Data Processing Addendum

Last updated: June 2, 2026

This Data Processing Addendum ("DPA") supplements and forms part of the Platform Terms of Service, Order Form, or other agreement between Beep Messaging LLC ("Beep") and the customer that provides or makes available Customer Personal Data to Beep ("Customer") in connection with the Services (the "Agreement"). This DPA governs Beep's processing of Customer Personal Data on behalf of Customer.

If there is a conflict between this DPA and the Agreement, this DPA controls for Customer Personal Data.

1. Definitions

"Applicable Privacy Laws" means U.S. federal and state privacy, data protection, text communication, consumer protection, and similar laws applicable to Beep's processing of Customer Personal Data as a service provider or processor for Customer.

"Customer Personal Data" means personal information or personal data that Customer provides, uploads, imports, submits, or otherwise makes available to Beep for processing on Customer's behalf through the Services.

"Processing" means any operation performed on Customer Personal Data, including collection, receipt, storage, organization, use, consultation, transmission, disclosure, retrieval, deletion, return, or destruction.

"Subprocessor" means a third party engaged by Beep to process Customer Personal Data to provide the Services.

Terms such as business, controller, processor, service provider, sell, and share have the meanings given under Applicable Privacy Laws.

2. Roles of the parties

Customer is the business/controller for Customer Personal Data. Beep is the service provider/processor processing Customer Personal Data on behalf of Customer for the business purposes described in the Agreement and this DPA.

Customer determines the purposes and means of processing, including what data is submitted, which recipients are contacted, what messages are sent, what legal basis applies, and how individual rights requests are handled. Beep processes Customer Personal Data to provide the Services and according to Customer's instructions, the Agreement, this DPA, and Applicable Privacy Laws.

3. Scope, purpose, and duration

Beep processes Customer Personal Data to provide, secure, support, maintain, improve, bill for, and document the Services, including:

  • account administration and user access;
  • contact import, storage, segmentation, tagging, and campaign management;
  • SMS/MMS sending, receiving, routing, delivery reporting, opt-out handling, and reply management;
  • 10DLC, brand, campaign, number, and carrier registration/support;
  • compliance logging, auditing, fraud/security monitoring, abuse prevention, and incident response;
  • support, troubleshooting, analytics, and service improvement;
  • API, integration, automation, and AI-assisted functionality where enabled by Customer; and
  • legal, contractual, carrier, accounting, tax, and compliance obligations.

Processing lasts for the Term of the Agreement and any period necessary for return/deletion, backups, legal obligations, dispute resolution, compliance, security, and recordkeeping.

4. Categories of data subjects

Customer Personal Data may concern:

  • voters, supporters, donors, members, volunteers, activists, prospects, event attendees, or other individuals identified by Customer;
  • message recipients and contacts imported from voter files, public records, customer systems, opt-in forms, or third-party data providers;
  • Customer's staff, contractors, consultants, volunteers, and authorized users;
  • candidates, campaign staff, committee personnel, nonprofit/labor/advocacy personnel, and civic-engagement program participants; and
  • individuals who reply to, opt out of, or otherwise interact with Customer communications.

5. Categories of Customer Personal Data

Customer Personal Data may include:

  • identifiers such as name, phone number, email, address, account username, and internal IDs;
  • civic, voter-file, public-record, district, geography, precinct, and engagement attributes provided by Customer or its vendors;
  • communication data such as message content, replies, call/text history, delivery status, timestamps, opt-out status, source, tags, notes, and campaign affiliation;
  • customer-user data such as names, emails, roles, login metadata, API-key metadata, audit logs, workflow actions, prompts/instructions, and support records;
  • billing/usage data associated with Customer's account; and
  • other information Customer chooses to submit to the Services.

Customer must not submit regulated sensitive data unless expressly authorized in the Agreement and supported by appropriate legal review.

6. Beep processing commitments

Beep will:

  1. process Customer Personal Data only to provide the Services, as described in the Agreement, this DPA, Customer's instructions, or as otherwise permitted or required by law;
  2. not sell Customer Personal Data;
  3. not share Customer Personal Data for cross-context behavioral advertising except as expressly authorized by Customer and permitted by law;
  4. not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for a commercial purpose other than providing the Services, except as permitted by Applicable Privacy Laws;
  5. use reasonable security measures appropriate to the nature of Customer Personal Data;
  6. ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations;
  7. provide reasonable assistance to Customer for privacy rights requests, security obligations, and compliance inquiries, taking into account the nature of the Services and information available to Beep;
  8. notify Customer if Beep determines it can no longer meet its obligations under Applicable Privacy Laws or this DPA; and
  9. upon reasonable written request, make available information necessary to demonstrate Beep's compliance with this DPA, subject to confidentiality, security, and commercial sensitivity limits.

