Boast Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements and forms part of the Boast Customer Agreement (the “Agreement“) between Customer and Boast as identified in the applicable Order Form. This DPA will remain in effect for the duration of the Agreement (the “Term“). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement, including its Appendix A (Definitions). If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control with respect to the Processing of Personal Data.

  1. Subject Matter and Duration
    1. Subject Matter
      This DPA reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Data that constitutes Personal Data in connection with Boast’s performance of its obligations under the Agreement.
    2. Duration and Survival
      This DPA will become legally binding upon the Effective Date of the Agreement. Boast will Process Customer Data that constitutes Personal Data until the expiration or termination of the Agreement Term. Boast’s obligations and Customer’s rights under this DPA will continue in effect so long as Boast Processes Customer Data that constitutes Personal Data.
  2. Definitions
    1. “Customer Personal Data”
      Means Customer Data that constitutes Personal Data Processed by Boast on behalf of Customer.
    2. “Data Protection Laws”
      Means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject.
    3. “Personal Data”
      Has the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws.
    4. “Process” or “Processing”
      Means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    5. “Third Party(ies)”
      Means Boast’s authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data.
  3. Data Use and Processing
    1. Processing Customer Personal Data
      Boast and its Third Parties shall Process Customer Personal Data only as specifically authorized by this DPA, the Agreement, or any applicable Order Form.
    2. Authorization to Use Third Parties
      To the extent necessary to fulfill Boast’s contractual obligations under the Agreement, Customer hereby authorizes (i) Boast to engage Third Parties, and (ii) Third Parties to engage sub-processors. The list of Boast sub-processors is available upon written request to the contact person indicated in the applicable Order Form or at [email protected].
    3. Boast and Third-Party Compliance
      Boast agrees to enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are no less protective than those provided in this DPA.
    4. Personal Data Inquiries and Requests
      Where required by Data Protection Laws, Boast agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, as applicable.). If a request is sent directly to Boast, Boast shall notify Customer without undue delay.
    5. Sale of Customer Personal Data Prohibited
      Boast shall not sell Customer Personal Data as the term “sell” is defined by applicable Data Protection Laws. Boast shall not disclose or transfer Customer Personal Data to a Third Party or other parties that would constitute “selling” as defined by applicable Data Protection Laws.
    6. Data Protection Impact Assessment and Prior Consultation
      Where required by Data Protection Laws, Boast agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by Boast requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
    7. Demonstrable Compliance
      Boast agrees to provide information that is reasonably necessary to demonstrate compliance with this DPA upon reasonable request.
    8. Information Security Program
      Boast agrees to implement commercially reasonable technical and organizational measures designed to protect Customer Personal Data consistent with Data Protection Laws and as described in the Agreement.
    9. Security Incidents
      Upon confirming the existence of a Security Incident, Boast agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
    10. Audits
      Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, not more than once annually, carry out an audit of Boast’s Processing of Customer Personal Data by having Boast complete a data protection questionnaire of reasonable length. Any such audit shall be subject to Boast’s security and confidentiality terms and guidelines.
    11. Data Deletion
      At the expiry or termination of the Agreement, Boast will, upon Customer’s request, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Boast’s data retention schedule), except where necessary to monitor compliance with surviving contractual provisions, or where Boast is required to retain copies under applicable laws or regulatory requirements, in which case Boast will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws, consistent with the Agreement.
  4. Processing Details
    • Subject Matter:The subject matter of the Processing is the Services pursuant to the Agreement.
    • Duration: The Processing will continue until the expiration or termination of the Agreement Term.
    • Categories of Data Subjects: Data subjects whose Personal Data will be Processed pursuant to the Agreement, which may include Customer’s employees, contractors, business partners, and other individuals whose Personal Data is contained within Customer Data.
    • Nature and Purpose of the Processing: The purpose of the Processing of Customer Personal Data by Boast is the performance of the Services as described in the Agreement and applicable Order Forms.
    • Types of Customer Personal Data: Customer Personal Data that is Processed pursuant to the Agreement, which may include contact information, employment information, financial information, and other Personal Data provided by Customer to Boast through the Platform and Services.

Version 2025.2. Last updated on December 8, 2025.