logo

Products

Products owerview

Coverage

Need help choosing?

Contact Sales|Get your SIM for free

Solutions

Solutions owerview

Test it in your solution?

Contact Sales|Get your SIM for free

Resources

Resources owerview

Looking for support?

Contact Sales|Visit Support Center

Pricing

Data Processing Addendum

Last updatedFebruary 6, 2026

This Data Processing Addendum (“DPA”) is a formal agreement between Simbase INC., a corporation organized under the laws of the State of Delaware (“Simbase”) and the entity outlined in the Agreement (“Customer”). Both parties are herein individually referred to as a “Party” and together as the “Parties.”

This DPA is seamlessly integrated into and forms an essential part of the subscription agreement that governs the usage of the Service (the “Agreement”) between the Parties. Any capitalized terms within this DPA, unless otherwise defined, shall carry the same meaning as specified in the Agreement. In instances of discrepancies or inconsistencies between this DPA, any previously executed data processing agreement, and other parts of the Agreement, the stipulations of this DPA shall prevail.

The essence of this DPA revolves around the conditions that apply when Simbase processes Personal Information under the Agreement. It is crafted to ensure that such processing aligns with Applicable Law and upholds the rights of individuals whose Personal Information is processed.

1. Definitions

“Applicable Law” means all applicable United States federal and state laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to the Agreement, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), and any other applicable state privacy or data protection law.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual or household, as defined under Applicable Law. This includes, where applicable, “personal information” as defined under the CCPA/CPRA and equivalent terms under other state privacy laws.

“Service Provider” means Simbase when it processes Personal Information on behalf of the Customer pursuant to the Agreement, as that term is understood under Applicable Law (including “processor” under applicable state privacy laws).

“Subprocessor” means any third party engaged by Simbase to assist in processing Personal Information on behalf of the Customer.

“Consumer” means an individual who is the subject of Personal Information processed under this DPA, including any “consumer” or “data subject” as defined under Applicable Law.

“Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise processed by Simbase or its Subprocessors in connection with the Agreement.

2. Scope and Applicability

This DPA applies to the processing of Personal Information by Simbase on behalf of the Customer in connection with the provision of Services under the Agreement. This DPA is applicable to Customers domiciled in the United States or Canada and to the processing of Personal Information of Consumers located in the United States or Canada.

Simbase shall process Personal Information only to the extent necessary to fulfill its obligations under the Agreement and in accordance with the Customer’s documented instructions, unless processing is required by Applicable Law, in which case Simbase shall, to the extent permitted by law, inform the Customer of such legal requirement before processing.

3. Obligations of Simbase

In its capacity as a Service Provider under this DPA, Simbase shall:

(a) process Personal Information only as reasonably necessary and proportionate to achieve the operational purposes set forth in the Agreement, and in accordance with the Customer’s documented instructions;

(b) not sell Personal Information, as that term is defined under the CCPA/CPRA or equivalent state privacy laws;

(c) not retain, use, or disclose Personal Information for any purpose other than for the specific purposes set forth in the Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services specified in the Agreement;

(d) not share Personal Information for cross-context behavioral advertising purposes, as defined under the CCPA/CPRA;

(e) not combine Personal Information received from or on behalf of the Customer with Personal Information that Simbase receives from or on behalf of another person or persons, or collects from its own interactions with Consumers, except as expressly permitted under Applicable Law;

(f) implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, destruction, use, modification, or disclosure, consistent with the standards described in Simbase’s Data Security Standards available at www.simbase.com/terms/data-security-standards;

(g) ensure that all employees, agents, and personnel authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality;

(h) at the written request of the Customer, delete or return Personal Information (and any copies of the same) to the Customer on termination of this Agreement, unless required by Applicable Law to retain such Personal Information;

(i) make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this section, and allow for and meaningfully contribute to audits, including inspections, conducted by the Customer or its designated auditor (at the Customer’s cost and expense unless otherwise agreed);

(j) notify the Customer without undue delay after becoming aware of a Personal Information Breach, and provide reasonable cooperation and assistance in identifying, remediating, and mitigating the effects of such breach; and

(k) upon reasonable request, provide the Customer with a summary or copy of the results of any relevant third-party security audits or assessments conducted in relation to the Services.

4. Obligations of Customer

The Customer shall:

(a) ensure that its use of the Services and its instructions for the processing of Personal Information comply with Applicable Law, including providing any required notices to, and obtaining any required consents or authorizations from, Consumers whose Personal Information will be processed under the Agreement;

(b) have sole responsibility for the accuracy, quality, and legality of Personal Information provided to Simbase and the means by which the Customer acquired such Personal Information;

(c) promptly notify Simbase of any Consumer rights requests that require Simbase’s assistance to fulfill, and cooperate with Simbase in responding to such requests within the timeframes required by Applicable Law; and

(d) ensure that it does not disclose to Simbase any categories of Personal Information that Simbase is not authorized to process under the Agreement.

5. Consumer Rights Requests

Simbase shall provide reasonable assistance to the Customer in responding to verifiable Consumer rights requests under Applicable Law, including requests to access, delete, correct, or opt out of the sale or sharing of Personal Information.

