BoostGood Data Processing Agreement
Effective date: 13 March 2026
Last updated: 13 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
- Controller: The organization subscribing to the BoostGood Service ("Client," "Controller," or "you")
- Processor: Except Integrated Sustainability BV, operating the BoostGood platform ("BoostGood," "Processor," "we," or "us")
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Service.
1. Definitions
1.1. "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
1.2. "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
1.3. "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.4. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.5. "Service" means the BoostGood AI agent ecosystem platform as described in the Terms of Service.
1.6. "Supervisory Authority" means the competent data protection authority, in particular the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
2. Subject Matter and Duration
2.1. Subject matter. This DPA governs the Processor's processing of Personal Data on behalf of the Controller in connection with the provision of the Service.
2.2. Duration. This DPA shall remain in effect for the duration of the Agreement, plus the 90-day data archive period following termination, plus any additional period required for the Processor to delete or return all Personal Data in accordance with this DPA.
2.3. Termination. This DPA automatically terminates when the Processor no longer processes Personal Data on behalf of the Controller.
3. Nature and Purpose of Processing
3.1. The Processor processes Personal Data solely to provide the Service to the Controller, which includes:
- (a) Hosting and operating the Controller's dedicated AI agent environment (VPS)
- (b) Authenticating and managing user accounts within the Controller's organization
- (c) Processing AI queries by transmitting prompts to third-party AI model providers and returning responses
- (d) Storing files and documents uploaded by the Controller's users
- (e) Running automated workflows configured by the Controller
- (f) Processing billing and subscription payments
- (g) Sending transactional emails (e.g., password resets, notifications)
- (h) Maintaining backups for data recovery purposes
3.2. The Processor shall not process Personal Data for any purpose other than those specified in this DPA and the Agreement, unless required to do so by EU or Dutch law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure.
4. Types of Personal Data Processed
The following types of Personal Data may be processed under this DPA:
- Names and email addresses of the Controller's users
- User account credentials (stored in hashed form)
- Content of AI chat conversations (which may contain Personal Data at the Controller's discretion)
- Files and documents uploaded to the platform (which may contain Personal Data at the Controller's discretion)
- Usage logs (timestamps, feature usage, IP addresses)
- Billing and payment information
5. Categories of Data Subjects
The data subjects whose Personal Data may be processed include:
- Employees, contractors, and agents of the Controller who are authorized users of the Service
- Any individuals whose Personal Data is contained in files, documents, or conversations uploaded or entered into the Service by the Controller's users
6. Obligations of the Processor
The Processor shall:
6.1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required by EU or Dutch law.
6.2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B.
6.4. Respect the conditions for engaging Sub-Processors as set out in Section 9.
6.5. Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III.
6.6. Assist the Controller in ensuring compliance with the obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor.
6.7. At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, in accordance with Section 12, and delete existing copies unless EU or Dutch law requires storage of the Personal Data.
6.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits and inspections as described in Section 11.
6.9. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other EU or member state data protection provisions.
7. Obligations of the Controller
The Controller shall:
7.1. Ensure that there is a lawful basis for the processing of Personal Data instructed under this DPA.
7.2. Ensure that data subjects have been provided with appropriate privacy notices in accordance with GDPR Articles 13 and 14.
7.3. Be solely responsible for the accuracy, quality, and legality of Personal Data provided to or processed through the Service.
7.4. Ensure that any Personal Data uploaded to or entered into the Service is processed in compliance with applicable data protection law.
7.5. Provide documented processing instructions to the Processor and ensure that such instructions comply with applicable law.
7.6. Be responsible for determining whether the Processor's security measures are appropriate for the nature of the Personal Data being processed.
8. Data Breach Notification
8.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
8.2. The notification shall include, to the extent available:
- (a) A description of the nature of the Data Breach, including the categories and approximate number of data subjects affected, and the categories and approximate number of Personal Data records affected
- (b) The name and contact details of the point of contact from whom more information can be obtained
- (c) A description of the likely consequences of the Data Breach
- (d) A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
8.3. Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.
