Data Processing Addendum
Forms part of the Terms of Service.
1. Roles
Customer is the controller of customer data; Busacta is the processor.
2. Subject matter & duration
Processing is for the duration of the subscription and limited to providing the contracted services.
3. Nature & purpose of processing
Storage, retrieval, computation, and presentation of customer-uploaded operational and financial records.
4. Categories of data subjects & data
Customer's employees, contractors, and the customer's own clients. Identifiers, contact details, financial transaction records, task and time data.
5. Subprocessors
Lovable Cloud (database, storage, auth) and Cloudflare (edge / CDN). Customer is notified of new subprocessors with 30 days to object.
6. Security measures
See Security overview. Includes encryption, MFA, RLS, and append-only audit logging.
7. Data subject requests
Busacta will assist Customer in responding to access, rectification, erasure, and portability requests within 30 days.
8. Breach notification
Busacta notifies Customer without undue delay and within 72 hours of confirming a personal-data breach.
9. International transfers
Where data crosses borders, Standard Contractual Clauses apply.
10. Audit rights
Customer may request our latest SOC 2 report under NDA once per year.
11. Return / deletion
On termination, customer data is exportable for 30 days, then deleted within 60 days (subject to legal retention).