Data Processing Agreement
Last updated: March 31, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Better Version, Inc., a Delaware corporation doing business as LoveBoard ("Processor", "we", "our", or "us"), and the entity or individual who has agreed to the Terms of Service ("Controller", "you", or "your").
This DPA applies to the extent that we process Personal Data on your behalf in the course of providing the LoveBoard platform and services ("Service"). By using the Service, you accept this DPA as part of the Agreement. If you are accepting on behalf of an organization, you represent that you have the authority to bind that organization.
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as referenced in Section 10 of this DPA.
3. Scope and Details of Processing
The following describes the scope of data processing under this DPA:
3.1 Subject Matter and Purpose
The Processor processes Personal Data solely to provide the Service to the Controller. This includes the collection, storage, display, and management of testimonials and associated data submitted through the Controller's collection forms and workspace.
3.2 Duration
Processing continues for the duration of the Agreement. Upon termination, data is handled in accordance with Section 12 of this DPA.
3.3 Categories of Data Subjects
- The Controller's customers and end users who submit testimonials
- Individuals whose testimonials are collected through the Service
- The Controller's team members who are invited to a workspace
3.4 Types of Personal Data
- Name, email address, and other contact information provided in testimonial forms
- Testimonial content including text, images, and video recordings
- IP addresses and browser metadata collected during form submission
- Any additional fields the Controller configures in their collection forms
3.5 Nature of Processing
Collection, storage, organization, retrieval, display (via embeddable widgets and dashboards), and deletion of Personal Data as instructed by the Controller through the Service.
4. Obligations of the Controller
The Controller agrees to:
- Ensure that it has a lawful basis for collecting and processing Personal Data through the Service, including obtaining any necessary consents from Data Subjects
- Provide appropriate privacy notices to Data Subjects before collecting their testimonials, informing them of how their data will be used and their rights
- Ensure that any instructions given to the Processor comply with applicable data protection laws
- Respond to Data Subject requests that relate to the Controller's use of the Service, with assistance from the Processor as described in Section 8
5. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller's instructions are defined by the Agreement and the Controller's use and configuration of the Service
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organizational security measures as described in Section 7
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests as described in Section 8
- Assist the Controller in ensuring compliance with its obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law
6. Sub-Processors
The Controller provides general authorization for the Processor to engage Sub-Processors to assist in providing the Service. The current list of Sub-Processors is as follows:
- Cloudflare, Inc. — Content delivery, security, media storage (R2), and web analytics. Location: United States (global edge network).
- MongoDB, Inc. — Database hosting and data storage. Location: United States.
- Google Cloud (Google LLC) — Cloud infrastructure and related services. Location: United States.
- Stripe, Inc. — Payment processing. Location: United States.
- Resend, Inc. — Transactional and product email delivery. Location: United States.
- Datadog, Inc. — Application monitoring, logging, and observability. Location: United States.
- Featurebase — Knowledge base and product feedback. Location: European Union.
We will notify you via email at least 14 days before adding or replacing any Sub-Processor. If you object to a new Sub-Processor on reasonable data protection grounds, you may notify us in writing within 14 days of our notification. We will work with you in good faith to find a resolution. If no resolution can be reached, you may terminate the affected portion of the Service without penalty.
We impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA. We remain fully liable to you for the performance of each Sub-Processor's obligations.
7. Security Measures
The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent standards, including media files stored on Cloudflare R2.
- Access controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis. Authentication is enforced for all access to production systems.
- Infrastructure security: The Service is hosted on managed cloud infrastructure with built-in redundancy, DDoS protection (via Cloudflare), and automated backups.
- Monitoring: We use application monitoring and logging (via Datadog) to detect and respond to security incidents. Logs are retained for a limited period and access to logs is restricted.
- Workspace isolation: Each workspace is logically isolated. Data, testimonials, and settings are not shared between workspaces.
- Secure development: We follow secure development practices including code review and dependency management.
8. Data Subject Rights
The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
The Service provides the Controller with tools to view, export, and delete testimonials and associated Personal Data directly through the dashboard. If the Processor receives a request directly from a Data Subject, we will promptly redirect the request to the Controller, unless legally required to respond directly.
9. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach, via the email address associated with the Controller's account
- Provide the Controller with sufficient information to allow the Controller to meet its obligations to report the breach to the relevant supervisory authority, including: a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach
- Take reasonable steps to mitigate the effects of the Data Breach and cooperate with the Controller in investigating and remediating the breach
10. International Data Transfers
The Processor is located in the United States, and Personal Data will be processed and stored primarily in the United States. Where Personal Data originating from the EEA or UK is transferred to the United States or other countries without an adequacy decision, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the transfer mechanism.
For the purposes of the SCCs:
- Module Two (Controller to Processor) applies where you are the Controller and we are the Processor
- The Controller acts as the "data exporter" and the Processor acts as the "data importer"
- The governing law of the SCCs shall be the law of the EU Member State in which the data exporter is established
- Disputes shall be resolved before the courts of the EU Member State in which the data exporter is established
For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner) applies.
You may request a copy of the applicable SCCs by contacting us at hello@loveboard.io.
11. Audits
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon the Controller's written request (no more than once per year, unless a Data Breach has occurred or a supervisory authority requires it), the Processor will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.
The Controller shall bear the costs of any audit it initiates. The Processor may provide a summary of relevant third-party audit reports or certifications as an alternative to an on-site audit where appropriate.
12. Data Deletion and Return
Upon termination of the Agreement, or upon the Controller's written request, the Processor will:
- Provide the Controller with a reasonable opportunity (at least 30 days) to export their data through the Service's export functionality
- Delete all Personal Data processed on behalf of the Controller within 30 days after the end of the export period, including all copies, unless applicable law requires further retention
- Permanently remove associated media files (including video and image testimonials) from storage within 30 days of deletion
- Upon request, provide written confirmation that the deletion has been completed
Where the Processor is required by applicable law to retain any Personal Data, the Processor will inform the Controller and will ensure that such data is processed only for the purpose required by law and remains protected in accordance with this DPA.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is not permitted by law.
14. Term
This DPA takes effect when you accept the Agreement and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. The obligations in this DPA survive termination of the Agreement to the extent necessary to complete the processing, deletion, or return of Personal Data.
15. Changes to This DPA
We may update this DPA from time to time to reflect changes in our processing activities, Sub-Processors, or applicable law. We will notify you of material changes by posting the updated DPA on this page, updating the "Last updated" date, and notifying you via email at least 14 days before the changes take effect.
16. Contact Us
If you have any questions about this Data Processing Agreement, please contact us at hello@loveboard.io or by mail at:
Better Version, Inc.
28 Geary Street, STE 650 Suite #228
San Francisco, CA 94108
United States