Data Processing Addendum

This Data Processing Addendum applies when Boo processes personal data on behalf of Customer through the Services. It is part of the Master Subscription Agreement and Terms of Service.

Roles

Customer is the controller or business for Customer Personal Data. Boo is the processor or service provider for Customer Personal Data, except where Boo acts as an independent controller for account administration, billing, security, legal compliance, and business operations.

Customer Personal Data

Customer Personal Data means personal data included in Customer Data and processed by Boo on behalf of Customer.

Processing instructions

Boo will process Customer Personal Data only on Customer's documented instructions, including this Data Processing Addendum, the Agreement, Order Forms, Customer settings, Authorized User instructions, and applicable law.

Details of processing

The subject matter is the provision of Boo. The duration is the term of the Agreement plus any retention period. The nature and purpose include providing agentic AI services, retrieving information, generating outputs, running workflows, maintaining private workspace memory, indexing, billing, security, support, troubleshooting, and related operations.

Categories of data subjects

Data subjects may include Authorized Users, employees, contractors, customers, prospects, vendors, job candidates, support contacts, event participants, website visitors, and other individuals whose data appears in systems connected by Customer.

Categories of personal data

Personal data may include identifiers, contact information, account information, communications, documents, messages, support tickets, calendar data, email data, employment information, customer records, technical data, usage data, code authorship data, and other data connected or submitted by Customer.

Sensitive data

Customer is responsible for deciding whether to connect sensitive data to Boo and for ensuring that Customer has a lawful basis and appropriate controls. Boo will process sensitive data only as part of Customer Personal Data and Customer's instructions.

Confidentiality

Boo will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.

Security measures

Boo will implement administrative, technical, and physical safeguards designed to protect Customer Personal Data as described in the Security Addendum.

Subprocessors

Customer authorizes Boo to use subprocessors and model providers to provide the Services. Boo will enter into written agreements with subprocessors that require protection of Customer Personal Data at a level consistent with this Data Processing Addendum and applicable law.

Subprocessor notice and objections

Boo will make information about subprocessors available through the Subprocessor and Model Provider Policy. Customer may object to a new subprocessor as described in that policy or the applicable Order Form. If the parties cannot resolve an objection, Customer may stop using the affected feature or terminate the affected Order Form where required by law, the Agreement, or the Order Form.

Model providers

Model providers may process Customer Personal Data for inference and related services. Boo will require model providers used for Customer Data to agree not to use Customer Personal Data to train their models unless Customer gives Explicit Approval, including through a Customer-Approved Provider Setting that is off by default.

International transfers

If Customer Personal Data is transferred internationally and transfer safeguards are required, the parties will use appropriate transfer mechanisms, which may include standard contractual clauses, the UK international data transfer addendum, the UK international data transfer agreement, a data privacy framework, or another lawful mechanism, as applicable.

Data subject requests

Boo will provide reasonable assistance to Customer in responding to data subject requests, taking into account the nature of the Services and information available to Boo.

Government and legal requests

If Boo receives a legal request for Customer Personal Data, Boo will notify Customer unless prohibited by law. Boo will use reasonable efforts to redirect the request to Customer when appropriate.

Security incidents

Boo will notify Customer without undue delay after confirming a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, and within any shorter period required by applicable law or an Order Form. Boo will provide information reasonably available to help Customer meet its legal obligations.

Assistance

Boo will provide reasonable assistance for security, data protection impact assessments, prior consultations, and compliance obligations where required by law and taking into account the nature of processing.

Deletion and return

Upon termination or Customer request, Boo will delete or return Customer Personal Data as required by the Agreement, Customer settings, and applicable law. Boo may retain copies in backups, logs, billing records, security records, and legal archives for limited periods where permitted by law. Backup copies will be deleted or overwritten in the ordinary course of backup rotation.

Audits

Boo will make available information reasonably necessary to demonstrate compliance with this Data Processing Addendum. Where required by law and subject to reasonable confidentiality and security restrictions, Boo will allow audits by Customer or an independent auditor no more than once per year unless a security incident or regulator requires otherwise. Customer will not access systems, data, or information of other Boo customers during an audit.

United States state privacy laws

Boo will process Customer Personal Data as a service provider or processor under applicable United States state privacy laws. Boo will not sell Customer Personal Data or share it for cross-context behavioral advertising. Boo will not retain, use, or disclose Customer Personal Data outside the business purposes of providing the Services except as permitted by law, the Agreement, or Customer's documented instructions.

HIPAA and regulated data

Boo is not a business associate under HIPAA and is not intended for protected health information unless Boo signs a business associate agreement. Customer must not submit protected health information, payment card data subject to PCI DSS, government classified information, export-controlled technical data, or other regulated data requiring special contractual terms unless the parties have signed the required Order Form, addendum, or agreement.

Conflict

If this Data Processing Addendum conflicts with the Agreement on privacy or data protection matters, this Data Processing Addendum controls for those matters.

Annex A. Processing details

Subject matter is the provision of Boo agentic AI services. Duration is the term plus retention periods. Nature and purpose are described in section 4. Data subjects are described in section 5. Personal data categories are described in section 6. Sensitive data categories depend on Customer's connected systems and instructions.

Annex B. Technical and organizational measures

Measures include encryption in transit, encryption at rest, access control, least privilege, credential protection, logging, monitoring, vulnerability management, incident response, secure development practices, vendor management, backups, business continuity, and personnel confidentiality. The Security Addendum describes these measures in more detail.