Data Processing Addendum (DPA)
Boss — a product of ARWIC
This Data Processing Addendum ("DPA") supplements the Terms of Service between [LEGAL ENTITY NAME] ("ARWIC," "Processor") and the customer ("Customer," "Controller") and applies where ARWIC processes Personal Data on Customer's behalf.
1. Definitions
"Personal Data," "Controller," "Processor," "Processing," and "Data Subject" have the meanings given under applicable Data Protection Laws. "Data Protection Laws" means privacy and data-protection laws applicable to the processing, including the EU/UK GDPR and U.S. state privacy laws (e.g., CCPA/CPRA). "Customer Personal Data" means Personal Data within the Customer Data that ARWIC processes on Customer's behalf to provide the Service.
2. Roles
For Customer Personal Data, Customer is the Controller (or, under CCPA, the "business") and ARWIC is the Processor (or "service provider"). ARWIC processes Customer Personal Data only to provide the Service and on Customer's documented instructions (which include the Terms, this DPA, and Customer's use of the Service). ARWIC's processing of account/billing/usage data as a controller is governed by the Privacy Policy.
3. ARWIC's obligations
ARWIC will:
- Instructions. Process Customer Personal Data only on Customer's documented instructions and for the purposes of providing the Service, and inform Customer if it believes an instruction violates Data Protection Laws.
- No sale / no secondary use. Not sell or share Customer Personal Data, and not retain, use, or disclose it for any purpose other than providing the Service or as permitted by law (a CCPA "service provider" commitment).
- Confidentiality. Ensure personnel authorized to process Customer Personal Data are bound by confidentiality.
- Security. Implement and maintain appropriate technical and organizational measures (Exhibit B).
- Assistance. Assist Customer with (a) responding to Data Subject requests and (b) security, breach notification and, where applicable, data-protection impact assessments, taking into account the nature of the processing and the information available to ARWIC.
- Breach notice. Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, with available details.
- Deletion/return. On termination, delete or return Customer Personal Data per the Terms (30-day post-termination window), except where retention is legally required.
- Records / audits. Make available information reasonably necessary to demonstrate compliance and allow for audits (which may be satisfied by third-party reports or a written questionnaire), subject to reasonable confidentiality and frequency limits.
4. Sub-processors
Customer authorizes ARWIC to engage sub-processors to provide the Service. ARWIC will (a) impose data-protection obligations on each sub-processor substantially as protective as this DPA, (b) remain responsible for its sub-processors' performance, and (c) maintain the list below and give Customer a reasonable mechanism to learn of changes and object to new sub-processors on reasonable data-protection grounds.
Current sub-processors (verify and keep current):
| Sub-processor | Purpose | Data location |
|---|---|---|
| Stripe, Inc. | Payment processing (Stripe Connect) | United States |
| Twilio Inc. | Outbound text messaging (SMS) and telephony | United States |
| Resend, Inc. | Outbound email delivery | United States |
| Anthropic, PBC | AI assistant features | United States |
| Deepgram, Inc. | Voice-to-text transcription of call audio | United States |
| Google LLC (Google Maps Platform) | Address geocoding and mapping | United States |
| DigitalOcean, LLC | Cloud hosting, infrastructure, and backup storage | United States |
| Functional Software, Inc. (Sentry) | Error monitoring / diagnostics | United States |
5. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree the applicable Standard Contractual Clauses (to be attached as Exhibit A by counsel) apply and are incorporated by reference, with the parties' details completed in the Terms.
6. Customer obligations
Customer represents that it has provided all required notices and obtained all rights and consents necessary for ARWIC to process Customer Personal Data as contemplated, and that Customer's instructions comply with Data Protection Laws.
7. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms (Section 13), to the extent permitted by Data Protection Laws.
8. Order of precedence
If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls.
Exhibit A — Standard Contractual Clauses
[To be attached by counsel where EU/UK/Swiss transfers occur.]
Exhibit B — Technical and Organizational Security Measures
ARWIC maintains the following measures, kept aligned with the Service's actual implementation:
- Encryption in transit. All traffic to the Service is served over TLS (HTTPS).
- Encryption at rest. Stored data resides on infrastructure encrypted at rest by our cloud hosting provider.
- Per-tenant logical isolation at the database layer. Each customer's data is held in a dedicated database schema, and access is enforced by three independent controls: an application data layer that refuses to run any query outside an authenticated tenant context; database row-level security keyed to the active tenant, so a query scoped to one tenant cannot read or write another tenant's rows; and a restricted read-only database role used for automated and AI-assisted queries, which cannot modify data.
- Network isolation and least privilege. Database and cache services are not exposed to the public internet and are reachable only on a private internal network; administrative access is limited, and credentials are scoped to the minimum privileges necessary.
- Logging and monitoring. Sensitive and administrative actions are recorded to an append-only audit log; application errors are captured by a monitoring service.
- Backups. Automated backups are taken on a regular schedule, stored off the primary host, and retained for a defined period to support recovery.
- Incident response. ARWIC maintains a documented incident-response runbook covering detection, containment, secret rotation, and recovery.
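The following is an added illustration of the database-layer controls described under "Per-tenant logical isolation" above (tenant-keyed row-level security plus a read-only role for automated and AI-assisted queries). It is not ARWIC's code or schema: it assumes PostgreSQL, and the schema, table, role and setting names (tenant_acme, jobs, app.tenant_id, app_rw, ai_readonly) are constructed for the example.

```sql
-- Added example, not ARWIC's own code. PostgreSQL is assumed; all names
-- below are constructed for illustration.

-- One schema per customer, as Exhibit B describes. The jobs table is a
-- constructed stand-in for whatever the Service actually stores.
CREATE SCHEMA tenant_acme;
CREATE TABLE tenant_acme.jobs (
    id        bigserial PRIMARY KEY,
    tenant_id text NOT NULL,
    customer  text NOT NULL,
    notes     text
);

-- Row-level security keyed to the active tenant. The application sets
-- app.tenant_id after authenticating the request. When the setting is
-- absent (NULL) or empty, the comparison is false, so a session with no
-- tenant context sees no rows rather than all rows.
ALTER TABLE tenant_acme.jobs ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner bypasses RLS. Superusers and roles with
-- BYPASSRLS always bypass it, so application roles must have neither.
ALTER TABLE tenant_acme.jobs FORCE ROW LEVEL SECURITY;

-- FOR ALL is the default; with no WITH CHECK clause the USING expression is
-- also applied to INSERT/UPDATE, so a caller cannot write rows for another
-- tenant either.
CREATE POLICY tenant_rows ON tenant_acme.jobs
    USING (tenant_id = current_setting('app.tenant_id', true));

-- Normal request-handling role: read/write, but still subject to the policy.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT USAGE ON SCHEMA tenant_acme TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_acme.jobs TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE tenant_acme.jobs_id_seq TO app_rw;

-- Restricted read-only role for automated and AI-assisted queries:
-- SELECT only, no write privileges at all, and still filtered by the policy.
CREATE ROLE ai_readonly NOLOGIN NOBYPASSRLS;
GRANT USAGE ON SCHEMA tenant_acme TO ai_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA tenant_acme TO ai_readonly;

-- Per-request usage by the application data layer (session user must be a
-- member of the role it switches to). set_config(..., true) is
-- transaction-local, so the tenant context cannot leak to the next request
-- on a pooled connection.
--   BEGIN;
--   SET ROLE app_rw;
--   SELECT set_config('app.tenant_id', 'acme', true);
--   SELECT * FROM tenant_acme.jobs;          -- only rows where tenant_id = 'acme'
--   COMMIT;
--
-- Checks a practitioner should run after deploying the policy:
--   BEGIN;
--   SET ROLE ai_readonly;                     -- no tenant context set
--   SELECT count(*) FROM tenant_acme.jobs;    -- expect 0, not the whole table
--   INSERT INTO tenant_acme.jobs (tenant_id, customer)
--       VALUES ('acme', 'x');                 -- expect: permission denied
--   ROLLBACK;
```

The two checks at the end are the ones that matter in practice: a query issued with no tenant context must return nothing, and the read-only role must be unable to write even when a tenant context is set. Run them as the application roles, never as a superuser or the table owner, since those bypass row-level security regardless of the policy.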