Data Processing Addendum (DPA)
Last updated: January 29th, 2026.
This Data Processing Addendum ("DPA") forms part of the Terms of Service or Master Services Agreement (the "Agreement") between Better Auth, Inc. ("Processor," "we," "us," or "our") and the customer entity that is party to the Agreement ("Controller" or "Customer").
This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the Services.
1. Definitions
- "Applicable Data Protection Law" means all applicable privacy and data protection laws, including (where applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), UK GDPR, and the California Consumer Privacy Act as amended ("CCPA/CPRA").
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
- "Processing" has the meaning set forth under Applicable Data Protection Law.
- "Subprocessor" means any third party engaged by Processor to process Personal Data.
2. Roles of the Parties
The parties acknowledge and agree that:
- Controller is the data controller (or business, as defined under CCPA/CPRA).
- Processor is the data processor (or service provider).
- Processor processes Personal Data solely on behalf of Controller.
- Processor does not determine the purposes or means of processing Personal Data except as necessary to provide the Services.
3. Scope and Nature of Processing
3.1 Subject Matter
Authentication, identity management, authorization, and related services.
3.2 Duration
For the term of the Agreement and until deletion or return of Personal Data in accordance with Section 10.
3.3 Nature and Purpose
Processing necessary to:
- Authenticate End Users
- Provide account security
- Generate authentication logs
- Prevent fraud and abuse
- Maintain service integrity
3.4 Categories of Data Subjects
- Customer personnel
- End Users of Customer applications
3.5 Categories of Personal Data
May include:
- Identifiers (e.g. name, email, username, user ID)
- Authentication credentials (e.g. hashed passwords, MFA data)
- Login metadata (e.g. IP address, device info)
- Security logs
Sensitive personal data is not required for the Services unless configured by Customer.
4. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller.
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Personal Data, including encryption in transit, access controls, and monitoring.
- Notify Controller without undue delay upon becoming aware of a Personal Data Breach.
- Assist Controller, taking into account the nature of processing, in responding to data subject requests.
- Assist Controller in meeting obligations related to security, breach notification, impact assessments, and regulatory consultations, where applicable.
5. Subprocessors
Processor may engage Subprocessors to provide the Services.
Processor shall:
- Maintain a list of Subprocessors available upon request.
- Impose data protection obligations on Subprocessors consistent with this DPA.
- Remain responsible for Subprocessor performance.
Controller may object to a new Subprocessor on reasonable data protection grounds within 10 days of notice.
6. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Processor shall ensure appropriate safeguards are in place, including the Standard Contractual Clauses set forth in Exhibit A.
7. Security Measures
Processor maintains an information security program that includes:
- Encryption of data in transit
- Logical access controls
- Multi-factor authentication for administrative access
- Security monitoring and logging
- Secure software development practices
8. Audit Rights
Upon reasonable written notice, Controller may request documentation demonstrating Processor's compliance with this DPA, including third-party audit reports (e.g., SOC 2). On-site audits shall be limited to once annually and subject to reasonable confidentiality and security restrictions.
9. CCPA/CPRA Terms
Processor shall:
- Not sell or share Personal Data.
- Not retain, use, or disclose Personal Data outside the direct business relationship.
- Comply with applicable obligations of a service provider under CCPA/CPRA.
10. Return and Deletion
Upon termination of the Agreement, Processor shall delete or return Personal Data, unless retention is required by law.
11. Liability
Liability under this DPA is subject to the limitations of liability set forth in the Agreement.
Exhibit A – Standard Contractual Clauses (SCCs)
For transfers of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to countries not recognized as providing an adequate level of data protection, the parties agree as follows:
- The Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs") are hereby incorporated by reference.
- Module Two (Controller to Processor) applies where Controller acts as controller and Processor acts as processor.
- Module Three (Processor to Processor) applies where relevant.
- In Clause 7, the optional docking clause applies.
- In Clause 9, Option 2 applies and the time period for prior notice of Subprocessor changes shall be as set forth in Section 5 of this DPA.
- In Clause 11, the optional language does not apply.
- In Clause 17, the governing law shall be Ireland (or another EU Member State agreed by the parties).
- In Clause 18(b), disputes shall be resolved in the courts of Ireland.
- Annex I and Annex II to the EU SCCs shall be deemed completed with the information set forth in this DPA, including:
  - Description of transfer: Authentication and identity services
  - Categories of data subjects and data: As described in Section 3
  - Technical and organizational measures: As described in Section 7
- For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference.
The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
By using the Services, the parties agree to this DPA.