Data Processing Agreement (DPA)

BOUM IT LLC
30 N Gould St Ste R, Sheridan, Wyoming 82801, United States
Email: legal@boum.it
Website: www.boum.it

Last updated: April 13, 2026


1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions available at www.boum.it/terms ("Terms") and applies where Boum It LLC ("Processor") processes personal data on behalf of a client ("Controller") in the course of delivering products or services subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or other applicable data protection legislation.

This DPA is incorporated by reference into the Terms. By accepting the Terms, the Controller also accepts this DPA as binding. Where the Controller requires a separately executed DPA, it may request one by contacting legal@boum.it.

In the event of conflict between this DPA and the Terms, this DPA prevails with respect to data protection matters only.

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined under applicable data protection law
  • "Processing" — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
  • "Controller" — the party that determines the purposes and means of Processing (the Client)
  • "Processor" — the party that Processes Personal Data on behalf of the Controller (Boum It LLC)
  • "Sub-processor" — any third party engaged by the Processor to Process Personal Data
  • "Data Subject" — the individual to whom Personal Data relates
  • "Security Incident" — any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data

3. Roles of the Parties

3.1 Controller Responsibilities

The Controller is solely responsible for:

  • Determining the lawful basis for Processing under applicable law
  • Ensuring that Personal Data provided to Boum It LLC is accurate, lawfully collected, and may be lawfully processed
  • Responding to Data Subject requests where the Controller is the point of contact
  • Providing appropriate notices to Data Subjects regarding the Processing

3.2 Processor Responsibilities

Boum It LLC, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
  • Inform the Controller if it believes an instruction infringes applicable data protection law
  • Ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations
  • Assist the Controller in meeting its obligations regarding Data Subject rights, security, and breach notification, to the extent reasonably possible given the nature of the Processing

4. Nature and Purpose of Processing

4.1 General

Boum It LLC may process Personal Data in connection with:

  • Delivery of software products and SaaS services
  • Consulting, implementation, development, and technical support engagements
  • Remote or on-site access to Client systems (e.g. ERP, CRM, databases) as necessary to perform contracted services
  • Project management and operational coordination

4.2 Categories of Personal Data

Depending on the engagement, Personal Data processed may include:

  • Contact information (name, email, phone, job title)
  • Professional and organizational data (company name, role, department)
  • System and application data (user accounts, access logs, configuration data)
  • Operational data (transactions, records, communications) as contained in Client systems accessed during service delivery

4.3 Categories of Data Subjects

  • Client employees, contractors, and representatives
  • End users of Client's systems or applications
  • Third parties whose data is contained in Client systems accessed during service delivery

4.4 Duration

Processing continues for the duration of the applicable engagement or subscription. Upon termination, Section 9 (Retention and Deletion) applies.

5. Processing Instructions

Boum It LLC shall process Personal Data solely:

  • As necessary to deliver the contracted products or services
  • In accordance with the Controller's documented instructions as set out in the applicable Order Form, Statement of Work, or written agreement
  • As required by applicable law, in which case Boum It LLC shall inform the Controller unless prohibited by law

The Controller acknowledges that engaging Boum It LLC to deliver a specific scope of services constitutes documented processing instructions for the purposes of this DPA.

6. Sub-processors

6.1 Authorized Sub-processors

The Controller provides general authorization for Boum It LLC to engage the following categories of sub-processors:

Sub-processor     | Purpose                                                            | Location
------------------|--------------------------------------------------------------------|------------------------
Stripe, Inc.      | Payment processing                                                 | United States
Supabase          | Database infrastructure                                            | United States
Cloudflare, Inc.  | API infrastructure, CDN                                            | United States
Google LLC        | Authentication, communication (Google Meet/Hangouts), productivity | United States
Notion Labs, Inc. | Project management and documentation                               | United States
Odoo S.A.         | ERP platform (where used in delivery)                              | Belgium / United States

6.2 Changes to Sub-processors

Boum It LLC shall inform the Controller of any intended addition or replacement of sub-processors by updating the sub-processor list at www.boum.it/dpa and providing at least 14 days' notice via email or website notice. If the Controller objects to a new sub-processor on reasonable data protection grounds, it must notify Boum It LLC in writing within 14 days. The parties shall seek to resolve the objection in good faith. If unresolved, the Controller may terminate the affected service with written notice, without penalty.

6.3 Sub-processor Obligations

Boum It LLC shall impose data protection obligations on sub-processors equivalent to those in this DPA and shall remain liable to the Controller for the performance of sub-processors' obligations.

7. Security

7.1 Technical and Organizational Measures

Boum It LLC implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, including:

  • HTTPS/TLS encryption for all data in transit
  • Access controls on a need-to-know basis
  • Authentication via cryptographically signed tokens
  • No storage of passwords or payment credentials
  • Use of reputable cloud infrastructure providers (see Section 6.1) that maintain their own security certifications
  • Regular review of access rights

Boum It LLC does not hold ISO 27001, SOC 2, or equivalent certifications. Security measures are implemented in accordance with industry best practices appropriate to the nature and scale of the Processing and the risks involved.