8.4. The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.
8.5. The Processor's notification of a Data Breach shall not be construed as an acknowledgment of fault or liability.
9. Sub-Processors
9.1. General authorization. The Controller provides general written authorization for the Processor to engage Sub-Processors to carry out specific processing activities as described in Annex C.
9.2. Current Sub-Processors. The current list of Sub-Processors is set out in Annex C of this DPA.
9.3. Notification of changes. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least 30 days' notice before engaging a new Sub-Processor.
9.4. Right to object. If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the parties shall discuss the concerns in good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service or the Agreement in its entirety.
9.5. Sub-Processor agreements. The Processor shall impose on each Sub-Processor, by way of a written contract, the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
10. International Data Transfers
10.1. The Processor shall not transfer Personal Data outside the EEA unless appropriate safeguards are in place as required by GDPR Chapter V.
10.2. For transfers to Sub-Processors outside the EEA, the following safeguards apply:
- (a) United States (Anthropic, OpenAI, Stripe): EU-U.S. Data Privacy Framework certification or Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Decision 2021/914
- (b) China (DeepSeek): Standard Contractual Clauses (SCCs), supplemented by a transfer impact assessment
10.3. The Processor has conducted transfer impact assessments for transfers to countries not covered by an adequacy decision. The Controller may request a copy of the relevant assessment.
10.4. Controller's choice regarding AI models. The Controller acknowledges that certain AI model providers are located outside the EEA. The Controller can control which AI models are used by its users, thereby controlling which cross-border transfers occur. The use of any particular AI model is optional.
11. Audit Rights
11.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
11.2. The Controller (or a mandated independent third-party auditor bound by confidentiality obligations) may conduct an audit of the Processor's processing activities, subject to the following conditions:
- (a) The Controller shall provide at least 30 days' written notice of an audit request
- (b) Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- (c) The Controller shall bear the costs of the audit
- (d) Audits shall be limited to once per 12-month period, unless a Data Breach has occurred or a Supervisory Authority requires an additional audit
- (e) The auditor must execute a confidentiality agreement before accessing any Processor facilities or documentation
11.3. If an audit reveals non-compliance with this DPA, the Processor shall promptly take corrective action at its own expense and inform the Controller of the measures taken.
11.4. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other evidence of compliance, where available.
12. Data Deletion and Return
12.1. Upon termination of the Agreement, the Processor shall:
- (a) Continue to store the Controller's Personal Data in an archived state for 90 days to allow the Controller to request data export
- (b) Upon request from the Controller during the 90-day archive period, export and return all Personal Data in a structured, commonly used, and machine-readable format
- (c) After the 90-day archive period, permanently delete all Personal Data from its systems, including all copies and backups, within 30 days
12.2. Exceptions to deletion. The Processor may retain:
- (a) Billing records for 7 years from the transaction date, as required by Dutch tax law, with personal identifiers minimized to the extent possible
- (b) Any Personal Data that the Processor is required to retain by EU or Dutch law
12.3. The Processor shall provide written confirmation of deletion upon request from the Controller.
13. Liability
13.1. Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.
13.2. Both parties acknowledge their respective obligations under GDPR Article 82 regarding the right of data subjects to compensation for damage suffered as a result of a GDPR infringement.
