Effective Date: 6/25/2026

This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Use between Boostie, Inc. ("Boostie") and the customer ("Customer") that utilizes the Boostie platform and services (the "Agreement"). Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

This DPA governs Boostie's processing of Personal Data on behalf of Customer in connection with the Agreement. It is intended to satisfy the requirements of applicable U.S. data protection laws, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act, "CCPA/CPRA") and comparable U.S. state privacy laws. This DPA is scoped to U.S. residents only; if Customer requires processing of data belonging to individuals in the EU/EEA or other international jurisdictions, the parties will enter into a separate addendum addressing such requirements.


1. Definitions

(a) "Personal Data" means any information that identifies, relates to, describes, or can reasonably be linked to an individual who is a U.S. resident, as defined under applicable U.S. state privacy laws.

(b) "Customer Data" means Personal Data provided or made available to Boostie by or on behalf of Customer in connection with the Services, including information about Customer's employees, contacts, and Applicants.

(c) "Applicant Data" means personal information submitted by or on behalf of job applicants ("Applicants") in connection with the Platform, including but not limited to resumes, application responses, job preferences, behavioral data, device metadata, and interaction logs, as further described in the Agreement.

(d) "Service Provider" shall have the meaning set forth under applicable U.S. state privacy laws, including CCPA/CPRA. Boostie acts as a Service Provider with respect to Personal Data it processes on behalf of Customer.

(e) "Subprocessor" means a third party authorized by Boostie to process Personal Data in support of the Services provided to Customer.

(f) "Personal Data Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Boostie.


2. Roles of the Parties

Customer is the "Business" under applicable U.S. state privacy laws, including CCPA/CPRA. Boostie is the "Service Provider" under those laws.

Boostie will process Personal Data only on behalf of and pursuant to Customer's documented instructions, and only for the specific purposes described in this DPA and the Agreement. Boostie will promptly inform Customer if, in its reasonable opinion, any instruction violates applicable data protection law.


3. Scope of Processing

3.1 Nature and Purpose

Boostie processes Personal Data solely to provide Services, including:

  • Sending emails and SMS messages on behalf of Customer
  • Tracking applicant engagement (opens, clicks, website visits)
  • Scoring, ranking, and matching applicants or assessing job fit using AI features
  • Re-engaging candidates from Customer's ATS or talent pool
  • Collecting application responses and website visitor data
  • Delivering candidate lead notifications via integrations such as Boostie Bot (Microsoft Teams)

3.2 Types of Personal Data Processed

  • Name, email address, and phone number (if provided)
  • Resume, work history, skills, and application responses
  • Communication preferences and opt-in/opt-out choices
  • IP address, approximate city, region/state, country, browser type, and device type
  • Behavioral engagement signals (e.g., email opens, link clicks, page visits)

3.3 Categories of Data Subjects

  • Job applicants and candidates (Applicants)
  • Customer's existing talent pool contacts and former applicants
  • Website visitors interacting with Boostie-powered career sites
  • Employer representatives and users of the Boostie platform

3.4 Sensitive Personal Information

Boostie does not intentionally collect sensitive personal information (as defined under applicable law, including race/ethnicity, health data, biometric data, and similar categories) as part of its standard Services. Customer is prohibited from submitting sensitive personal information to the Platform without a prior written agreement with Boostie specifically addressing such processing. Boostie assumes no responsibility for sensitive personal information submitted by Customer in violation of this restriction.


4. Compliance with Laws

Boostie will comply with all applicable U.S. data protection laws and regulations governing its processing of Personal Data in its capacity as a Service Provider, including CCPA/CPRA and comparable state privacy laws.

Customer represents and warrants that it has obtained all necessary consents and has a lawful basis for the collection, use, and disclosure of Personal Data provided to Boostie, including all consents required under applicable automated employment decision tool (AEDT) laws.


5. Restrictions on Use

Boostie agrees to:

(a) Process Personal Data only for the purposes described in this DPA and the Agreement;

(b) Not retain, use, or disclose Personal Data for any purpose other than providing the Services, including not using it for Boostie's own commercial purposes;

(c) Not "sell" or "share" Personal Data as those terms are defined under CCPA/CPRA or comparable state laws;

(d) Not combine Personal Data with other data sets or use it for independent profiling, analytics, or product development without express written consent from Customer; provided that nothing in this section restricts Boostie's use of de-identified, aggregated, or anonymized data (from which individual identities cannot reasonably be reconstructed) for platform improvement, benchmarking, and product development, consistent with the Agreement;

(e) Promptly notify Customer if it determines it can no longer meet its obligations under this DPA or applicable law.


6. Data Subject Rights

Boostie will provide reasonable assistance to Customer in responding to data subject or consumer rights requests to access, correct, delete, or opt out of processing, in accordance with applicable U.S. state privacy laws.

Requests from individuals may be submitted directly to Boostie at privacy@boostie.com. Boostie will verify the identity of the requester and, where applicable, coordinate with Customer to respond appropriately within the timeframes required by applicable law.


7. Security Measures

Boostie shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, access, destruction, alteration, or disclosure. These measures include:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest
  • Role-based access control and least-privilege principles
  • Multi-factor authentication for administrative access
  • Logging and monitoring of all system access and activities
  • Endpoint protection and patch management
  • Annual security assessments and employee training on data protection
  • Incident response procedures and disaster recovery planning

8. Breach Notification

In the event of a Personal Data Breach, Boostie will:

(a) Notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach;

(b) Provide details including the nature and scope of the breach, types of data involved, number of individuals affected (to the extent known), and remediation steps taken or planned;

(c) Cooperate with Customer in investigating and mitigating the breach and in meeting any legal or contractual notification obligations to individuals or regulators.

