Rad Dad Labs LLC — Data Processing Addendum
Version: 1.1 (merged pre-lawyer draft)
Effective Date: [TO BE INSERTED ON EXECUTION]
Last Updated: [TO BE INSERTED ON EXECUTION]
This Data Processing Addendum (the "DPA") forms part of, and is incorporated into, the Rad Dad Labs Terms of Service (the "Terms") between Rad Dad Labs LLC ("Rad Dad Labs," "we," "us," or "Processor") and the customer entity that has accepted the Terms ("Customer" or "Controller"). This DPA applies where Rad Dad Labs processes Personal Data on Customer's behalf in connection with the Service.
If there is any conflict between this DPA and the Terms, this DPA controls with respect to the processing of Personal Data.
1. Definitions
Terms used in this DPA have the meanings given in the Terms unless defined here.
- "Applicable Data Protection Law" means each privacy, data protection, and information security law applicable to the processing of Personal Data under the Service, including the California Consumer Privacy Act as amended ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the comprehensive privacy laws of Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, and Texas, in each case as in effect on the Effective Date.
- "Personal Data" means information processed by Rad Dad Labs on Customer's behalf that identifies or could reasonably be linked to an individual.
- "Process" and "Processing" have their ordinary commercial meaning and include any operation performed on Personal Data, whether or not automated.
- "Security Incident" means a confirmed unauthorized access to, acquisition of, use of, disclosure of, alteration of, or destruction of Personal Data in Rad Dad Labs's custody.
- "Sub-processor" means a third party engaged by Rad Dad Labs to Process Personal Data on Customer's behalf.
2. Roles, Scope, and Instructions
2.1 Roles
For the purposes of this DPA, Customer is the Controller and Rad Dad Labs is the Processor of Personal Data submitted to the Service or generated by Customer's use of the Service.
2.2 CCPA Service Provider
For CCPA purposes, Rad Dad Labs is a "Service Provider" to Customer. Rad Dad Labs will not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship between Rad Dad Labs and Customer; (c) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services specified in the Terms; or (d) combine Personal Data with personal information that Rad Dad Labs receives from other sources, except as permitted under CCPA § 7053(b).
2.3 Carve-Out: Rad Dad Labs as Controller for Its Own Purposes
This DPA applies to Personal Data Rad Dad Labs Processes on Customer's behalf. It does not apply to data Rad Dad Labs Processes as Controller for its own purposes, including account administration, billing, marketing to Customer's authorized representatives, security analytics, and product development based on aggregated and de-identified data derived from Service usage.
2.4 Subject Matter and Duration
Rad Dad Labs Processes Personal Data for the duration of the Subscription Term and any extended retention required by the Privacy Policy or by law.
2.5 Nature and Purpose of Processing
Rad Dad Labs Processes Personal Data to provide the Service as described in Section 2.1 of the Terms, including operating the COA routing layer, the Brand portal, the Retailer Shopify application, the Distributor portal, transactional communications, the audit log, billing through Stripe, and recall notifications.
2.6 Categories of Data Subjects
Account administrators and Authorized Users of Customer; representatives of Customer's commercial counterparties (e.g., brand representatives identified in a distributor's retailer network); end users who follow a barcode-keyed redirect URL.
2.7 Categories of Personal Data
See Sections 2.1 through 2.5 of the Privacy Policy. Rad Dad Labs does not Process sensitive Personal Data, biometric Personal Data, genetic Personal Data, health Personal Data, or Personal Data of children under 16 as part of the Service. Customer is contractually prohibited from submitting consumer Personal Data outside the categories permitted by the Terms and Documentation.
2.8 Documented Instructions
Customer's documented instructions to Rad Dad Labs are the Terms, this DPA, the Privacy Policy, and any in-product configuration set by Customer through the Service. Rad Dad Labs will Process Personal Data only on those instructions, except as required by law. Any additional instruction must be in writing and may be subject to additional fees if it materially changes the scope of services.
2.9 Compliance with Applicable Law
Rad Dad Labs will inform Customer if, in Rad Dad Labs's opinion, an instruction violates Applicable Data Protection Law. Customer represents that its use of the Service and its instructions to Rad Dad Labs comply with Applicable Data Protection Law.
2.10 Customer Responsibilities
Customer represents and warrants that (a) it has all necessary rights, consents, and notices in place to enable lawful Processing by Rad Dad Labs; (b) it has provided all required notices and obtained any required consents from data subjects in connection with the Processing; and (c) the Personal Data it submits to the Service complies with the Terms.
3. Sub-processors
3.1 Authorization
Customer grants Rad Dad Labs a general authorization to engage Sub-processors. The current list of Sub-processors is set out in Appendix A.
