Boostrad

Data Processing Agreement (DPA)

Agreement governing the processing of personal data by Boostrad on behalf of customers.

Last updated: March 25, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Boostrad AI ("Processor", "we", "us", or "our") and the customer or user acting as a data controller ("Controller", "you", or "your").

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the use of the Service.

This DPA is intended to ensure compliance with applicable data protection laws, including:

  • Regulation (EU) 2016/679 ("GDPR")
  • UK GDPR
  • Swiss Federal Act on Data Protection

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person

"Processing" means any operation performed on Personal Data

"Controller" means the entity determining purposes and means of processing

"Processor" means the entity processing data on behalf of the Controller

All other terms shall have the meaning given under applicable data protection laws.

3. Scope of Processing

The Processor shall process Personal Data only:

  • On documented instructions from the Controller
  • For the purpose of providing the Service

Processing may include:

  • Storage
  • Analysis
  • Transmission
  • Transformation
  • AI-based processing

4. Nature and Purpose of Processing

The processing activities include:

  • Hosting and storage of user data
  • AI-driven content generation
  • Analytics and performance measurement
  • Integration with third-party services

5. Categories of Data Subjects

Personal Data may relate to:

  • End users
  • Customers
  • Employees
  • Marketing audiences
  • Individuals appearing in uploaded content

6. Types of Personal Data

The categories of Personal Data processed may include:

  • Identification data (name, email)
  • Account data
  • User-generated content (images, videos, audio, text)
  • Behavioral and usage data
  • Advertising and performance data
  • Technical and device data

7. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis for processing Personal Data
  • It has obtained all necessary consents and permissions
  • It complies with all applicable data protection laws
  • It is responsible for the legality of Personal Data uploaded to the Service

8. Processor Obligations

The Processor shall:

  • Process Personal Data only in accordance with this DPA
  • Ensure confidentiality of personnel
  • Implement appropriate technical and organizational measures
  • Assist the Controller in fulfilling its obligations

9. Security Measures

The Processor shall implement appropriate measures to ensure a level of security appropriate to the risk, including:

  • Encryption where appropriate
  • Access controls
  • Monitoring and logging
  • Data isolation

However, the Controller acknowledges that no system is completely secure.

10. Sub-processors

The Controller authorizes the Processor to engage sub-processors.

Sub-processors may include:

The Processor shall ensure that sub-processors are bound by data protection obligations equivalent to this DPA.

Where the Service routes Personal Data to third-party LLM APIs (for example, Google Gemini or OpenAI ChatGPT, including models such as Gemini 3.1 Pro or ChatGPT 5.4), the Processor shall engage such providers under written terms requiring appropriate confidentiality and security measures. The Controller acknowledges that additional subprocessors may be listed in the Terms of Service or Privacy Policy.

11. International Transfers

The Processor may transfer Personal Data outside the EEA, UK, or Switzerland.

Where required, the Processor shall implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Equivalent protections

12. Data Subject Rights

The Processor shall, to the extent possible, assist the Controller in responding to requests from data subjects, including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Data portability

13. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach.

The notification shall include:

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Measures taken

14. Data Retention and Deletion

Upon termination of the Service, the Processor shall:

  • Delete or return Personal Data, unless retention is required by law

15. Audits

The Processor shall make available information necessary to demonstrate compliance with this DPA.

Audits shall be:

  • Reasonable
  • Limited in scope
  • Subject to confidentiality

16. Liability

Each party shall be liable for damages caused by its own breach of this DPA.

Liability shall be subject to the limitations set forth in the Terms of Service.

17. Term

This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.

18. Governing Law

This DPA shall be governed by the laws of Switzerland, unless otherwise required by applicable data protection laws.

19. Contact

Boostrad AI

info@boostrad.ai

Data Processing Agreement (DPA) | Boostrad | Boostrad