Data Processing Agreement

Last updated: January 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Ado, Inc. d.b.a. Bamboo ("Bamboo", "Processor", "we", "us", or "our"), a Delaware corporation, and you ("Customer", "Controller", "you", or "your").

This DPA applies to the extent that Bamboo processes Personal Data on behalf of Customer in providing the Services.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including, where applicable, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other similar data protection laws.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data.

"Customer Data" means all data, including Personal Data, that Customer submits to, uploads to, or that is collected through the Services on Customer's behalf.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Bamboo in connection with the Services.

"Processing" (and its derivatives) means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.

"Processor" means an entity that processes Personal Data on behalf of a Controller.

"Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of, Customer Data.

"Services" means the Bamboo platform and services as described in the Agreement.

"Subprocessor" means any third party engaged by Bamboo to process Customer Data on behalf of Customer.

2. Roles and Scope

2.1 Roles of the Parties

The parties acknowledge and agree that:

  • Customer is the Controller of Customer Data
  • Bamboo is the Processor of Customer Data
  • Bamboo processes Customer Data solely on behalf of Customer and in accordance with Customer's documented instructions

2.2 Scope of Processing

Bamboo processes Customer Data solely for the purposes of providing the Services, which include:

  • Aggregating and storing advertising and marketing performance data
  • Providing analytics, reporting, and trend analysis
  • Generating AI-powered insights and recommendations
  • Enabling integrations with third-party advertising platforms

2.3 Categories of Personal Data

Customer Data may include the following categories of Personal Data, depending on Customer's use of the Services:

  • Business contact information (names, email addresses, phone numbers)
  • Account identifiers and credentials
  • Advertising campaign performance metrics
  • Audience segment data from advertising platforms
  • Marketing engagement data

2.4 Data Subjects

Data Subjects may include:

  • Customer's employees and authorized users
  • Customer's end users and customers (to the extent included in advertising data)
  • Individuals whose data is included in advertising platform reports

3. Customer Obligations

Customer represents and warrants that:

  • Customer has obtained all necessary consents and authorizations to collect and share Personal Data with Bamboo
  • Customer's instructions to Bamboo comply with Applicable Data Protection Law
  • Customer has provided appropriate privacy notices to Data Subjects

4. Bamboo Obligations

4.1 Processing Instructions

Bamboo shall:

  • Process Customer Data only in accordance with Customer's documented instructions, unless required by law
  • Inform Customer if, in Bamboo's opinion, an instruction violates Applicable Data Protection Law
  • Ensure that persons authorized to process Customer Data are subject to confidentiality obligations

4.2 Security Measures

Bamboo shall implement and maintain appropriate technical and organizational measures to protect Customer Data, including:

  • Encryption of Customer Data in transit (TLS 1.2 or higher)
  • Encryption of Customer Data at rest
  • Access controls and authentication mechanisms
  • Regular security assessments
  • Employee security training

4.3 Subprocessors

Bamboo uses Subprocessors to provide the Services. The current list of Subprocessors is available at withbamboo.com/legal/subprocessors.

Bamboo shall:

  • Provide at least thirty (30) days' notice before engaging a new Subprocessor by updating the Subprocessor list
  • Enter into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of its Subprocessors

Customer may object to a new Subprocessor by providing written notice to Bamboo within fifteen (15) days of the notification. If the parties cannot resolve the objection, Customer may terminate the affected Services.

4.4 Data Subject Rights

Bamboo shall, taking into account the nature of the processing, assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, data portability, and objection.

If Bamboo receives a request directly from a Data Subject, Bamboo shall promptly notify Customer and shall not respond to the request without Customer's authorization, unless required by law.

4.5 Assistance with Compliance

Upon Customer's request, Bamboo shall provide reasonable assistance to Customer with:

  • Data protection impact assessments
  • Consultations with supervisory authorities
  • Compliance with security, breach notification, and data protection obligations under Applicable Data Protection Law

5. No Training on Customer Data

Bamboo and its Subprocessors do not use Customer Data to train, develop, or improve generalized machine learning models, foundation models, or artificial intelligence systems. Customer Data is processed solely to provide the Services.

