Last Updated: November 2025
Recitals
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between Bondi (“Bondi”, “we”, “us”, or “our”) and the customer identified in the Agreement (“Customer”, “you”, or “your”).
WHEREAS, Customer wishes to use the Services (as defined in the Agreement) provided by Bondi, which may involve the processing of Personal Data;
WHEREAS, the Parties wish to ensure that such processing complies with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”);
WHEREAS, Bondi Labs, Inc. is a US-based company with registered address at 2803 Philadelphia Pike, Suite B #356, Claymont, DE 19703, providing services to customers globally, including in the European Union;
WHEREAS, the Parties wish to establish their respective rights and obligations regarding the processing of Personal Data in accordance with GDPR;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or in the GDPR.
1.1 “Data Protection Laws” means all applicable laws and regulations relating to privacy and data protection, including but not limited to the GDPR, UK GDPR (as defined by the Data Protection Act 2018), ePrivacy Directive 2002/58/EC, and any national implementing legislation in each case as amended, replaced or superseded from time to time.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
1.3 “Processing” has the meaning given in Article 4(2) of the GDPR and includes any operation performed on Personal Data.
1.4 “Data Subject” means the natural person to whom the Personal Data relates, as defined in Article 4(1) of the GDPR.
1.5 “Controller” means the natural or legal person which determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) of the GDPR.
1.6 “Processor” means a natural or legal person which processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR.
1.7 “Sub-processor” means any Processor engaged by Bondi or by any other Sub-processor to process Personal Data on behalf of Customer in connection with the Agreement.
1.8 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission pursuant to Decision 2021/914 of 4 June 2021.
1.10 “Services” means Bondi’s cloud-based business management and workflow automation platform, including workspace management, data modeling, automation tools, collaboration features, and related services as described in the Agreement.
1.11 “EEA” means the European Economic Area.
2. Roles and Scope of Processing
2.1 Roles of the Parties
(a) Processor-Controller Relationship: With respect to Customer Data (as defined in the Agreement) that Customer submits to the Services, Customer is the Controller and Bondi acts as a Processor on behalf of Customer. Customer determines the purposes and means of processing Customer Data.
(b) Bondi as Controller: Bondi acts as a Controller with respect to:
- Account and contact information provided during registration
- Usage data and analytics collected to operate and improve the Services (privacy-enhanced, anonymized, non-profiling)
- Billing and payment information
- Communications between Customer and Bondi
(c) Customer Responsibilities as Controller: When acting as Controller, Customer is solely responsible for:
- Ensuring lawful basis for processing Personal Data
- Providing required notices to Data Subjects
- Obtaining necessary consents where required
- Complying with Data Subject rights requests
- Determining retention periods for Personal Data
2.2 Scope of Processing
This DPA applies to the processing of Personal Data by Bondi on behalf of Customer in connection with the provision of the Services. The details of such processing are set out in Annex I (Details of Processing).
2.3 Customer Instructions
Bondi shall process Personal Data only:
- In accordance with Customer’s documented instructions as set out in this DPA and the Agreement; or
- As required by applicable law to which Bondi is subject.
If Bondi is required by applicable law to process Personal Data for any other purpose, Bondi shall inform Customer of that legal requirement before processing, unless prohibited from doing so by law.
3. Compliance with Data Protection Laws
3.1 General Compliance
Each Party shall comply with its respective obligations under applicable Data Protection Laws with respect to the processing of Personal Data under the Agreement.
3.2 Lawfulness of Customer’s Instructions
Customer warrants that it has all necessary rights and has obtained all necessary consents to provide Personal Data to Bondi for processing in accordance with this DPA. Customer shall ensure that its instructions for the processing of Personal Data comply with Data Protection Laws.
3.3 Notification of Unlawful Instructions
If, in Bondi’s opinion, any instruction from Customer infringes Data Protection Laws, Bondi will inform Customer without undue delay and may suspend the relevant processing until Customer confirms or modifies the instruction.
4. Confidentiality
4.1 Confidentiality Obligations
Bondi shall ensure that all personnel authorized to process Personal Data:
- Are subject to binding confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
- Have received appropriate training on Data Protection Laws and their obligations; and
- Access Personal Data only to the extent necessary to perform their duties.
4.2 Access Restrictions
Bondi shall implement appropriate technical and organizational measures to ensure that access to Personal Data is limited to those personnel who need access to perform the Services.
