Boord-ITS · BITSM

Data Processing Agreement

Effective Date: March 24, 2026  ·  Version 1.0 (Draft — pending attorney review)  ·  GDPR Article 28
DRAFT — Pending Attorney Review. This DPA is a working draft prepared to satisfy GDPR Article 28 requirements. It will be reviewed and finalized by qualified legal counsel before BITSM is made generally available. Customers requiring a signed DPA before onboarding should contact [email protected].

Background

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Boord-ITS ("Data Processor" or "Processor") and the Customer organization ("Data Controller" or "Controller") and governs the processing of personal data by Processor on behalf of Controller in connection with the BITSM platform.

This DPA supplements and is incorporated into the Terms of Service. In the event of conflict, this DPA takes precedence with respect to data processing matters.

1. Definitions

Terms defined in the GDPR (Regulation (EU) 2016/679) and UK GDPR have the same meaning here. Additionally:

  • "Controller" means the Customer organization that determines the purposes and means of processing personal data.
  • "Processor" means Boord-ITS, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person submitted to BITSM by or on behalf of Controller.
  • "Processing" has the meaning given in the GDPR.
  • "Sub-processor" means any third party engaged by Processor to process Personal Data.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Duration

This DPA applies to all processing of Personal Data by Processor on behalf of Controller in connection with the BITSM platform, for the duration of the Controller's subscription to the Service. Upon termination, Processor will delete or return Personal Data as described in Section 9.

3. Details of Processing

Annex I — Processing Particulars

| Element | Detail |
|---|---|
| Subject matter | IT helpdesk and support ticket management with AI-assisted processing |
| Duration | Duration of the Controller's subscription to BITSM |
| Nature and purpose | Storing, organizing, and AI-processing support tickets; managing knowledge bases; generating analytics; routing and triage via Atlas AI |
| Types of Personal Data | Names, email addresses, job roles, ticket content (which may include descriptions of technical issues, system configurations, and incidentally submitted personal information), AI conversation content, caller voice audio and phone session transcripts, phone numbers and call metadata, billing email and subscription data, usage logs, IP addresses |
| Categories of Data Subjects | Controller's employees (agents and administrators), Controller's customers and end users who submit support requests |

4. Controller Instructions

Processor will process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information.

Controller's instructions are set out in the Terms of Service and this DPA. Controller may provide additional instructions in writing. Processor will promptly inform Controller if it believes an instruction infringes the GDPR or other applicable data protection laws.

5. Processor Obligations

Processor commits to:

  1. Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
  3. Sub-processors: Not engage Sub-processors without prior general or specific written authorization of Controller. Where prior general authorization is given, Processor will inform Controller of any intended changes concerning the addition or replacement of Sub-processors, giving Controller the opportunity to object. Controller provides general authorization to the sub-processors listed in Annex II.
  4. Data subject rights: Assist Controller, by appropriate technical and organizational measures insofar as possible, to fulfill Controller's obligation to respond to requests for exercising Data Subjects' rights.
  5. Controller assistance: Assist Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and information available to Processor.
  6. Return or deletion: At Controller's choice, delete or return all Personal Data upon termination of the Service (see Section 9).
  7. Audit: Make available to Controller all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller. Processor may charge a reasonable fee for audit assistance.

6. Sub-Processors

Annex II — Approved Sub-Processors

| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic, PBC | AI inference — ticket analysis, triage, conversation | United States | SCCs / Anthropic DPA |
| OpenAI, LLC | AI inference failover | United States | SCCs / OpenAI DPA |
| Voyage AI | Text embeddings for semantic search | United States | SCCs |
| Cloudflare, Inc. | TLS termination, network tunnel, email routing | Global (distributed) | SCCs / Cloudflare DPA |
| Resend | Transactional email delivery | United States | SCCs |
| Dropbox, Inc. | Encrypted database backup storage | United States | SCCs / Dropbox DPA |
| Sentry (Functional Software, Inc.) | Error diagnostics (optional — only if configured) | United States | SCCs / Sentry DPA |
| ElevenLabs, Inc. | Voice synthesis, speech recognition, and conversational AI for phone service — processes caller voice audio, conversation transcripts, and agent system prompts | United States | SCCs / ElevenLabs DPA |
| Twilio, Inc. | Telephony, call routing, and SIP connectivity for phone service — processes phone numbers, call metadata, and SIP signaling data | United States | SCCs / Twilio DPA |
| Stripe, Inc. | Payment processing and subscription management — processes billing email, payment method tokens, subscription data, and invoice history | United States | SCCs / Stripe DPA |

SCCs = EU Standard Contractual Clauses (Commission Decision 2021/914). Sub-processor list updated as of March 2026. Controller will be notified at least 10 days before adding or replacing a Sub-processor.