6. AI Providers and API Usage

Bamboo uses AI model providers (through OpenRouter) to deliver AI-powered features of the Services. Bamboo:

  • Uses its own API credentials to access AI providers
  • Acts as Processor when transmitting Customer Data to AI providers
  • Has contractual commitments from AI providers that prohibit use of Customer Data for model training

Customer is not required to establish separate agreements with AI providers to use the Services.

7. Data Storage and Transformation

7.1 Storage

Bamboo stores Customer Data in its databases hosted on Supabase for the following purposes:

  • Historical analysis and reporting
  • Trend identification and insights
  • AI-powered analysis and recommendations

7.2 Data Transformation

Customer Data may be:

  • Stored in raw form as received from connected platforms
  • Transformed, normalized, or aggregated to enable analytics features

Both raw and transformed data are subject to the protections in this DPA.

8. Security Incidents

8.1 Notification

Bamboo shall notify Customer without undue delay (and in no event later than seventy-two (72) hours) after becoming aware of a Security Incident affecting Customer Data.

8.2 Incident Response

Bamboo shall:

  • Investigate the Security Incident and take reasonable steps to mitigate its effects
  • Provide Customer with information about the nature of the incident, categories of data affected, and remedial measures taken
  • Cooperate with Customer's reasonable requests related to the incident

9. Data Deletion and Return

9.1 Deletion Upon Request

Customer may request deletion of Customer Data at any time by submitting a request through withbamboo.com/legal/data-deletion. Bamboo shall delete Customer Data within thirty (30) days of a verified request.

9.2 Deletion Upon Termination

Upon termination of the Agreement, Bamboo shall delete Customer Data within thirty (30) days, unless retention is required by law or for legitimate business purposes (such as maintaining audit logs or resolving disputes).

9.3 Exceptions

Bamboo may retain Customer Data as necessary to:

  • Comply with legal obligations
  • Resolve disputes
  • Enforce the Agreement

Retained data shall remain subject to the confidentiality and security obligations of this DPA.

10. Audits

Upon Customer's written request (not more than once per year), Bamboo shall make available information reasonably necessary to demonstrate compliance with this DPA. Bamboo may satisfy audit requests by providing:

  • Third-party audit reports or certifications
  • Responses to security questionnaires
  • Documentation of security controls

11. International Data Transfers

Bamboo primarily processes Customer Data in the United States. To the extent Customer Data originates from jurisdictions with data transfer restrictions (such as the European Economic Area), Bamboo relies on appropriate transfer mechanisms, including:

  • Standard Contractual Clauses (where applicable)
  • Subprocessor agreements incorporating appropriate safeguards

12. Limitation of Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.

13. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. The obligations of Bamboo with respect to Customer Data shall survive termination to the extent Bamboo retains Customer Data as permitted by this DPA.

14. Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Data.

15. Contact

For questions about this DPA or to exercise data protection rights, contact:

Ado, Inc. d.b.a. Bamboo
Email: data-requests@withbamboo.com

Annex A: Description of Processing

ElementDescription
Subject MatterProcessing of advertising and marketing data to provide analytics and AI-powered insights
DurationFor the term of the Agreement plus any retention periods
Nature and PurposeCollection, storage, analysis, transformation, and reporting of advertising performance data
Categories of Data SubjectsCustomer employees, authorized users, and individuals included in advertising platform data
Categories of Personal DataBusiness contact information, account identifiers, advertising metrics, audience data
Processing OperationsStorage, retrieval, analysis, transformation, aggregation, AI-powered analysis, reporting

Annex B: Technical and Organizational Measures

Bamboo implements the following security measures:

Access Control

  • Role-based access controls
  • Multi-factor authentication for administrative access
  • Regular access reviews

Encryption

  • TLS 1.2+ for data in transit
  • AES-256 encryption for data at rest

Infrastructure Security

  • Hosting on Vercel with enterprise-grade security
  • Database hosted on Supabase with encryption and access controls
  • Regular security updates and patching

Monitoring and Logging

  • Audit logging of administrative actions
  • Security event monitoring
  • Incident response procedures

Personnel Security

  • Confidentiality agreements for employees
  • Security awareness training
  • Background checks where appropriate

Business Continuity

  • Regular data backups
  • Disaster recovery procedures
  • Geographic redundancy through cloud providers