
Data Processing Agreement

Last updated: April 12, 2026

Draft enterprise baseline — pending counsel review.

This DPA supplements the BossMode Terms of Service for customers subject to GDPR, UK GDPR, or similar privacy laws. The customer acts as controller of customer content submitted to BossMode, and BossMode acts as processor.

1. Subject matter and duration

Processing covers customer account data, workspace content, audit trails, artifacts, and connected-system metadata for the duration of the subscription and any agreed deletion grace period.

2. Nature and purpose of processing

BossMode processes personal data to authenticate users, execute customer instructions, enforce approvals, provide analytics, operate integrations, and preserve auditability.

3. Security measures

BossMode maintains access controls, environment-managed secrets, audit trails, approval gating, role-based access controls, and monitoring suitable for the risk profile of the service.

4. Subprocessors

Authorized subprocessors are listed on the subprocessors page. BossMode remains responsible for their performance consistent with Article 28 obligations.

5. Data subject requests and incidents

BossMode will assist the customer with access, portability, deletion, and incident notification requests to the extent required by Articles 28, 32, and 33.

6. International transfers

Where personal data is transferred internationally, BossMode will use appropriate contractual and technical safeguards.