This Data Processing Agreement (the “DPA”) supplements our Terms of Service and applies whenever Boyevi SAS (“Boyevi”, “Processor”) processes personal data on behalf of a Customer (“Controller”) using the Service. It reflects the requirements of Article 28 GDPR.
For Customers on a Business or Enterprise plan, this DPA can be countersigned upon request by emailing legal@boyevi.com.
1. Subject matter & duration
The Processor processes personal data submitted by the Controller to provide the Service described in the Terms of Service. The duration corresponds to the term of the Customer’s subscription.
2. Nature & purpose of processing
The processing consists of hosting, storing, organizing, structuring, analyzing (including via large language models), and displaying the Customer Data necessary to deliver editorial reports and related features.
3. Categories of data subjects & data
Data subjects may include the Controller’s customers, prospects, employees, contractors, or any individual identified in the data the Controller submits.
Personal data categories typically processed:
- Identifying data (names, email addresses, customer IDs)
- Contact data (phone, address)
- Transaction or behavioral data (purchases, sessions, events)
- Any other personal data the Controller chooses to connect to the Service
The Controller is responsible for not submitting special categories of personal data (Article 9 GDPR — health, biometrics, religion, etc.) unless explicitly agreed in writing with the Processor.
4. Obligations of the Processor
The Processor undertakes to:
- Process personal data only on the Controller’s documented instructions, including via the Service’s configuration.
- Ensure that authorized personnel are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Annex B).
- Assist the Controller in fulfilling its obligations regarding data subject rights, security, and DPIAs.
- Notify the Controller without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach affecting the Customer Data.
- At the Controller’s choice, delete or return the personal data after the end of the provision of services.
- Make available all information necessary to demonstrate compliance, and allow for audits as described in section 8.
5. Subprocessors
The Controller authorizes the Processor to engage subprocessors listed at /legal/subprocessors. The Processor will give the Controller at least 30 days’ prior notice of new subprocessors. The Controller may object on reasonable grounds; if no commercial resolution is reached, the Controller may terminate the affected services.
The Processor remains liable for the acts and omissions of its subprocessors as for its own.
6. International transfers
When the Processor transfers personal data outside the European Economic Area, it relies on the Standard Contractual Clauses (Module 3 — processor to processor) adopted by the European Commission, supplemented by the technical and organizational measures detailed in Annex B.
7. Data subject rights
The Processor will provide the Controller with reasonable assistance (taking into account the nature of the processing) to respond to data subject requests for access, rectification, erasure, restriction, portability, or objection.
The Service includes self-serve features that allow Controllers and data subjects to exercise these rights directly (e.g. data export and account deletion from the user interface).
8. Audits
The Processor will provide the Controller with reasonable information necessary to demonstrate compliance with this DPA, including third-party audit reports where available (e.g. SOC 2, ISO 27001 — to be obtained progressively).
The Controller may, no more than once per year and at its own cost, request an on-site audit subject to reasonable notice and confidentiality obligations.
9. Termination & data return
Upon termination of the Service, the Processor will, at the Controller’s choice, delete or return all Customer Data within 30 days, unless retention is required by applicable law.
10. Annex A — Description of processing
As described in section 2 (Nature) and section 3 (Categories). The Service-specific configuration (data sources connected, glossary settings, scheduled analyses) constitutes additional documented instructions from the Controller.
11. Annex B — Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strict access control with role-based permissions and audit logs.
- Multi-factor authentication for administrative access.
- Network segmentation, firewalls, and intrusion detection.
- Daily encrypted backups with off-site retention.
- Regular dependency updates and vulnerability scanning.
- Incident response plan with 48-hour breach notification commitment.
- Personnel security: background checks, confidentiality agreements, security training.
- Pseudonymization where feasible, especially for non-production environments.
12. Contact
For DPA enquiries: privacy@boyevi.com.
Document version v1.0 — provisional and subject to revision. Any material change will be communicated by email at least 30 days before taking effect.