Annex A: Description of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of AI agent ecosystem platform services |
| Duration | Duration of the subscription agreement plus 90-day archive period |
| Nature of processing | Collection, storage, retrieval, transmission, deletion |
| Purpose of processing | Operating the Service: user authentication, AI query processing, file storage, workflow automation, billing, email notifications, backups |
| Categories of data subjects | Employees, contractors, and agents of the Controller; individuals whose data is contained in content uploaded by the Controller |
| Types of Personal Data | Names, email addresses, account credentials (hashed), chat conversation content, uploaded documents and files, usage logs, IP addresses, billing information |
| Sensitive data | None processed intentionally; the Controller is responsible for ensuring that any special category data uploaded complies with GDPR Article 9 |
Annex B: Technical and Organizational Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
B.1. Data Isolation
- Each Controller receives a dedicated virtual private server (VPS)
- No data is shared between client environments
- Network-level isolation between VPS instances
B.2. Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted at the filesystem level on all VPS instances
- Backups are encrypted before storage
B.3. Access Control
- Administrative access to VPS instances is restricted to authorized BoostGood personnel
- SSH key-based authentication is required for server access (password authentication is disabled)
- User authentication within the platform uses hashed passwords with industry-standard algorithms (bcrypt or equivalent)
- Role-based access control within client environments
- Principle of least privilege applied to all administrative access
B.4. Network Security
- Firewall rules restrict access to necessary ports only
- Regular security updates and patching of operating systems and software
- Monitoring for unauthorized access attempts
- DDoS mitigation through hosting provider infrastructure
B.5. Backup and Recovery
- Regular automated backups of all client data
- Backups are encrypted and stored separately from production systems
- Backup retention aligned with service requirements
- Tested recovery procedures
B.6. Incident Management
- Documented incident response procedures
- Breach notification process within 72 hours as described in Section 8
- Post-incident review and remediation
B.7. Personnel Measures
- Confidentiality obligations for all personnel with access to Personal Data
- Access granted only on a need-to-know basis
- Security awareness practices
B.8. Vendor Management
- Written data processing agreements with all Sub-Processors
- Assessment of Sub-Processor security measures before engagement
- Regular review of Sub-Processor compliance
B.9. Data Minimization
- Only data necessary for the specified purposes is processed
- AI model providers receive only conversation content; no account or billing data is shared
- Personal identifiers are minimized in retained billing records after account termination
Annex C: Sub-Processor List
The following Sub-Processors are authorized to process Personal Data on behalf of the Controller:
| Sub-Processor | Registered Location | Processing Activity | Data Processed | Transfer Safeguard |
|---|---|---|---|---|
| Anthropic PBC | United States | AI model inference (Claude) | Chat prompts and responses | EU-U.S. Data Privacy Framework / SCCs |
| OpenAI Inc. | United States | AI model inference (GPT) | Chat prompts and responses | EU-U.S. Data Privacy Framework / SCCs |
| Google LLC | United States (with EU processing) | AI model inference (Gemini) | Chat prompts and responses | EU-U.S. Data Privacy Framework / SCCs |
| Mistral AI | France (EU) | AI model inference | Chat prompts and responses | N/A (within EEA) |
| DeepSeek | China | AI model inference | Chat prompts and responses | Standard Contractual Clauses (SCCs) |
| Stripe Inc. | United States (with EU entity, Stripe Payments Europe Ltd., Ireland) | Payment processing | Billing info, payment details, transaction records | EU-U.S. Data Privacy Framework / SCCs |
| Contabo GmbH | Germany (EU) | VPS hosting infrastructure | All service data stored on the VPS | N/A (within EEA) |
| Hetzner Online GmbH | Germany (EU) | VPS hosting infrastructure | All service data stored on the VPS | N/A (within EEA) |
| Scaleway SAS | France (EU) | Transactional email delivery | Email addresses, email content | N/A (within EEA) |
Notes:
- AI model Sub-Processors only receive the content of individual conversations when a user selects the corresponding model. No account information, billing data, or other Personal Data is transmitted to AI model providers.
- The use of each AI model is optional. The Controller can restrict which models are available to its users.
- The Sub-Processor list is current as of the "Last updated" date shown at the top of this DPA. Changes will be communicated in accordance with Section 9.3.
Except Integrated Sustainability BV
hello@boostgood.eco
boostgood.eco