Boom Data Processing Addendum

Last updated: April 18, 2024

Data Processing Addendum

This Data Processing Addendum (“DPA”), including its appendices, is part of and incorporated by reference into Boom’s Terms of Use (“Terms”) between Boom and the Business User. It sets out the agreement on the handling of Personal Data in accordance with data protection laws. When a Business User registers, they automatically agree to this DPA and commit to handling Personal Data responsibly and in good faith.


TLDR/Table of Contents

(This TLDR section is only a summary; please read each paragraph in its entirety below to fully understand your rights and obligations.)

  1. Position of the Parties: The Business User is the data controller responsible for the Personal Data it provides to Boom, the data processor. The Business User must ensure that the data it provides to Boom is accurate and complies with data protection laws.

  2. Subcontractors: Boom may use subcontractors to process Personal Data; all subcontractors used by Boom must comply with the same data protection obligations as Boom.

  3. Security: Boom will implement appropriate security measures to protect Personal Data and will update its security practices as necessary. The Business User must independently verify that Boom’s security measures meet its specific requirements.

  4. Cooperation: Boom will inform the Business User of any requests regarding the data, and Boom will help the Business User meet its obligations under data protection laws, such as by notifying the Business User if a data breach occurs.

  5. Audits: Boom will provide all necessary information to the Business User so it may demonstrate that it is complying with its obligations.

  6. International Data Transfers: Boom will comply with any applicable data protection laws regarding international data transfers.

  7. Term: This DPA starts when a Business User registers and remains in effect as long as Boom provides services and the user remains a Business User under the Terms.

  8. Governing Law: Same as the Terms of Use.

  9. European Union: For Business Users in the European Union, GDPR applies to this DPA.

  10. United Kingdom: For Business Users in the United Kingdom, UK GDPR applies to this DPA.

  11. California: If the Business User's Personal Data involves California residents, the California Consumer Privacy Act applies.

  12. General: Covers miscellaneous matters such as the effect of headings and governing law.

  13. Appendix 1: Data processing terms

  14. Appendix 2: Provisions of the Standard Contractual Clauses that apply

  15. Annex 1: Describes the types of data that are transferred between the Business User and Boom, i.e. account data, subscription data, etc.

  16. Annex 2: Lists the security measures implemented by Boom to protect data

  17. Appendix 3: Lists the sub-contractors used by Boom


1. Position of the Parties

1.1. Roles and Responsibilities: The Business User is the data controller, Boom acts as the data processor, and any third party Boom uses is a sub-processor, as defined by data protection laws.

1.2. Business User's Responsibility: The Business User is responsible for the personal data provided to Boom during the use of the Application, Services, and Content (“Personal Data”), including ensuring it complies with data protection laws and maintaining the data's accuracy and legality.

1.3. Purpose of Data Processing: Boom processes the Business User's Personal Data to perform the Services, detailed further in Annex I to Appendix 2.

1.4. Compliance with Laws: The Business User must ensure all data processing complies with relevant data protection laws, and their instructions to Boom must also be lawful.

1.5. Boom's Compliance: Boom will process Personal Data based on the Business User's written instructions and only for the specified purposes.

1.6. Legal Concerns: Boom will alert the Business User if any of their instructions violate data protection laws.

1.7. Access Restrictions: Only Boom personnel who are performing the Services will have access to Personal Data.

1.8. Confidentiality and Training: Boom will ensure its personnel handling Personal Data are aware of its confidential nature and are bound by confidentiality obligations.

1.9. Record Keeping: If required by law, Boom will keep detailed records of its Personal Data processing activities as specified by the applicable data protection laws.

1.10. Data Return or Deletion: After the termination of a Business User's account, Boom will either delete or return all the Business User's Personal Data, depending on the Business User's choice, unless laws require Boom to retain the data for longer for legal or business reasons.

1.11. Deletion Timeline: If the Business User chooses deletion, Boom will delete all the Personal Data within 90 days after the account's termination, or sooner if requested by the Business User.

1.12. Indemnity: The Business User must indemnify Boom for any damages, costs, or losses Boom incurs if it shares or makes the Business User's Personal Data available based on the Business User's instructions, including data related to the Business User's personnel.