Notification by Boostie of a Personal Data Breach does not constitute an acknowledgment of fault or liability.


9. Subprocessors

Customer hereby provides general authorization for Boostie to engage the Subprocessors listed at boostie.com/legal/subprocessors/ to assist in delivering the Services, subject to the notice and objection process in this Section 9.

Current Subprocessors include:

  • Microsoft Azure — infrastructure and hosting
  • OpenAI, Anthropic, Llama — AI processing features
  • SendGrid, Twilio, Vonage — email and SMS delivery
  • Stripe — payment processing

Boostie ensures all Subprocessors are contractually obligated to comply with privacy and security requirements that meet or exceed those in this DPA.

Boostie will provide at least 30 days' prior written notice of any new or replacement Subprocessors by updating the list at boostie.com/legal/subprocessors/ and providing email or in-platform notification to Customer.

Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 15 days of notification. Boostie will work in good faith to address Customer's objection. If the objection cannot be resolved within 30 days, Customer may terminate the Agreement without penalty upon written notice.


10. Data Retention and Deletion

(a) Boostie retains Personal Data for the duration of the Agreement and, at Customer's written request, for up to twelve (12) months after termination for backup or compliance purposes.

(b) Absent such a request, Customer Data will be scheduled for deletion within ninety (90) days of Agreement termination.

(c) Upon Customer's written request, Boostie will return or delete Personal Data in a format reasonably agreed upon by the parties. Deleted data will be securely and permanently removed from all active systems within thirty (30) days of the deletion request. Data contained in encrypted backup archives will be purged within ninety (90) days of the scheduled backup rotation cycle.


11. International Data Transfers

Boostie processes and stores all Personal Data within the United States. Boostie does not currently transfer Personal Data outside the United States.

This DPA is scoped to data belonging to U.S. residents. If Customer requires processing of data belonging to individuals in the EU/EEA, United Kingdom, Canada, or other international jurisdictions, the parties will enter into a separate written addendum addressing the applicable transfer mechanisms and legal requirements before any such processing commences.


12. Audit and Compliance Documentation

Upon Customer's written request no more than once per calendar year (or at any time following a confirmed Personal Data Breach), Boostie will make available its then-current SOC 2 Type II report (or equivalent third-party security attestation, when available) to demonstrate compliance with the security and data protection requirements of this DPA.

Boostie will cooperate with Customer in meeting any regulatory audit or investigation requirements, including providing reasonable documentation upon written request. Where a SOC 2 report covers the relevant scope, it shall satisfy Customer's audit right under this Section.

Note: Boostie is in the process of obtaining SOC 2 Type II certification. Until certification is obtained, Boostie will provide equivalent documentation including security policies, controls summaries, and third-party assessment results upon request.


13. Personnel Confidentiality

Boostie shall ensure that all personnel with access to Personal Data:

  • Are bound by written confidentiality obligations no less protective than those in this DPA;
  • Receive appropriate training on applicable data protection requirements and security practices; and
  • Are authorized to process Personal Data only to the extent necessary to perform their role in delivering the Services.

14. General Terms

(a) Term. This DPA remains in effect for the duration of the Agreement between Boostie and Customer and survives termination to the extent necessary to fulfill Boostie's obligations regarding deletion and return of data.

(b) Order of Precedence. In the event of conflict between this DPA and any other agreement between the parties, the terms of this DPA shall control with respect to the processing of Personal Data.

(c) Updates. Boostie may update this DPA from time to time to reflect changes in legal or technical requirements. Material changes (including changes to data processing scope, security standards, or Customer rights) will be communicated with at least 30 days' advance notice via email or in-platform notification. Customer's continued use of the Services after the effective date of any update constitutes acceptance.

(d) Entire Agreement on Data Processing. This DPA, together with the Agreement and any exhibits hereto, constitutes the entire agreement between the parties with respect to the processing of Personal Data.


15. Contact

For questions about this DPA or to exercise data subject rights, contact:

Boostie, Inc.
Email: privacy@boostie.com


Schedule A — Data Processing Details

This Schedule A forms part of the DPA and describes the details of Boostie's processing of Personal Data on behalf of Customer.

Subject Matter: Processing of Personal Data to deliver Boostie's talent marketing, recruiting automation, and AI-assisted evaluation services.

Duration: For the term of the Agreement, plus any post-termination retention period as specified in Section 10 of this DPA.

Nature of Processing: Collection, storage, use, disclosure, analysis, AI-assisted scoring and ranking, messaging, and deletion of Personal Data on behalf of Customer.

Purpose of Processing: Delivering Services including: job application processing; candidate scoring, ranking, and matching; email and SMS outreach; talent pool management; career site delivery; recruiter workflow support; and AI-assisted evaluation and summarization.

Categories of Personal Data:

  • Name, email address, phone number
  • Resume, work history, skills, credentials
  • Application responses and questionnaire data
  • Communication preferences
  • Behavioral signals (opens, clicks, page visits)
  • Technical data (IP address, browser, device type, approximate location)

Categories of Data Subjects:

  • Job applicants and candidates
  • Talent pool contacts and former applicants
  • Career site visitors
  • Customer's employer users and administrators

Sensitive Personal Information: Not processed as part of standard Services. Customer is prohibited from submitting sensitive personal information without a separate written agreement. See DPA Section 3.4.

Subprocessors: See current list at boostie.com/legal/subprocessors/

Transfers Outside the U.S.: None. All Personal Data is processed and stored within the United States. See DPA Section 11.