3.2 Notice of Changes
Rad Dad Labs will provide Customer with at least thirty (30) days' advance notice of any addition to or replacement of a Sub-processor that Processes Personal Data, by updating Appendix A and notifying the Account administrator by email or in-product notice.
3.3 Customer Objection
Customer may object to a proposed Sub-processor for reasonable, documented data-protection reasons within twenty (20) days of notice. If Customer objects, the parties will discuss in good faith. If the parties cannot agree within thirty (30) days, Customer may terminate the affected portion of the Service for material breach, with a prorated refund of any prepaid, unused fees for the period after termination.
3.4 Sub-processor Obligations
Rad Dad Labs will impose on each Sub-processor written data protection obligations no less protective than those in this DPA. Rad Dad Labs remains liable to Customer for the acts and omissions of its Sub-processors with respect to Customer Personal Data, to the same extent as if Rad Dad Labs performed the services directly.
4. Security
4.1 Technical and Organizational Measures
Rad Dad Labs maintains administrative, technical, and physical safeguards appropriate to the nature of the Personal Data Processed. A description of those measures as of the Effective Date is set out in Appendix B. Rad Dad Labs may update these measures from time to time provided that any such update does not materially diminish the protection of Personal Data.
4.2 Personnel Confidentiality
Rad Dad Labs will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
4.3 No Public-Facing Security Whitepaper
Rad Dad Labs will provide a written security overview to Customer upon reasonable request, subject to a customary mutual non-disclosure agreement. The Phase 1 Service does not include a SOC 2 report or equivalent third-party certification.
5. Security Incidents
5.1 Notification
Rad Dad Labs will notify Customer of a Security Incident affecting Customer's Personal Data without undue delay and no later than seventy-two (72) hours after Rad Dad Labs becomes aware of it. Notification will include the information then known about the nature and likely impact of the incident, the categories and approximate number of records affected, and the steps taken or planned to remediate.
5.2 Investigation and Remediation
Rad Dad Labs will investigate Security Incidents, take reasonable steps to remediate, and provide reasonable cooperation with Customer in connection with regulator notifications or affected-individual notifications that Customer is required to make.
5.3 No Acknowledgment of Liability
Notification under Section 5.1 is not, and does not constitute, an acknowledgment of fault or liability by Rad Dad Labs.
6. Data Subject Rights Assistance
6.1 Forwarding
If Rad Dad Labs receives a request from an individual purporting to exercise rights under Applicable Data Protection Law that relate to Personal Data Processed on Customer's behalf, Rad Dad Labs will, except where the law permits direct response, forward the request to Customer without responding to the substance and will not respond to the data subject except to confirm receipt and direct the data subject to Customer.
6.2 Cooperation
Rad Dad Labs will provide reasonable assistance to Customer in responding to verified individual rights requests, including by providing access to, correction of, or deletion of relevant Personal Data through the Service or through reasonable export (including JSON or CSV format on request).
6.3 Cost
Rad Dad Labs will provide assistance under Section 6.2 at no additional charge for the volumes reasonably expected in Customer's tier. Disproportionate or repeated requests may be subject to a reasonable cost reimbursement.
6.4 Direct CCPA Responses
Where Rad Dad Labs is required by law to respond directly (for example, under CCPA verifiable consumer requests where Rad Dad Labs is acting as a Business with respect to certain data), Rad Dad Labs will respond in accordance with that law and notify Customer where permitted.
7. Audits
7.1 Audit Right
Once per twelve-month period, on at least thirty (30) days' advance written notice and subject to mutual non-disclosure, Customer may request a written response to a security questionnaire and a copy of any then-current third-party assessment or summary, to the extent one exists. Phase 1 of the Service does not include on-site customer audits or live penetration test access.
7.2 SOC 2 Substitute
If Rad Dad Labs becomes subject to a SOC 2 or equivalent third-party attestation, Rad Dad Labs will share the report under NDA and that report will satisfy Section 7.1 for the period covered.
7.3 Regulator Requests
Rad Dad Labs will cooperate with bona fide regulator inquiries directed to Customer, subject to Section 2.8.
8. Deletion or Return of Data
8.1 Upon Termination
Within thirty (30) days of termination of the Service, Customer may request export of Customer Content as described in Section 8.4 of the Terms (including in JSON or CSV format). After the export window or upon Customer instruction, Rad Dad Labs will delete or de-identify Personal Data in accordance with the retention schedule in Section 8 of the Privacy Policy.
8.2 Retention Exceptions
Notwithstanding Section 8.1, Rad Dad Labs may retain Personal Data (a) in the audit log for the seven-year retention period; (b) where required by law; (c) in backups until they cycle out in the ordinary course; and (d) in de-identified or aggregated form indefinitely.
