSORS
================================================================

The current list of sub-processors is published at
https://getbedpost.com/subprocessors and is incorporated into this DPA
by reference.

--------------------------------------------------------------------------
Questions: privacy@getbedpost.com
This DPA is provided as a standard contractual framework. BedPost is
willing to negotiate bespoke amendments with enterprise customers on
request. A signed counterpart will be returned within 10 business days
of countersignature by Customer.
--------------------------------------------------------------------------

Contact

Privacy team: privacy@getbedpost.com  ·  Legal team: legal@getbedpost.com