7. Customer obligations

Customer represents and warrants that:

  1. Customer has provided all legally required notices and obtained all legally required consents, permissions, opt-ins, authorizations, or other legal bases for Customer's collection, disclosure, and processing of Customer Personal Data;
  2. Customer's instructions to Beep comply with Applicable Privacy Laws, TCPA, CTIA guidance, carrier rules, 10DLC requirements, consumer protection laws, election laws, campaign-finance laws, lobbying laws, and other Applicable Law;
  3. Customer will not submit Customer Personal Data that it is not legally permitted to process through the Services;
  4. Customer is responsible for responding to privacy rights requests from individuals unless the Agreement states otherwise;
  5. Customer will maintain appropriate records supporting consent, opt-in, source, suppression, and compliance obligations; and
  6. Customer will not use the Services to mislead, harass, unlawfully discriminate against, or unlawfully contact individuals.

Beep is not required to independently verify the lawfulness of Customer Personal Data, Customer's contact lists, Customer's message content, Customer's opt-in records, or Customer's campaign practices.

8. Subprocessors

Customer authorizes Beep to engage Subprocessors to provide the Services. Beep may provide a Subprocessor list to Customer upon reasonable request, by customer notice, or by making a list available on Beep's website when Beep determines a public list is ready. Beep will provide notice of new material Subprocessors that process Customer Personal Data by a reasonable mechanism, which may include email, account notice, Order Form notice, website update, or customer-available list update.

Customer may object to a new Subprocessor within 10 business days after notice if Customer reasonably believes the Subprocessor's processing would materially violate Applicable Privacy Laws. If the parties cannot resolve the objection, Beep may either not use the Subprocessor for Customer or allow Customer to terminate the affected Services.

Beep will enter into written agreements with Subprocessors that impose data-protection obligations consistent with Beep's obligations under this DPA, as applicable to the services provided.

9. Security incidents

Beep will notify Customer without undue delay after confirming a security incident involving unauthorized access to or disclosure of Customer Personal Data processed by Beep. Unless a shorter period is required by the Agreement or Applicable Law, Beep will target notice no later than 72 hours after confirming such an incident. Notice will include available information reasonably necessary for Customer to meet its obligations, subject to law enforcement, security, and investigation constraints.

Customer is responsible for determining whether notification to individuals, regulators, carriers, or other parties is required, unless the Agreement states otherwise.

10. Privacy rights requests and recipient replies

Beep does not monitor or evaluate all communications between Customer and recipients. Customer is responsible for reviewing replies, inquiries, opt-out requests, privacy rights requests, and other communications received through the Services and for responding where required by law.

Beep will provide reasonable technical and operational assistance, where available, for export, deletion, suppression, access, correction, or opt-out workflows. Beep may charge reasonable fees for assistance outside standard platform functionality unless prohibited by law or the Agreement.

11. Return or deletion

At the end of the Services, upon Customer's written request, Beep will return or delete Customer Personal Data within a commercially reasonable period, unless retention is required or permitted by law, security, backup, dispute, accounting, tax, carrier, compliance, or contractual obligations.

Beep may retain aggregated, anonymized, or de-identified data that does not identify Customer or individuals, provided such retention complies with Applicable Privacy Laws.

12. Audits and compliance information

Upon reasonable written request, Beep will provide documentation or information reasonably necessary to demonstrate compliance with this DPA. Any audit or review must be conducted in a way that protects Beep's systems, security, confidentiality, other customers, and commercial information; avoids unreasonable disruption; and is limited to information relevant to Customer Personal Data.

13. International transfers

The Services are primarily intended for U.S. use. Customer must not use the Services for international data transfers or non-U.S. recipients unless authorized in the Agreement and supported by appropriate legal safeguards. If GDPR, UK GDPR, or similar international transfer obligations apply, the parties will enter appropriate supplemental terms before such processing.

14. Term

This DPA begins when Customer signs an Order Form or otherwise uses the Services and ends when Beep no longer processes Customer Personal Data, except for provisions that by nature survive.

15. Contact

Beep Messaging LLC
Attn: Data Processing Addendum
418 Broadway #11549
Albany, NY 12207, USA
Email: [email protected]