9. International Data Transfers
The Service operates entirely in the United States. Rad Dad Labs does not currently transfer Personal Data outside the United States. If Rad Dad Labs begins international transfers, the parties will execute appropriate transfer mechanisms, including the EU Standard Contractual Clauses (including Module Two, controller-to-processor, with appropriate Annexes derived from this DPA's Appendices) or successor instruments, and the UK International Data Transfer Addendum if applicable. The procedure in Sections 3.2 and 3.3 on new Sub-processors applies.
10. Limitation of Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions in Section 12 of the Terms. For the avoidance of doubt, this DPA does not increase or reduce a party's liability under the Terms except to the extent expressly required by Applicable Data Protection Law.
11. Term and Termination
This DPA takes effect on the Effective Date of the Terms and continues for as long as Rad Dad Labs Processes Personal Data on Customer's behalf. Provisions that by their nature should survive termination, including Sections 5, 6.2, 7.3, and 8, survive.
12. Order of Precedence
In the event of a conflict between the Terms, this DPA, and the Privacy Policy: (a) this DPA controls with respect to the Processing of Personal Data; (b) any Order Form controls on commercial terms; (c) the Terms control on other matters; and (d) the Privacy Policy controls on the description of Rad Dad Labs's privacy practices toward individuals.
13. Governing Law
This DPA is governed by the laws of the State of Louisiana, except where Applicable Data Protection Law requires a different governing law for transfer mechanisms or specific provisions.
Appendix A — Sub-processors
As of the Effective Date of this DPA, Rad Dad Labs engages the following Sub-processors:
| # | Sub-processor | Function | Type of Personal Data Processed | Region | Status |
|---|---|---|---|---|---|
| 1 | Vercel, Inc. (San Francisco, CA) | Application hosting, edge delivery, build infrastructure | Account, product, barcode, permit, and access log data; transmitted via TLS | United States | Active |
| 2 | Supabase, Inc. (San Francisco, CA) | Primary database, object storage (including any uploaded COA PDF or permit document), authentication | All Personal Data described in Section 2.7 | United States | Active |
| 3 | Stripe, Inc. (South San Francisco, CA) — Rad Dad Labs Stripe account acct_1TPleSKIdVuYBLq3 | Payment processing; subscription billing; invoicing | Account administrator name and email; billing address; payment method tokens; transaction history. Card numbers and CVV are not transmitted to or stored by Rad Dad Labs. | United States | Active |
| 4 | Resend, Inc. (San Francisco, CA) | Transactional email, alert email, recall notification email delivery | Recipient email address; message content as configured by the Service | United States | Active |
| 5 | Cloudflare, Inc. (San Francisco, CA) | Edge cache, DDoS mitigation, WAF, optionally TLS termination | Truncated source IP, user agent, request metadata for routed requests | United States | Pending — engagement in queue; will be activated upon contract execution and DNS cutover |
This Appendix A is the current authoritative list. The list may also be published at raddadlabs.com/sub-processors. In the event of conflict between this Appendix A and the published page, this Appendix A controls. Customer can subscribe to notice of changes per Section 3.2.
Appendix B — Technical and Organizational Measures
Rad Dad Labs maintains the following measures as of the Effective Date. These may be updated from time to time consistent with Section 4.1.
Access Control:
- Multi-factor authentication required for administrative access
- Role-based access controls within the application
- Principle of least privilege for personnel
- Separation of production and development environments
Encryption:
- TLS 1.2 or higher for all data in transit
- Encryption at rest provided by Sub-processor (Supabase, Vercel platform encryption)
- Encryption at rest for sensitive fields stored in the database
- Secrets management via environment-scoped variables; no plaintext secrets in source control
Network Security:
- Cloudflare or equivalent edge protection (Cloudflare pending; see Appendix A)
- Application-layer rate limiting
- IP-level abuse monitoring
Logging and Monitoring:
- Application access and audit logs retained per the Privacy Policy retention schedule
- Alerting on anomalous authentication patterns
- Database query logs at Sub-processor level
Personnel:
- Background checks where permitted by law for personnel with production data access
- Confidentiality obligations in personnel agreements
- Security awareness training
Vendor Management:
- Written agreements with all Sub-processors imposing equivalent data protection obligations
- Periodic review of Sub-processor security posture
Software Security:
- Regular dependency review and patching
- Documented secure-development practices
Incident Response:
- Documented Security Incident response procedure
- 72-hour Customer notification commitment (Section 5.1)
Business Continuity:
- Sub-processor-managed backups
- Configuration as code, redeployable on incident