Legal
Data Processing Addendum
Last updated June 4, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Bossy ("Processor") and the Customer ("Controller") for the use of Bossy, and applies where Bossy processes personal data on the Customer's behalf.
1. Roles
For personal data about the Customer's team members and the people whose data the Customer enters into Bossy, the Customer is the controller and Bossy is the processor. Bossy processes that data only to provide the service and on the Customer's documented instructions (including as configured through the product), except where required by law.
2. Subject matter and duration
Bossy processes personal data for the duration of the agreement and as needed to provide the service. The subject matter is the operation of a people-ops and operations platform.
3. Nature and purpose of processing
Hosting, storage, transmission, display, and processing of the Customer's content and team data to deliver the service's features (tasks and verification, scheduling, reporting, people-ops, messaging, and notifications).
4. Types of data and data subjects
Data subjects: the Customer's owners, administrators, managers, supervisors, and workers. Data types: identifiers and contact data; role and organizational data; operational content including task records and photos, schedules, performance, feedback, goals, journal entries, and messages; and usage data.
5. Confidentiality
Bossy ensures that personnel authorized to process personal data are bound by confidentiality.
6. Security
Bossy maintains technical and organizational measures appropriate to the risk, including tenant isolation enforced by row-level security, encryption in transit and at rest, access controls, two-factor authentication, and audit logging. See our Security & Trust page.
7. Subprocessors
The Customer authorizes Bossy to engage the subprocessors listed on our Subprocessors page. Bossy imposes data-protection obligations on each subprocessor and remains responsible for their performance. Bossy will provide a mechanism to be notified of new subprocessors and a reasonable opportunity to object.
8. Data subject requests
Taking into account the nature of the processing, Bossy will assist the Customer, by appropriate technical and organizational measures, in responding to requests from data subjects to exercise their rights. Where Bossy receives such a request directly, it will route it to the Customer.
9. Personal data breach
Bossy will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide information reasonably available to assist the Customer's own notification obligations. This commitment is consistent with our incident-response practices.
10. Deletion and return
On termination, and at the Customer's choice, Bossy will delete or return the Customer's personal data, except where retention is required by law. See Account Deletion & Data Requests.
11. International transfers
Where personal data is transferred across borders, the parties will rely on appropriate safeguards as required by applicable law.
12. Audits
Bossy will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits to the extent required by applicable law, subject to reasonable confidentiality and security conditions.
Contact
To request a signed copy of this DPA or ask questions: privacy@bossyhq.com · Bossy LLC.