5. Security Measures
5.1 Technical and Organizational Measures
Bondi shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as described in Annex II (Technical and Organizational Measures). Such measures shall be designed to:
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- Regularly test, assess and evaluate the effectiveness of security measures; and
- Ensure a level of security appropriate to the risk presented by the processing.
5.2 Security Standards
Bondi maintains industry-standard security practices, including:
- Encryption of Personal Data at rest and in transit
- Multi-factor authentication for administrative access
- Regular security assessments and penetration testing
- Incident response procedures
- Business continuity and disaster recovery plans
5.3 Updates to Security Measures
Bondi may update or modify the security measures from time to time, provided that such updates do not result in the degradation of the overall security of the Services.
6. Sub-Processors
6.1 Authorized Sub-Processors
Customer provides general authorization for Bondi to engage Sub-processors to process Personal Data on Customer’s behalf. A current list of Bondi’s Sub-processors is set out in Annex III (List of Sub-Processors).
6.2 Sub-Processor Obligations
Bondi shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations equivalent to those set out in this DPA;
- Ensure that each Sub-processor complies with the obligations set out in this DPA; and
- Remain fully liable to Customer for the performance of each Sub-processor’s obligations.
6.3 Changes to Sub-Processors
Bondi will provide Customer with at least thirty (30) days’ prior written notice (via email to Customer’s registered email address) before adding or replacing any Sub-processor.
6.4 Customer Right to Object
Customer may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Bondi in writing within thirty (30) days of receipt of Bondi’s notice. If Customer objects, the Parties shall discuss in good faith to address Customer’s concerns. If the Parties cannot reach a resolution, Customer may terminate the affected Services by providing written notice to Bondi.
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
Taking into account the nature of the processing, Bondi shall provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
- Rights related to automated decision-making (Article 22 GDPR)
7.2 Request Handling
If Bondi receives a request from a Data Subject directly, Bondi will promptly forward the request to Customer. Customer shall be responsible for responding to such requests, and Bondi will provide commercially reasonable assistance as requested by Customer.
7.3 Data Portability
Upon Customer’s written request, and subject to technical feasibility, Bondi will provide Customer with Personal Data in a structured, commonly used, and machine-readable format to facilitate data portability.
7.4 Response Timeframe
Bondi will respond to Customer’s reasonable requests for assistance within thirty (30) days or such shorter period as may be required by applicable Data Protection Laws.
8. International Data Transfers
8.1 Data Residency
Bondi processes and stores Customer Data in the European Union using Amazon Web Services (AWS) data centers located in Frankfurt, Germany and/or Dublin, Ireland for customers in the EEA. Customer Data from EEA customers does not leave the EEA except for limited processing by authorized Sub-processors with appropriate safeguards as described in Section 8.2 and Annex III.
8.2 Transfers Outside the EEA
Where processing of Personal Data involves transfers to countries outside the EEA that are not subject to an adequacy decision by the European Commission, Bondi ensures that appropriate safeguards are in place:
(a) Standard Contractual Clauses: Bondi has entered into Standard Contractual Clauses with relevant Sub-processors located outside the EEA, as approved by the European Commission.
(b) Supplementary Measures: In addition to SCCs, Bondi implements supplementary technical and organizational measures, including:
- End-to-end encryption of data in transit and at rest
- Pseudonymization where appropriate
- Access controls and logging
- Contractual restrictions on Sub-processor access to data
8.3 U.S. Sub-Processors
Certain Sub-processors are located in the United States (see Annex III). Transfers to these Sub-processors are protected by:
- Standard Contractual Clauses
- Contractual commitments equivalent to GDPR
- Technical security measures (encryption, access controls)
8.4 Adequacy Decisions
Bondi will monitor developments in adequacy decisions and will implement appropriate transfer mechanisms as required by applicable Data Protection Laws.
9. Security Incidents and Data Breach Notification
9.1 Notification to Customer
Bondi shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer’s Personal Data.
9.2 Incident Information
The notification shall include, to the extent possible:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of Bondi’s Data Protection Officer or other contact point;
- A description of the likely consequences of the Security Incident;
- A description of measures taken or proposed to address the Security Incident and mitigate its potential adverse effects.
9.3 Investigation and Remediation
Bondi shall:
- Promptly investigate the Security Incident and take reasonable steps to remediate the cause;
- Provide Customer with reasonable assistance in investigating the Security Incident;
- Provide updates on the investigation and remediation efforts as they become available;
- Cooperate with Customer in meeting any notification obligations to Data Subjects or supervisory authorities.
9.4 No Acknowledgment of Fault
Bondi’s notification or response to a Security Incident under this Section shall not be construed as an acknowledgment by Bondi of any fault or liability.