If Simbase receives a Consumer rights request directly, Simbase shall promptly notify the Customer and shall not respond to such request directly unless authorized by the Customer or required by Applicable Law. Simbase shall cooperate with the Customer to fulfill such requests within the timeframes prescribed by Applicable Law, which are generally:

(a) California (CCPA/CPRA): 45 days from receipt of a verifiable request, with a possible extension of an additional 45 days upon notice to the Consumer;

(b) Virginia (VCDPA): 45 days from receipt, with a possible extension of an additional 45 days upon notice;

(c) Colorado (CPA) and Connecticut (CTDPA): 45 days from receipt, with a possible extension of an additional 45 days upon notice; and

(d) other applicable states: as prescribed by the relevant state privacy law.

6. Subprocessors

The Customer hereby grants Simbase a general written authorization to engage Subprocessors for the processing of Personal Information under this DPA. A current list of Simbase’s Subprocessors is available at www.simbase.com/terms/subprocessors.

Simbase shall provide reasonable advance notice to the Customer before engaging a new Subprocessor or replacing an existing Subprocessor, by updating the Subprocessors page referenced above or by direct notification. If the Customer objects to a new Subprocessor on reasonable grounds related to data protection, the Customer shall notify Simbase in writing within fourteen (14) days of receiving notice. The Parties shall work together in good faith to find a mutually acceptable resolution. If no resolution can be reached, the Customer may terminate the affected Service without penalty upon written notice to Simbase.

Simbase shall ensure that each Subprocessor is bound by obligations no less protective than those set forth in this DPA, and Simbase shall remain fully liable to the Customer for the acts and omissions of its Subprocessors.

7. Personal Information Breach

In the event of a Personal Information Breach, Simbase shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach. Such notification shall include, to the extent reasonably available:

(a) a description of the nature of the breach, including where possible the categories and approximate number of Consumers and records concerned;

(b) the name and contact details of the point of contact within Simbase from whom further information can be obtained;

(c) a description of the likely consequences of the breach; and

(d) a description of the measures taken or proposed to be taken by Simbase to address the breach and mitigate its possible adverse effects.

Simbase shall cooperate with the Customer in fulfilling any breach notification obligations under Applicable Law, which generally require notification to affected Consumers and, where applicable, to state attorneys general within timeframes ranging from thirty (30) to ninety (90) days depending on the jurisdiction.

8. Security Measures

Simbase shall implement and maintain a comprehensive information security program that includes appropriate administrative, technical, and physical safeguards to protect Personal Information, consistent with industry standards including the NIST Cybersecurity Framework and ISO/IEC 27001. Simbase’s security measures are further described in the Data Security Standards available at www.simbase.com/terms/data-security-standards.

These measures shall include, at a minimum: encryption of Personal Information in transit and at rest; access controls and authentication mechanisms; regular vulnerability assessments and penetration testing; employee security awareness training; and incident response procedures.

9. Audits and Compliance

Upon the Customer’s reasonable written request, and subject to appropriate confidentiality obligations, Simbase shall make available information necessary to demonstrate compliance with this DPA. The Customer may conduct or commission an audit of Simbase’s processing activities, provided that:

(a) the Customer provides Simbase with at least thirty (30) days’ prior written notice;

(b) audits are conducted during regular business hours and do not unreasonably disrupt Simbase’s operations;

(c) the Customer bears all costs associated with the audit unless otherwise agreed; and

(d) audit results and any information obtained are treated as Simbase’s Confidential Information.

Where Simbase has obtained relevant third-party certifications or audit reports (such as SOC 2 Type II), Simbase may make such reports available to the Customer in lieu of a direct audit, at Simbase’s discretion.

10. Data Return and Deletion

Upon termination or expiration of the Agreement, and upon the Customer’s written request, Simbase shall, at the Customer’s election, either return all Personal Information to the Customer in a commonly used, machine-readable format, or securely delete all Personal Information in its possession, including all copies, within thirty (30) days of receiving such request.

Simbase shall provide written certification of deletion upon the Customer’s request. Simbase may retain Personal Information to the extent required by Applicable Law, provided that Simbase shall continue to protect such retained Personal Information in accordance with this DPA and shall process it only for the purposes required by law.

11. Liability and Indemnification

Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either Party’s liability for willful misconduct, gross negligence, or any liability that cannot be limited or excluded by Applicable Law.

Each Party shall indemnify, defend, and hold harmless the other Party from and against any third-party claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from or relating to a breach of this DPA by the indemnifying Party, subject to the liability limitations in the Agreement.

12. Governing Law and Dispute Resolution

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, and the applicable federal laws of the United States. To the extent that a specific state privacy law applies to the processing of Personal Information under this DPA, such state law shall also govern the relevant processing activities.

Any dispute arising out of or relating to this DPA that cannot be resolved by the Parties through good faith negotiation shall be submitted to the exclusive jurisdiction of the federal or state courts located in the State of Delaware.

13. Term and Termination

This DPA shall become effective on the date the Agreement is executed and shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, this DPA shall automatically terminate, subject to the provisions of Section 10 (Data Return and Deletion) and any other provisions that by their nature are intended to survive termination, including confidentiality obligations, liability, and indemnification.

14. Miscellaneous

This DPA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter of this DPA.

If any provision of this DPA is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this DPA shall otherwise remain in full force and effect and enforceable.

Simbase may update this DPA from time to time to reflect changes in Applicable Law or Simbase’s processing practices. Simbase shall provide the Customer with reasonable notice of material changes. Continued use of the Services after such notice constitutes acceptance of the updated DPA.

Contact Information

For questions about this DPA or to exercise rights under this DPA, please contact:

Simbase INC.

1401 Pennsylvania Ave, Suite 105 Wilmington, DE 19806

Email: privacy@simbase.com

Website: www.simbase.com