2. Subcontractors

2.1. Subcontractor Use: The Business User agrees that Boom may hire, change, or replace subcontractors to process Personal Data as needed to meet its obligations under the Terms. Boom is responsible for ensuring that these subcontractors adhere to the same standards and obligations as Boom itself. A current list of Boom’s subcontractors is included in Appendix 3.

2.2. Subcontractor Compliance: Boom will ensure that any subcontractors it uses comply with the same data protection obligations as Boom, as required by applicable laws. Boom will notify the Business User in advance (except in emergencies) about any changes to its subcontractors. The Business User has the right to object to new subcontractors within thirty days of being notified. If the Business User does not object within this period, the new subcontractor is considered accepted.

2.3. Right to Terminate: If the Business User objects to a new subcontractor, it may choose to terminate its account.


3. Security

3.1. Security Measures: Boom has put in place appropriate technical, physical, and organizational measures to protect Personal Data, considering factors like the risk of data breaches and the nature of the data processed. These measures are detailed in Annex II to Appendix 2 and have been acknowledged by the Business User as adequate and appropriate, factoring in technological advancements and costs.

3.2. Monitoring and Updates: Boom regularly checks its security practices and may update its measures to maintain or enhance security levels. The Business User agrees that Boom can change these measures without notice as long as the new measures do not reduce the overall level of security.

3.3. Business User's Responsibility: The Business User must independently verify that Boom’s security measures meet their specific requirements and comply with applicable data protection laws. The Business User is also responsible for securing any components (like devices or networks) that they provide or control.


4. Cooperation

4.1. Handling External Requests: Boom will inform the Business User about any requests from individuals or government bodies, except supervisory authorities, as long as it's legally allowed. Boom will not respond to these requests unless authorized by the Business User or required by law. Boom will also assist the Business User in handling such requests, using appropriate technical and organizational measures.

4.2. Support with Compliance: Boom will help the Business User meet its obligations under data protection laws. This includes assistance with security measures, notifying about data breaches, conducting data protection impact assessments, and dealing with supervisory authority inquiries, based on the nature of the processing and the information Boom has.

4.3. Data Breach Notification: Boom will promptly notify the Business User if a data breach occurs. If the law requires, Boom will also notify the supervisory authorities and other relevant government bodies about the breach.

4.4. Costs of Assistance: The Business User will cover the reasonable costs of Boom's assistance related to handling requests, compliance support, and data breach notifications as outlined above.


5. Audits

5.1. Audit Availability: Boom will provide all necessary information and, if required by law, support audits and inspections by the Business User or an appointed auditor to show compliance with its obligations.

5.2. Audit Frequency and Duration: Audits are limited to once per year unless otherwise required by law, and should not last more than three business days. The Business User must ensure audits do not delay service delivery.

5.3. Audit Notice: The Business User must give Boom at least 60 days' written notice before an audit, unless a quicker audit is mandated by authorities.

5.4. Audit Planning: The Business User and Boom will agree on the audit's scope and agenda beforehand. They may use existing certifications or audit reports to reduce repetitive audits.

5.5. Audit Costs: Both parties will cover their own costs for the audit. The Business User must provide Boom with a copy of the audit report.


6. International Data Transfers

6.1. International Data Transfers: Boom will comply with any applicable data protection laws regarding international data transfers.

6.2. Conflict Resolution: If there's a conflict between data protection laws on international transfers and any other terms of this DPA, the data protection laws will take precedence.


7. Term

7.1. Effective Date: This DPA starts when a Business User registers.

7.2. Replacement of Previous Arrangements: This DPA replaces any previous data processing arrangements between the parties, which are now terminated.

7.3. Duration and Termination: This DPA remains in effect as long as Boom provides services and the user remains a Business User under the Terms. It automatically ends when the user's registration as a Business User, their account, or the applicability of the Terms ends, whichever happens last.


8. Governing Law & Venue

8.1. Venue: This DPA is governed by the same laws as the Terms, and any disputes related to this DPA will be resolved as outlined in the Terms.


9. European Union

9.1. EU-Based Business Users: For Business Users in the European Union, GDPR applies to this DPA. GDPR is the law designed to protect personal data and ensure its free movement within the EU.