10. Data Protection Impact Assessments and Prior Consultation
10.1 Assistance with DPIAs
Upon Customer’s written request, Bondi shall provide reasonable assistance to Customer in conducting data protection impact assessments (DPIAs) required under Article 35 GDPR, taking into account the nature of processing and information available to Bondi.
10.2 Prior Consultation
If Customer is required to consult with a supervisory authority under Article 36 GDPR, Bondi shall provide reasonable assistance to Customer in such consultation, to the extent the consultation relates to Bondi’s processing of Personal Data.
10.3 Information Provision
Bondi will provide Customer with such information as is reasonably necessary to demonstrate compliance with the obligations under this DPA and to facilitate audits or inspections by Customer or an authorized auditor.
11. Audit Rights
11.1 Documentation
Bondi shall maintain records of its processing activities as required by Article 30 GDPR and make available to Customer such information as is reasonably necessary to demonstrate compliance with this DPA.
11.2 Third-Party Certifications
Bondi is working towards obtaining industry-standard security certifications (such as SOC 2 Type II and/or ISO 27001) and maintains security practices aligned with these standards. Upon request and subject to confidentiality obligations, Bondi will provide Customer with available security documentation, assessment reports, or certifications as evidence of compliance.
11.3 Customer Audit Rights
Customer may, at its own expense and upon thirty (30) days’ prior written notice, conduct an audit or inspection of Bondi’s relevant processing facilities to verify compliance with this DPA, subject to:
- Audits being conducted no more than once per year, unless required by a supervisory authority;
- Audits being conducted during business hours and in a manner that does not unreasonably interfere with Bondi’s operations;
- Customer or its auditor entering into a confidentiality agreement with Bondi;
- The scope of the audit being reasonable and proportionate to the Services provided.
11.4 Costs
Customer shall bear all costs associated with any audit, including reasonable costs incurred by Bondi in facilitating the audit. If an audit reveals non-compliance with this DPA, Bondi shall promptly remedy such non-compliance at its own expense.
12. Data Retention and Deletion
12.1 Retention Periods
Bondi will retain Personal Data for the duration of the Services and as necessary to comply with applicable legal obligations, resolve disputes, and enforce agreements.
12.2 Deletion Upon Termination
Upon termination or expiration of the Agreement, Bondi shall, at Customer’s choice:
(a) Return all Personal Data to Customer in a commonly used electronic format within thirty (30) days; or
(b) Delete all Personal Data and provide written certification of such deletion within thirty (30) days.
12.3 Exceptions to Deletion
Bondi may retain Personal Data to the extent required by applicable law or regulation, provided that Bondi shall:
- Notify Customer of any such requirement;
- Continue to protect the confidentiality of the Personal Data;
- Process such Personal Data only for the purposes required by such law; and
- Delete the Personal Data once the legal retention requirement expires.
12.4 Backup Copies
Personal Data may remain in Bondi’s backup systems for up to thirty (30) days following deletion. Such backup copies shall remain subject to the terms of this DPA and shall be securely deleted in accordance with Bondi’s backup retention policies.
13. Liability and Indemnification
13.1 GDPR Liability Chain
Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. The Parties acknowledge that under Article 82 GDPR:
(a) Each Party may be held liable for damages caused by processing that infringes the GDPR;
(b) A Processor shall be liable for damages only where it has not complied with obligations specifically directed to Processors or has acted outside or contrary to lawful instructions of the Controller;
(c) A Party is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
13.2 Limitation of Liability
Except as expressly set out in this DPA or as prohibited by applicable law, Bondi’s total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
Notwithstanding the foregoing, nothing in this DPA or the Agreement shall limit or exclude either Party’s liability for:
- Death or personal injury caused by negligence;
- Fraud or fraudulent misrepresentation;
- Breach of confidentiality obligations under Section 4;
- Violation of Data Protection Laws where such limitation is prohibited by law;
- Gross negligence or willful misconduct;
- Any other liability that cannot be limited or excluded under applicable law, including liabilities under GDPR Article 82.
13.3 Indemnification
Bondi shall indemnify and hold Customer harmless from any claims, damages, losses, or expenses (including reasonable attorneys’ fees) arising from Bondi’s breach of its obligations under this DPA, except to the extent such claims arise from Customer’s breach of this DPA or the Agreement.
14. Term and Termination
14.1 Term
This DPA shall commence on the effective date of the Agreement and shall remain in effect for so long as Bondi processes Personal Data on behalf of Customer, or until the termination of the Agreement, whichever is later.
