← Back to home

Data Processing Agreement

Last updated: 28 April 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Jolo Vita (KvK: 87189437), operating as Bulk Contact Manager ("Processor"), and the user of the Service ("Controller").

1. Subject Matter and Nature of Processing

The Processor provides a third-party software application that integrates with the Controller's Xero account. To provide filtering, bulk-editing, and anonymization features, the Processor will temporarily cache and process personal data stored in the Controller's Xero environment.

2. Roles of the Parties

Under the EU General Data Protection Regulation (GDPR), the Controller is the owner and "Data Controller" of the Xero contacts. The Processor acts exclusively as the "Data Processor" and will only process this data based on the Controller's documented instructions (i.e., the user's interactions with the Bulk Contact Manager application).

3. Obligations of the Processor

To ensure the safety of the Controller's data, the Processor agrees to:

  • Confidentiality: Ensure that all persons authorized to process the personal data have committed themselves to strict confidentiality.
  • Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (detailed in Annex 2).
  • Data Subject Rights: Assist the Controller, insofar as possible, in fulfilling their obligation to respond to requests from individuals exercising their GDPR rights (e.g., Right to be Forgotten). Because the Processor's tool is explicitly designed to assist with data anonymization, the Controller can execute these requests directly within the application.
  • Personal Data Breaches: Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.

4. Sub-processors

The Controller grants the Processor general authorization to engage sub-processors to deliver the Service. The Processor remains fully liable for the acts of its sub-processors. The current list of authorized sub-processors is:

  • Hetzner Online GmbH (Germany): Cloud server hosting and database infrastructure.
  • Proton AG (Switzerland): Inbound email handling for support, privacy, and legal addresses. Switzerland is recognized as an adequate country under the GDPR.
  • Resend, Inc. (data processing region: Ireland, EU): Transactional email delivery for marketing-site forms. Resend, Inc. is incorporated in the United States; outbound email content is processed and stored in the EU. Any residual transfers outside the EEA (e.g., parent-company support access) are governed by Standard Contractual Clauses.

Sub-processor Changes

The Processor will update this DPA if new sub-processors are added, giving the Controller the opportunity to object.

5. Return or Deletion of Data

Upon termination of the Service (e.g., the Controller disconnects the application from their Xero dashboard), the Processor will promptly and permanently delete all cached personal data belonging to the Controller from its active systems.

Annex 1: Details of Processing

  • Categories of Data Subjects: Customers, clients, suppliers, and employees of the Controller whose details are stored in the Controller's Xero account.
  • Types of Personal Data: Names, email addresses, physical addresses, telephone numbers, tax identification numbers, bank account details (where stored on supplier or customer contacts in Xero), contact group memberships, contact persons (named individuals at customer or supplier organizations), free-text user-entered notes about contacts, and basic invoice metadata (invoice dates and identifiers).
  • Duration: For the duration the Controller maintains an active connection between the Service and their Xero account.

Annex 2: Technical and Organizational Security Measures

The Processor implements the following baseline security measures:

  • Encryption: OAuth tokens are encrypted at rest using AES-256-GCM. All data in transit is encrypted using TLS 1.3.
  • Hosting: All database and application servers are physically located within the European Union (Germany).
  • Tenant Isolation: Database architecture strictly isolates data at the query level based on the Controller's unique Xero Tenant ID.
  • Data Minimization: No financial amounts, line items, or general ledgers are synchronized or stored by the Processor.

Contact

For questions about this DPA, contact privacy@bulkcontactmanager.com or legal@bulkcontactmanager.com.

← Back to home