6.1 BYOK Enterprise Customers

Enterprise Customers who supply their own AI API keys (BYOK) establish a direct relationship with the respective AI provider (Anthropic, OpenAI, Voyage AI). In BYOK configurations, Boord-ITS does not transmit Customer Data to these providers on Boord-ITS's accounts. The AI provider is a Controller-appointed sub-processor, not a Boord-ITS sub-processor, for BYOK customers.

7. Security Measures

Annex III — Technical and Organizational Measures

| Category | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ enforced via Cloudflare Tunnel for all client connections. HTTPS-only. No unencrypted communication with the platform. |
| Encryption at rest | Connector credentials and BYOK API keys encrypted using Fernet (AES-128-CBC with HMAC-SHA256) before database storage. Database server uses filesystem encryption. |
| Access control | Role-based access control (RBAC) with permission-level granularity enforced on all 60+ endpoints. Multi-tenant isolation enforced at the database query level (tenant_id scoping on all queries). |
| Authentication | OAuth 2.0 (Microsoft 365 / Google) with CSRF state parameter validation. HttpOnly, Secure, SameSite=Lax session cookies. Server-side session storage (Redis). |
| Network security | SSRF protection on all outbound HTTP requests to user-supplied URLs (hostname resolution, RFC 1918 blocking). Non-root Docker container execution. |
| Data backup | Daily encrypted database backups with GFS (Grandfather-Father-Son) rotation. Backup storage: encrypted Dropbox. |
| Monitoring | Structured JSON application logs. Optional Sentry error tracking. API usage logging per tenant. |
| Organizational | Access to production systems limited to Boord-ITS personnel with operational need. Infrastructure access requires SSH key authentication. |

8. Security Incident Notification

In the event of a Security Incident involving Personal Data of Controller's Data Subjects, Processor will:

  1. Notify Controller without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
  2. Provide Controller with the following information to the extent available:
    • Nature of the Security Incident (categories and approximate number of Data Subjects and records concerned)
    • Name and contact details of the data protection point of contact
    • Likely consequences of the Security Incident
    • Measures taken or proposed to address the incident and mitigate its effects
  3. Cooperate with Controller's investigation and reasonable requests.

Notification of a Security Incident by Processor does not constitute an acknowledgment of fault or liability.

Security incident reports should be sent to: [email protected]

9. Return and Deletion of Personal Data

Upon termination or expiry of the Service:

  • Processor will provide Controller a 30-day window to export Customer Data via available export features.
  • After 30 days from termination, Processor will securely delete all Personal Data (including backup copies, subject to backup rotation schedules of up to 90 days).
  • Controller may request earlier deletion by written notice to [email protected].
  • Processor will provide written confirmation of deletion upon request.
  • Processor may retain Personal Data for longer periods where required by applicable law, in which case Processor will inform Controller.

10. Data Transfers

Where processing involves transfer of Personal Data outside the European Economic Area (EEA) or United Kingdom, such transfers are made:

  • To Sub-processors under Standard Contractual Clauses (SCCs) issued by the European Commission (Decision 2021/914); or
  • Under another appropriate safeguard recognized under GDPR Chapter V.

Controller provides general authorization for transfers to Sub-processors listed in Annex II, subject to the transfer mechanisms noted therein.

11. Data Protection Impact Assessments

Where Controller determines that a Data Protection Impact Assessment (DPIA) is required under GDPR Article 35, Processor will provide reasonable assistance and relevant information about the processing activities, security measures, and sub-processor arrangements described in this DPA.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under applicable data protection law.

13. Order of Precedence

In the event of conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA takes precedence. In all other matters, the Terms of Service govern.

14. Governing Law

This DPA is governed by the same governing law as the Terms of Service, unless otherwise required by applicable data protection law (e.g., GDPR supervisory authority requirements).

15. Contact

For DPA-related inquiries, signing requests, or audit notices:

  • Email: [email protected]
  • Subject line: DPA — [Organization Name]
  • Company: Boord-ITS / BITSM

Customers requiring a countersigned DPA should contact us at the address above. We will execute countersigned DPAs upon request for all Starter tier and above Customers.