1. Overview
This Data Processing Agreement ("DPA") describes how American BMS processes data on behalf of our customers ("Data Controllers") in connection with our battery management system products and cloud analytics platform. This DPA is incorporated into and forms part of our service agreements.
2. Definitions
- Battery Telemetry Data: Voltage, current, temperature, impedance, and other operational measurements collected from battery systems via our BMS hardware
- Customer Data: Personal information, account data, and configuration data provided by or on behalf of the customer
- Derived Analytics: Insights, predictions, and analytics generated by our AI/ML models from Battery Telemetry Data
- Processing: Any operation performed on data, including collection, storage, analysis, transmission, and deletion
3. Data Processing Purposes
American BMS processes data exclusively for the following purposes:
- Battery Telemetry: Real-time monitoring, health analytics, predictive maintenance, Digital DNA profiling; Contractual necessity
- Customer Account Data: Account management, authentication, billing, support; Contractual necessity
- Supply Chain Data: FEOC compliance verification, traceability documentation, IRA credit qualification; Contractual necessity / Legal obligation
- Usage Analytics: Platform improvement, feature development, performance optimization; Legitimate interest
- Aggregated / Anonymized: AI model training, benchmarking, industry research; Legitimate interest
4. Data Location & Sovereignty
All data processing occurs exclusively within the United States:
- Primary Data Centers: US-East and US-West regions operated by American cloud providers
- Backup & Disaster Recovery: Geographically separated US-based facilities
- Edge Processing: On-premises BMS hardware located at customer deployment sites within the US
- No International Transfer: Data is never transferred to, processed in, or accessible from systems located outside the United States
5. Data Retention
- Battery Telemetry: System lifetime + 5 years; Export available for 90 days, then deleted
- Customer Account Data: Duration of service agreement; Deleted within 30 days
- Supply Chain Records: 10 years (regulatory requirement); Retained per legal obligation
- Aggregated Analytics: Indefinite (anonymized); Retained (non-identifiable)
6. Security Measures
American BMS implements the following technical and organizational measures:
- Encryption: AES-256 at rest, TLS 1.3 in transit, end-to-end for telemetry streams
- Access Control: Role-based access, multi-factor authentication, least-privilege principle
- Network Security: Zero-trust architecture, network segmentation, intrusion detection
- Monitoring: 24/7 security operations center, automated threat detection, real-time alerting
- Auditing: Complete audit trails for all data access and modifications
- Incident Response: Documented incident response plan with 72-hour breach notification
7. Sub-Processors
American BMS uses the following categories of US-based sub-processors:
- Cloud infrastructure providers (US-based, US-operated)
- Customer support platforms (US-based)
- Payment processors (PCI-DSS compliant, US-based)
A current list of specific sub-processors is available upon request. We will notify customers 30 days before engaging any new sub-processor.
8. Customer Rights & Obligations
Customer Rights:
- Request data export in standard formats (JSON, CSV) at any time
- Request deletion of non-regulatory data
- Audit our data processing practices with reasonable notice
- Receive breach notifications within 72 hours
Customer Obligations:
- Ensure lawful basis for data collection from end users
- Maintain security of account credentials
- Promptly report suspected security incidents
- Comply with applicable privacy regulations for end-user data
9. CCPA Compliance
For California residents, American BMS acts as a "Service Provider" under the California Consumer Privacy Act. We do not sell personal information. We process data solely for the business purposes outlined in this DPA and our Privacy Policy.
10. Contact
American BMS Data Protection Team
Email: dpo@americanbms.com