Data Processing Agreement (DPA)

1. Purpose and scope

This DPA governs personal data processing carried out by BootandStrap on behalf of the customer when BootandStrap acts as Data Processor.

2. Roles

The customer acts as Data Controller and BootandStrap acts as Data Processor, except where BootandStrap processes data for its own legal or security obligations.

3. Documented instructions

BootandStrap will process personal data only under the customer's documented instructions, the main service agreement, and this DPA.

4. Security

BootandStrap applies appropriate technical and organizational measures, including access controls, encryption in transit, event logging, and backup/recovery processes.

5. Subprocessors

BootandStrap may use subprocessors required to deliver the service (e.g., hosting, transactional email, payments, or infrastructure). BootandStrap maintains an updated list and imposes equivalent data protection obligations.

6. International transfers

Where personal data is transferred outside the EEA, BootandStrap applies lawful transfer mechanisms (adequacy decisions, Standard Contractual Clauses, or other valid safeguards).

7. Security incidents

BootandStrap will notify the customer without undue delay after becoming aware of a personal data breach affecting data processed on the customer's behalf.

8. Assistance to the controller

BootandStrap will reasonably assist the customer with data subject requests, DPIAs, and regulatory inquiries as required by law and technically feasible.

9. Return or deletion

At the end of service delivery, BootandStrap will return or delete personal data unless legal retention obligations apply.

10. Audit and evidence

BootandStrap will provide reasonable information to demonstrate compliance and enable proportionate audits, subject to confidentiality and security safeguards.