Data Processing Agreement

Last updated: April 11, 2026

This Data Processing Agreement ("DPA") supplements the Cosma Terms of Service and governs the processing of personal data by BigBoost AI LLC ("Processor") on behalf of the customer ("Controller") in connection with the Cosma platform.

1. Definitions

"Personal Data" means any data relating to an identified or identifiable natural person processed through the Service. "Processing" means any operation performed on Personal Data including collection, storage, retrieval, use, and deletion. "GDPR" means Regulation (EU) 2016/679.

2. Scope & Roles

The Controller determines the purposes and means of processing advertising data through Cosma. The Processor processes Personal Data only on documented instructions from the Controller (i.e., through the Service configuration and connected ad accounts). The categories of data processed include: advertising account identifiers, campaign performance metrics, ad creative metadata, and user account information (name, email).

3. Processor Obligations

The Processor shall: process Personal Data only on documented instructions from the Controller; ensure that persons authorized to process Personal Data are bound by confidentiality obligations; implement appropriate technical and organizational security measures (see Section 5); not engage subprocessors without prior authorization (see our Subprocessors page for the current list); assist the Controller in responding to data subject requests; delete or return all Personal Data upon termination of the agreement; and make available all information necessary to demonstrate compliance.

4. Controller Obligations

The Controller warrants that it has a valid legal basis under applicable data protection law for the processing it instructs the Processor to carry out, that it has provided all required notices to data subjects, and that its instructions to the Processor comply with applicable law.

5. Security Measures

The Processor implements technical and organizational measures appropriate to the risk, including: AES-256 encryption (Fernet) for stored OAuth tokens; TLS 1.2+ for all data in transit; parameterized database queries; Row Level Security on Supabase PostgreSQL; role-based access controls; logical isolation of customer data via per-client BigQuery datasets; and continuous error monitoring via Sentry. Full details are documented on our Security page.

6. Subprocessors

The Controller authorizes the Processor to engage the subprocessors listed on our Subprocessors page. The Processor will notify the Controller of any intended additions or replacements of subprocessors at least 30 days before the change takes effect, giving the Controller the opportunity to object on reasonable grounds.

7. International Data Transfers

Personal Data is processed in India (application server) and the United States (BigQuery, Supabase, Clerk). For transfers from the EEA, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) by reference. The Processor warrants that it will cooperate with the Controller to conduct transfer impact assessments where required.

8. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures in fulfilling its obligation to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). Requests received directly by the Processor will be forwarded to the Controller without undue delay.

9. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach. The notification will describe the nature of the breach, likely consequences, measures taken or proposed, and contact details for further information.

10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. Upon reasonable written request (not more than once per year, except after a breach), the Controller may conduct audits — including via an independent third party bound by confidentiality — at its own expense and subject to reasonable scheduling.

11. Return or Deletion of Data

Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by applicable law. Standard deletion timelines are specified in our Privacy Policy (Section 5: Data Retention).

12. Liability & Governing Law

The liability of each party under this DPA is subject to the limitations set out in the Cosma Terms of Service. This DPA is governed by the laws of the State of Wyoming, United States, without regard to conflict of law principles, except that provisions concerning GDPR are governed by applicable EU law where required.