9.2. GDPR Compliance: If Boom processes Personal Data under the GDPR, it will follow the Standard Contractual Clauses (“SCC”s) attached in Appendix 2 of this DPA.

9.3. Legal Governance of SCCs: The SCCs will be governed by the specific laws mentioned within them, and any disputes related to the SCCs will be resolved in the courts specified by those clauses.


10. United Kingdom

10.1. UK-Based Business Users: For Business Users in the United Kingdom, UK GDPR applies to this DPA. This is the version of GDPR retained by the UK after leaving the EU, which continues to protect personal data and ensure its free movement.

10.2. Compliance with UK GDPR: If Boom processes Personal Data that is subject to UK GDPR, it will follow the Standard Contractual Clauses (SCCs) outlined in Appendix 2 of this DPA.

10.3. Legal and Dispute Resolution under SCCs: The SCCs are governed by specified laws within them, and any disputes related to these clauses must be resolved in the designated courts as per the SCCs.


11. California

11.1. California Data Protection: If the Business User's Personal Data involves California residents, the California Consumer Privacy Act applies. This law includes all related regulations and amendments.

11.2. Role of Boom: Under California Data Protection Laws, Boom acts as a Service Provider, meaning it processes data solely to provide services to the Business User.

11.3. Data Use Restrictions: Boom cannot sell the Personal Data it handles and is restricted to using or disclosing this data strictly for fulfilling its service obligations to the Business User. Boom is not permitted to use the Personal Data for any purpose outside the direct business relationship or for any commercial purposes other than providing the specified services.

11.4. Compliance Certification: Boom confirms its understanding of these restrictions and commits to adhere to them.


12. General

12.1. The headings in this DPA are just for easier reading and don't impact the meaning of the terms.

12.2. Words in singular form also apply to their plural forms and vice versa; references to any gender include all genders.

12.3. Capitalized terms in this DPA are defined in Appendix 1.

12.4. Governing Law & Jurisdiction: This DPA is governed by the laws of the province of Ontario, Canada, without regard to conflict of law principles that would require the application of the laws of another jurisdiction. Applicability of the United Nations Convention on the International Sale of Goods (CISG, 1980) is explicitly excluded. The parties irrevocably submit to the exclusive jurisdiction of the courts of the Province of Ontario.


Appendix 1: Data Processing Terms

  • Account: Defined in the Terms.

  • Annex: A section attached to an Appendix of this DPA.

  • Appendix: A supplement to this DPA.

  • Applicable Data Protection Laws: The laws and regulations related to privacy, security, and data protection that apply to the processing of Personal Data.

  • Application: Defined in the Terms.

  • Business User: As defined in the Terms.

  • Controller: The entity that decides how and why Personal Data is processed, according to applicable laws.

  • Data Breach: As defined by applicable data protection laws.

  • DPA: This Data Processing Addendum.

  • Individual: The person whose Personal Data is being processed.

  • Effective Date: The date the user registered or requested to be registered as a Business User.

  • Party/Parties: Refers to either Boom or the Business User, or both together.

  • Personal Data: As defined in Article 1.2 of this DPA.

  • Processing: As defined in Article 1.3 of this DPA.

  • Processor: The entity processing Personal Data on behalf of the Controller, as defined by applicable laws.

  • Boom: The specific entity of Boom that agreed to the Terms with the Business User.

  • Terms: The Terms of Use agreement between Boom and the Business User.

  • SCCs: Standard Contractual Clauses from the European Commission for data protection, currently available here.

  • Subcontractor: A third party engaged by Boom to process Personal Data, also known as a sub-processor.

  • Services: The services Boom provides to users under the Terms.

  • Supervisory Authority: The official organization overseeing compliance with applicable data protection laws.

  • User: Defined in the Terms of Use.


Appendix 2

For the Standard Contractual Clauses (SCCs) between the Business User (data exporter) and Boom (data importer), the following provisions are agreed upon:

  1. Docking Clause (Clause 7 SCCs): This clause will be applied, allowing additional parties to join the SCCs in the future.

