Data Processing Agreement
Effective date: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Boundrify Technologies Inc. ("Processor," "we," "us") and the customer ("Controller," "you") using the Boundrify Inc. Services. This DPA sets out the terms that apply when personal data is processed by us on your behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable regulations
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf
- "Data Subject" means the individual to whom the Personal Data relates
2. Scope and Purpose
This DPA applies to all Processing of Personal Data by us on your behalf in connection with the Services. The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 below.
3. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions and in accordance with applicable Data Protection Laws
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures to protect Personal Data
- Not engage any Sub-processor without your prior written consent
- Assist you in responding to Data Subject requests and ensuring compliance with your obligations under Data Protection Laws
- Delete or return all Personal Data upon termination of the Services, at your choice
- Make available to you all information necessary to demonstrate compliance with this DPA
4. Obligations of the Controller
You shall:
- Ensure that you have a lawful basis for the Processing of Personal Data
- Provide clear and documented instructions for the Processing of Personal Data
- Ensure that Data Subjects are informed about the Processing in accordance with Data Protection Laws
- Comply with your obligations under applicable Data Protection Laws
5. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Control: Role-based access controls, multi-factor authentication, and principle of least privilege
- Monitoring: Continuous security monitoring, logging, and alerting
- Incident Response: Documented incident response procedures with defined escalation paths
- Business Continuity: Regular backups, disaster recovery procedures, and redundant infrastructure
- Employee Training: Regular security and privacy awareness training for all staff
6. Sub-processors
We use the following categories of Sub-processors to deliver the Services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting and infrastructure | United States / EU |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Google Analytics | Usage analytics | United States |
We will notify you of any intended changes to Sub-processors with at least 30 days' notice, giving you the opportunity to object.
7. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide you with sufficient information to meet any obligations to report the breach to supervisory authorities or Data Subjects
- Take reasonable steps to mitigate the effects and minimize any damage resulting from the breach
- Cooperate with you and provide assistance as reasonably requested
8. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Privacy Framework certification where applicable
- Additional supplementary measures as required by applicable law
9. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. We will promptly notify you if we receive a request directly from a Data Subject and will not respond to such requests without your instructions, unless required by law.
10. Audits
We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Such audits shall be conducted with reasonable advance notice and during normal business hours, and shall not unreasonably disrupt our operations.
11. Term and Termination
This DPA shall remain in effect for as long as we process Personal Data on your behalf. Upon termination of the Services, we will, at your choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law.
Annex 1: Details of Processing
Categories of Data Subjects
- Users of the Services (freelancers, consultants, agency members)
- Clients of the users whose data is entered into the platform
Categories of Personal Data
- Contact information (name, email address)
- Business information (company name, address, industry)
- Project and contract data
- Financial information (invoice amounts, payment status)
- Usage data and technical logs
Nature and Purpose of Processing
Processing is performed to provide the Boundrify Inc. platform services, including project management, contract management, milestone tracking, invoicing, and related functionality.
Duration of Processing
Personal Data will be processed for the duration of the agreement plus any applicable retention period required by law or agreed upon with the Controller.
12. Contact Us
For questions about this DPA, please contact us at:
Boundrify Technologies Inc.
123 Innovation Drive, Suite 400
San Francisco, California 94105
[email protected]