Data Processing Addendum
1. Definitions
Unless defined here, capitalised terms have the meaning given in the Terms of Service.
- "Applicable Data Protection Law" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss FADP, the CCPA/CPRA, and any other privacy law applicable to the Customer.
- "Customer Personal Data" means personal data that Bimerge AI processes on the Customer's behalf to provide the Service.
- "Data Subject", "Personal Data Breach", "Processing", "Controller", and "Processor" have the meanings given in the GDPR.
- "Subprocessor" means any third party engaged by Bimerge AI that processes Customer Personal Data.
2. Roles and scope
- The Customer is the Controller of Customer Personal Data.
- Bimerge AI is the Processor of Customer Personal Data and acts on the Customer's documented instructions.
- Bimerge AI is a separate Controller with respect to billing, account, and security data described in our Privacy Policy; that processing is outside the scope of this DPA.
3. Processing details
| Subject matter | Provision of the Bimerge AI organic-marketing platform. |
| Duration | For the term of the subscription, plus the retention period in the Privacy Policy. |
| Nature and purpose | Hosting, scheduling, AI generation, analytics, and engagement automation as instructed by the Customer. |
| Categories of Data Subjects | Customer's authorised users, Customer's social-media followers, commenters, and message senders. |
| Categories of Personal Data | Identifiers (handles, names, emails), demographic and behavioural data, audience analytics, content of public posts and inbound messages. |
4. Bimerge AI obligations
Bimerge AI will:
- Process Customer Personal Data only on documented instructions from the Customer (the Terms, this DPA, and the Customer's use of the Service constitute such instructions).
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 7).
- Assist the Customer with Data Subject requests, security obligations, breach notification, data protection impact assessments, and consultation with supervisory authorities.
- Notify the Customer without undue delay (and in any case within 72 hours) of any Personal Data Breach, providing the information required under Article 33(3) GDPR.
- On termination, delete or return all Customer Personal Data within 30 days, except where law requires longer retention.
- Make available to the Customer all information necessary to demonstrate compliance, including allowing audits as described in Section 8.
5. Customer obligations
The Customer warrants and agrees that:
- It has obtained all necessary consents and provided all required notices to Data Subjects to lawfully process Customer Personal Data through the Service.
- Its instructions to Bimerge AI comply with Applicable Data Protection Law.
- It will not transfer to Bimerge AI any special-category personal data (Article 9 GDPR) unless explicitly agreed in writing.
6. Subprocessors
The Customer authorises Bimerge AI to engage Subprocessors for the purposes described in the Privacy Policy. The current list is published at bimerge.online/legal/subprocessors.
- Bimerge AI will impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA.
- Bimerge AI will notify the Customer, by email and an in-product notice, at least 30 days before adding a new Subprocessor.
- The Customer may object to a new Subprocessor on reasonable data-protection grounds within 14 days. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service and receive a pro-rata refund.
7. Security
Bimerge AI maintains technical and organisational measures designed to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege principles.
- Single-sign-on and mandatory multi-factor authentication for all Bimerge AI personnel.
- Continuous vulnerability scanning and a private bug-bounty programme.
- Logged and monitored access to production systems.
- Incident-response plan with defined roles, runbooks, and post-incident review.
- Annual penetration testing by an independent third party.
- Documented backup and disaster-recovery procedures.
8. Audit rights
On reasonable prior notice (at least 30 days, except for an active breach), and no more than once per twelve-month period, the Customer may audit Bimerge AI's compliance with this DPA. The audit may be conducted by:
- Reviewing Bimerge AI's then-current SOC 2 Type II report or equivalent (when available).
- Submitting a written security questionnaire (we will respond within 30 days).
- For Pro and Agency customers with a written NDA, an on-site or virtual audit conducted by an independent qualified auditor approved by Bimerge AI.
Audits must be conducted during regular business hours, must not interfere with our operations, and must respect the confidentiality of other customers' data.
9. International transfers
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor, Module Three: Processor-to-Processor) approved by Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference.
- The Customer is the data exporter; Bimerge AI is the data importer.
- Clause 7 (docking clause) applies.
- The optional language in Clause 11 does not apply.
- For Clause 17 (governing law) and Clause 18 (jurisdiction), the laws and courts of the Republic of Ireland apply.
- Annex I (parties, processing), Annex II (security measures), and Annex III (Subprocessors) are populated by Sections 3, 7, and 6 of this DPA respectively.
- For UK transfers, the parties incorporate the UK International Data Transfer Addendum.
10. Data Subject requests
If a Data Subject contacts Bimerge AI with a request related to Customer Personal Data, we will promptly forward the request to the Customer and not respond directly (except to acknowledge receipt). For Customer-managed users, we provide self-service tools that allow Customers to action access, rectification, erasure, restriction, portability, and objection requests directly within the Service.
11. Liability
The aggregate liability of either party arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service.
12. Term and termination
This DPA takes effect on the date the Customer accepts the Terms and remains in force as long as Bimerge AI processes Customer Personal Data. Termination of the Terms terminates this DPA.
13. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict, but only with respect to the processing of Customer Personal Data.
14. Acceptance
This DPA does not need to be signed to be effective. By using the Service, you accept this DPA. If your organisation requires a counter-signed copy for its records, request one from legal@bimerge.online.