  2. Use of Sub-processors (Clause 9 SCCs, Option 2): Boom is authorized to engage subcontractors as per the general authorization granted by the Business User. The current list of approved subcontractors is included in Appendix 3.

  3. Appendices:

    1. The content of Annex I to Appendix 2 will serve as Annex I to the SCCs.

    2. The content of Annex II to Appendix 2 will serve as Annex II to the SCCs.


Annex I

A. List of Parties

Data Exporter (Business User):

  • Name: As listed in the Business User Account.

  • Address: As specified in the Business User Account.

  • Contact Person: Details provided in the Business User Account.

  • Activities: Related to the performance of the Services as outlined in the Terms.

  • Role: Controller

Data Importer (Boom):

  • Name: Boom.

  • Address: As listed in the Terms.

  • Contact Person: Robleh Jama, CEO, email: rj@boomvision.co.

  • Activities: Related to the performance of the Services as described in the Terms.

  • Role: Processor


B. Description of Transfer

  1. Categories of Individuals: Personal data from the Business User and their employees, contractors, clients, customers, and any other individuals involved or whose data is processed through the Services.

  2. Types of Personal Data Transferred:

    • Account Data: Names, passwords, email addresses, photos (avatars), and Google account information if signed up through Google.

    • Subscription Data: Details about current and past subscriptions, including start and end dates.

    • Support Data: Contact details, browser type, operating system, and other related service usage details.

    • Analytics Data: User behaviors, click patterns, browser types, language preferences, time zone, IP addresses, and referral sources.

  3. Frequency of Transfer: Data is transferred continuously as the Business User and their staff use the Services.

  4. Nature of Processing: Processing is carried out to perform the Services.

  5. Purpose of Data Transfer and Processing: The data is processed as necessary to provide the Services and according to the Business User's instructions.

  6. Data Retention Period: Personal data will be retained as outlined in Articles 1 and 7 of the DPA unless a different agreement is made in writing.

  7. Sub-processor Transfers: Sub-processors, if used, will handle personal data to help perform the Services as per the terms and for the duration specified in the DPA or agreed upon in writing.


C. Competent Supervisory Authority

There are four situations that determine which Supervisory Authority is competent:

  • Data Exporter Established in EU: The Supervisory Authority of the member state where the data exporter is established will oversee compliance with the EU GDPR for data transfers.

  • Data Exporter Not Established in EU but Under EU GDPR Scope with an EU Representative: The Supervisory Authority of the member state where the EU representative is located will act as the competent authority.

  • Data Exporter Not Established in EU, Under EU GDPR Scope but No Representative Required: The Dutch Data Protection Authority will be the competent Supervisory Authority.

  • Data Exporter in the UK or Under UK GDPR Scope: The Information Commissioner's Office in the UK will oversee compliance.


Annex II

Measures to secure data:

  • Measures of encryption of personal data

    • Technical:

      • SSL encryption on the website

      • Encryption of data stored in database

      • Encryption of data stored on laptops

  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    • Technical:

      • Authentication with username/password, two-factor authentication, and/or biometric methods

      • Password-protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication

    • Organizational:

      • Authorization is immediately blocked when employees and contractors leave the company

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    • Technical: 

      • Data is stored with automated backups

      • Multi-region data hosting

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

    • Organizational:

      • Regular code reviews

      • Automated testing on all product updates


Appendix 3: List of Sub-processors

The controller has authorized the use of the following sub-processors:

  • Boom

    • Location: Toronto, Canada

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To develop and maintain the Services, including Boom’s web platform and Boom's macOS app; to create analytical reports; and to provide various business and operational services, including sales, marketing, business enhancement, and bookkeeping, as well as customer and other support services.

  • Segment

    • Location: United States

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To provide analytical reports of Boom’s website, macOS app, and Services.

  • Stripe

    • Location: United States

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To create and manage invoices and (recurring) payments.

  • Google Inc. (Google Analytics)

    • Location: United States

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To create analytical reports.

  • Firebase (external service provider for authentication and analytics)

    • Location: United States

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To perform authentication, analytics, and crash reporting.

  • June.SO (external service provider for analytics)

    • Location: United States

    • Contact person’s name, position and contact details: N/A

    • Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To create analytical reports of our website, macOS app, and Services.