Data Processing Agreement
GDPR Article 28 Compliant
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The customer ("Customer", "you")
- Data Processor: Bomps GmbH ("Bomps", "we")
2. Subject Matter and Duration
This DPA governs the processing of personal data by Bomps on behalf of the Customer in connection with the use of Bomps services. This DPA remains in effect for the duration of the service agreement.
3. Nature and Purpose of Processing
Bomps processes personal data to:
- Provide business management services (scheduling, CRM, invoicing)
- Store and organize customer business data
- Send communications on behalf of the Customer
- Generate analytics and reports
4. Types of Personal Data
- Contact information (names, emails, phone numbers, addresses)
- Appointment and booking data
- Transaction and payment records
- Communication history
- Custom fields as defined by the Customer
5. Categories of Data Subjects
- Customer's clients and end-users
- Customer's employees and team members
- Customer's business contacts
6. Processor Obligations
Bomps shall:
- Process personal data only on documented instructions from the Customer
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Assist the Customer with GDPR compliance obligations
- Delete or return all personal data upon termination
- Make available all information necessary to demonstrate compliance
7. Sub-Processors
Bomps uses the following sub-processors. We maintain an up-to-date list and will notify the Customer before adding new sub-processors.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure | Germany (EU) |
| Stripe, Inc. | Payment processing | USA (EU SCCs) |
| Mailjet SAS | Email delivery | France (EU) |
8. International Transfers
Personal data is primarily processed within the EU. Where transfers to third countries are necessary, we ensure appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
9. Security Measures
Bomps implements the following security measures:
- Encryption at rest and in transit (AES-256, TLS 1.3)
- Access controls and authentication
- Regular security audits and penetration testing
- Incident response procedures
- Employee security training
- Physical security at data centers
- Backup and disaster recovery
10. Data Subject Rights
Bomps will assist the Customer in fulfilling data subject requests including:
- Access requests
- Rectification requests
- Erasure requests ("right to be forgotten")
- Data portability requests
- Restriction of processing
- Objection to processing
11. Data Breach Notification
Bomps will notify the Customer without undue delay (within 72 hours) after becoming aware of a personal data breach affecting Customer data.
12. Audits
Bomps will allow and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations.
13. Termination
Upon termination of services, Bomps will, at the Customer's choice:
- Return all personal data in a standard format, or
- Delete all personal data (except as required by law)
14. Contact
For DPA-related inquiries:
Email: [email protected]
Address: Bomps GmbH, Musterstraße 123, 10115 Berlin, Germany