Data Processing Agreement
This DPA governs how BOMvault processes personal data on your behalf in compliance with GDPR, CCPA, and other applicable data protection laws.
DPA Overview
Effective Date: January 1, 2025 | Version: 1.0
Summary
This Data Processing Agreement ("DPA") establishes the terms under which BOMvault, Inc. ("Processor") processes personal data on behalf of our customers ("Controller"). It forms part of your Master Services Agreement or Terms of Service.
Key Points
- Your Role: You are the Controller - you determine why and how personal data is processed
- Our Role: We are the Processor - we only process data according to your documented instructions
- Data Protection: We implement robust security measures including encryption, access controls, and Row Level Security
- Sub-processors: We maintain a transparent list of approved sub-processors with 30-day advance notice of changes
- International Transfers: We use Standard Contractual Clauses (SCCs) for transfers outside the EEA/UK
Data We Process
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, job title | Provide access to Services |
| Authentication Data | Hashed passwords, SSO tokens | Secure authentication |
| Usage Data | IP addresses, access logs | Security monitoring |
| Audit Trail | User actions, timestamps | Compliance records |
| SBOM Metadata | Author names (if in SBOM) | SBOM processing |
Security Measures
Technical Controls
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Row Level Security (600+ policies)
- Role-based access control
- API key hashing (SHA-256)
Organizational Controls
- Annual security training
- Quarterly access reviews
- Incident response procedures
- Disaster recovery (RTO < 4h)
- Vendor security assessments
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | USA (us-east-1) |
| Vercel | Frontend hosting | USA / Global |
| Stripe | Payment processing | USA |
| Sentry | Error tracking | USA |
View the full DPA for the complete sub-processor list with detailed data categories.
Your Rights
- Data Subject Requests: We assist you in responding to access, rectification, erasure, and portability requests
- Audit Rights: You may audit our compliance once per year with 30 days' notice
- Breach Notification: We notify you within 72 hours of any security incident
- Data Deletion: Upon termination, we delete your data within 30 days (backups within 90 days)
International Transfers
For transfers of personal data outside the European Economic Area, United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- UK Addendum to the EU SCCs for UK transfers
- Supplementary technical measures including encryption and access controls
Need a Signed Copy?
Enterprise customers requiring physical signatures or custom DPA terms should contact our legal team.
Contact
For data protection inquiries or to exercise your rights under this DPA:
- Email: privacy@bomvault.com
- Legal: legal@bomvault.com
Last Updated: January 1, 2025