7.2 Acknowledgment

The Controller acknowledges that no security measure can guarantee absolute protection, and that the measures described herein are appropriate to the risk level associated with the Processing activities covered by this DPA.

8. Security Incidents

8.1 Notification

In the event that Boum It LLC becomes aware of a Security Incident affecting Personal Data processed on behalf of the Controller, Boum It LLC shall notify the Controller without undue delay and within 72 hours of becoming aware, to the extent reasonably practicable.

8.2 Content of Notification

Notification shall include, to the extent known at the time:

  • A description of the nature of the Security Incident
  • The categories and approximate number of Data Subjects and records affected
  • The likely consequences of the Security Incident
  • Measures taken or proposed to address the incident

Information may be provided in phases as it becomes available.

8.3 Controller Responsibility

The Controller is solely responsible for notifying supervisory authorities and Data Subjects as required under applicable law. Boum It LLC shall provide reasonable assistance to the Controller in meeting these obligations.

9. Data Retention and Deletion

9.1 During Engagement

Boum It LLC retains access to and copies of Personal Data for the duration of the engagement as necessary to deliver the contracted services and maintain project continuity.

9.2 Post-Engagement

Following termination or expiry of an engagement:

  • Boum It LLC shall retain working copies of Personal Data for a period of up to 12 months for backup, dispute resolution, and project continuity purposes
  • After this period, Personal Data shall be deleted or anonymized unless retention is required by applicable law

9.3 Deletion on Request

The Controller may request deletion of Personal Data at any time by written notice to legal@boum.it. Boum It LLC shall action such requests within 30 days, except where retention is required by applicable law or legitimate business necessity (e.g. invoice records, legal claims).

9.4 Confirmation

Upon request, Boum It LLC shall provide written confirmation that deletion has been completed.

10. Data Subject Rights

Where Boum It LLC receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, Boum It LLC shall:

  • Promptly forward the request to the Controller
  • Not respond to the request directly unless authorized by the Controller or required by law
  • Provide reasonable assistance to the Controller in responding, given the nature of the Processing

The Controller is responsible for responding to Data Subject requests within the timeframes required by applicable law.

11. Data Protection Impact Assessments

Where required by applicable law, Boum It LLC shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) relating to Processing activities performed by Boum It LLC, taking into account the nature of the Processing and the information available to Boum It LLC.

12. Audit Rights

12.1 Information Requests

The Controller may request information demonstrating Boum It LLC's compliance with this DPA by submitting a written questionnaire to legal@boum.it. Boum It LLC shall respond within 30 days.

12.2 Limitation on On-Site Audits

Given the nature and scale of Boum It LLC's operations as a small business, on-site audits are not offered as a standard right under this DPA. The Controller acknowledges that information provided in response to written questionnaires constitutes a reasonable and proportionate audit mechanism.

Where a Controller requires additional assurance, the parties may agree in writing on a specific audit scope, format, and cost allocation. Any such audit shall be conducted at the Controller's expense, with at least 30 days' advance notice, no more than once per calendar year, and in a manner that does not unreasonably disrupt Boum It LLC's operations.

13. International Data Transfers

13.1 Transfers by Boum It LLC

Where Boum It LLC transfers Personal Data to sub-processors located outside the EEA or UK, it shall ensure that appropriate transfer mechanisms are in place, such as:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • Adequacy decisions where available

13.2 Transfers by Controller

Where the Controller transfers Personal Data to Boum It LLC from the EEA, UK, or Switzerland, the parties acknowledge that such transfer is subject to applicable transfer requirements. The standard DPA at www.boum.it/dpa, incorporating the relevant SCCs by reference, constitutes the transfer mechanism for such transfers.

13.3 Standard Contractual Clauses

To the extent that Processing under this DPA involves the transfer of Personal Data from the EEA to a third country without an adequacy decision, the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by European Commission Decision 2021/914 are hereby incorporated by reference and form part of this DPA. In the event of conflict between the SCCs and this DPA, the SCCs prevail.

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms (Section 12). To the extent that applicable data protection law imposes liability that cannot be contractually limited, such mandatory provisions shall prevail.

15. Term and Termination

This DPA remains in effect for as long as Boum It LLC processes Personal Data on behalf of the Controller. It terminates automatically upon the expiry or termination of all applicable engagements, subject to the survival of Sections 8, 9, 13, and 14.

16. Governing Law

This DPA is governed by the same law as the Terms (Wyoming, United States), subject to mandatory provisions of the GDPR or UK GDPR where applicable to EU/UK Data Subjects.

17. Updates

Boum It LLC may update this DPA from time to time to reflect changes in applicable law or sub-processors. Material changes will be communicated with at least 14 days' notice. Continued use of Boum It LLC products or services following notice constitutes acceptance of the updated DPA.

18. Contact

Boum It LLC
30 N Gould St Ste R
Sheridan, Wyoming 82801
United States

Email: legal@boum.it
Website: www.boum.it

EIN: pending — will be updated upon issuance.