Boostie Data Processing Addendum (DPA)
Effective Date: 7/1/2025
This Data Processing Addendum (“DPA”) is incorporated by reference into the Terms of Use between Boostie, Inc. (“Boostie”) and the customer (“Customer”) that utilizes the Boostie platform and services (the “Agreement”).
This DPA governs Boostie’s processing of personal data on behalf of the Customer in connection with the Agreement. It is intended to satisfy the requirements of applicable data protection laws, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”), the General Data Protection Regulation (“GDPR”), and similar U.S. state laws.
---
1. Definitions
a. “Personal Data” means any information that identifies, relates to, describes, or can reasonably be linked to an individual, as defined under applicable data protection laws.
b. “Customer Data” means Personal Data provided or made available to Boostie by or on behalf of Customer in connection with the services.
c. “Service Provider” shall have the meaning set forth under the CCPA/CPRA. “Processor” shall have the meaning under the GDPR.
d. “Subprocessor” means a third party authorized by Boostie to process Personal Data in support of the services provided to Customer.
---
2. Roles of the Parties
a. Customer is the “Business” (under CCPA) or “Data Controller” (under GDPR). Boostie is the “Service Provider” (under CCPA) or “Data Processor” (under GDPR).
b. Boostie will process Personal Data only on behalf of and at the direction of Customer, and only for the specific purpose of delivering the services described in the Agreement.
---
3. Scope of Processing
a. Nature and Purpose:
Boostie processes Personal Data solely to provide services including, but not limited to:
- Sending emails and SMS messages on behalf of Customer
- Tracking user engagement (opens, clicks, website visits)
- Scoring applicants or assessing job fit
- Rediscovering and re-engaging candidates from Customer’s ATS
- Collecting application responses and website visitor data
b. Types of Personal Data Processed:
- Name, email address, and phone number (if provided)
- Resume, work history, and application responses
- Communication preferences
- IP address, city, region/state, country, browser, and device
c. Boostie does not collect or process sensitive personal information (e.g. health data, race/ethnicity, biometric data) as defined by applicable laws.
---
4. Compliance with Laws
Boostie will comply with all applicable data protection laws and regulations governing its processing of Personal Data, including the CCPA/CPRA, GDPR, and similar U.S. state laws.
Customer represents and warrants that it has obtained all necessary consents and lawful bases for the collection, use, and disclosure of Personal Data provided to Boostie.
---
5. Restrictions on Use
Boostie agrees to:
a. Process Personal Data only for the purposes described in this DPA and the Agreement;
b. Not retain, use, or disclose Personal Data for any purpose other than providing the services;
c. Not “sell” or “share” Personal Data (as defined under CCPA);
d. Not combine Personal Data with other data sets or use it for independent profiling, analytics, or product development without express written consent from Customer;
e. Promptly notify Customer if it determines it can no longer meet its obligations under this DPA or applicable law.
---
6. Data Subject Rights
a. Boostie will provide reasonable assistance to Customer in responding to data subject requests to access, correct, delete, or opt out of processing, in accordance with applicable laws.
b. Requests may be submitted to: privacy@boostie.com. Boostie will verify the identity of the requester and, where applicable, route the request to the Customer for appropriate action.
---
7. Security Measures
Boostie shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, access, destruction, alteration, or disclosure. These measures include:
a. Encryption of Personal Data in transit (TLS 1.2+) and at rest
b. Role-based access control and least-privilege principles
c. Multi-factor authentication for administrative access
d. Logging and monitoring of all access and system activities
e. Endpoint protection and patch management
f. Annual security assessments and employee training on data protection
g. Incident response procedures and disaster recovery planning
---
8. Breach Notification
In the event of a Personal Data Breach, Boostie will:
a. Notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach;
b. Provide details including the nature and scope of the breach, types of data involved, and remediation steps taken;
c. Cooperate with Customer in investigating and mitigating the breach and meeting any legal or contractual notification obligations.
---
9. Subprocessors
a. Boostie may engage subprocessors to support the services. Current subprocessors include:
- Microsoft Azure (infrastructure, hosting)
- OpenAI, Anthropic, Llama (AI processing)
- SendGrid, Twilio (email and SMS delivery)
- Stripe (payments)
- HubSpot, Attio (CRM and analytics)
b. Boostie ensures all subprocessors are contractually obligated to comply with privacy and security requirements that meet or exceed those in this DPA.
c. Boostie will provide at least fifteen (15) days’ prior notice of any new or replacement subprocessors by posting an updated list at boostie.com/privacy-center or via written notice.
d. Customer may object to a new subprocessor on reasonable data protection grounds within fifteen (15) days of notification. If the objection is not resolved, Customer may terminate the Agreement without penalty.
---
10. Data Retention and Deletion
a. Boostie retains Personal Data for the duration of the Agreement and, at Customer’s request, up to twelve (12) months after termination for backup or compliance purposes.
b. Absent such a request, Customer Data will be scheduled for deletion within ninety (90) days of contract termination.
c. Upon written request, Boostie will return or delete Personal Data earlier. Deleted data will be securely and permanently removed from all systems and backups within a commercially reasonable timeframe.
---
11. International Data Transfers
Boostie processes and stores all Personal Data within the United States. Boostie does not currently transfer data outside the U.S.
If international expansion occurs, Boostie will:
- Store data regionally in the applicable country or jurisdiction, and
- Execute Standard Contractual Clauses (SCCs) or other valid transfer mechanisms as required by law.
---
12. Documentation and Audit
Upon written request, Boostie will make available reasonable documentation to demonstrate compliance with this DPA. This may include audit summaries, security policies, or attestations (e.g. SOC 2 reports when available).
Boostie will cooperate with Customer in meeting any regulatory audit or investigation requirements.
---
13. General Terms
a. This DPA remains in effect for the duration of the Agreement between Boostie and Customer.
b. In the event of a conflict between this DPA and any other agreement, the terms of this DPA shall control as they relate to the processing of Personal Data.
c. Boostie may update this DPA from time to time to reflect changes in legal or technical requirements. Material changes will be communicated in advance.
---
For questions or to exercise your data rights, please contact:
privacy@boostie.com