14.2 Effect of Termination
Upon termination of this DPA:
- Bondi shall cease all processing of Personal Data (except as required by law);
- Bondi shall return or delete Personal Data as set out in Section 12 (Data Retention and Deletion);
- The obligations under Sections 4 (Confidentiality), 13 (Liability), and this Section 14 shall survive.
14.3 Termination for Breach
Either Party may terminate this DPA with immediate effect if the other Party materially breaches any of its obligations under this DPA and fails to remedy such breach within thirty (30) days of receiving written notice thereof.
15. General Provisions
15.1 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data to the extent of such conflict or inconsistency.
15.2 Amendments
Bondi may amend this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or Bondi’s data processing practices. Bondi will provide notice of material changes via email or through the Services at least thirty (30) days before such changes take effect. Customer’s continued use of the Services after such notice constitutes acceptance of the amended DPA.
15.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid provision that most closely approximates the intent of the original provision.
15.4 Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement, except where Data Protection Laws require otherwise.
15.5 Dispute Resolution
Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Agreement.
16. Contact Information
16.1 Data Protection Officer
For all matters relating to data protection and this DPA, please contact:
Data Protection Officer
Email: dpo@heybondi.com
Address: 2803 Philadelphia Pike, Suite B #356, Claymont, DE 19703, United States
16.2 EU Representative Status
As a US-based company processing EU Personal Data on an occasional basis through privacy-enhanced analytics only (no systematic monitoring or behavioral targeting), Bondi qualifies for the exception under Article 27(2)(a) GDPR and is not required to appoint an EU representative.
Note: This assessment is based on current operations as of November 2025 and may be revised as our business evolves.
EU residents may contact Bondi directly at the addresses above.
16.3 Customer Contact
Customer contact information shall be as specified in the Agreement or as updated by Customer through the Services.
ANNEX I: DETAILS OF PROCESSING
A. Nature and Purpose of Processing
Nature: Provision of cloud-based SaaS platform services, including:
- Customer workspace and project management
- Data storage, hosting, and backup
- User authentication and access management
- Business logic execution and workflow automation
- Collaboration and communication features
- Analytics for service improvement and performance monitoring
Purpose: To provide the Services as described in the Agreement, enabling Customer to use Bondi’s platform for managing business processes, workflows, and collaboration.
B. Duration of Processing
The processing will be conducted for the duration of the subscription term as specified in the Agreement, plus a post-termination period of up to thirty (30) days for data return or deletion, and up to thirty (30) additional days for backup deletion.
C. Types of Personal Data
Bondi may process the following categories of Personal Data on behalf of Customer:
- Identity Data: First name, last name, username, job title
- Contact Data: Email address, telephone number, business address
- Account Data: Account credentials, subscription details, license information
- Business Data: Company name, organization structure, role assignments
- Usage Data: Login times, feature usage, activity logs, session information
- Content Data: Files, documents, text, images, and other content uploaded by Customer
- Communication Data: Messages, comments, notifications within the platform
- Technical Data: IP addresses (anonymized for analytics), browser type, device information, cookies
- Payment Data: Billing information (processed by Stripe as Sub-processor)
Special Categories of Data: Bondi does not require or expect to process special categories of Personal Data as defined in Article 9 GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data). If Customer uploads such data, Customer acknowledges this is done in violation of the Agreement and Customer remains solely responsible for compliance with applicable laws.
D. Categories of Data Subjects
- Customer’s employees and contractors: Users who have been granted access to the Services by Customer
- Customer’s team members: Individuals within Customer’s organization using the platform
- Customer’s end users: Where Customer uses the Services to provide services to its own customers (B2B2C scenarios)
- Customer’s business contacts: Third parties whose information is entered into the Services by Customer
- Website visitors: Individuals who visit Bondi’s website (for analytics purposes only, with anonymized data)
E. Processing Operations
The Personal Data may be subject to the following processing operations:
- Collection and recording
- Organization and structuring
- Storage and hosting
- Retrieval and consultation
- Use and analysis
- Disclosure by transmission
- Alignment and combination
- Restriction and blocking
- Erasure and destruction
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
Bondi implements and maintains the following technical and organizational security measures to protect Personal Data:
A. Technical Measures
1. Encryption
Data at Rest:
- AES-256 encryption for all data stored in databases
- AWS RDS encryption for database storage
- AWS S3 server-side encryption for file storage
- Encrypted backups
Data in Transit:
- TLS 1.3 or higher for all data transmissions
- HTTPS enforced for all web interfaces
- Encrypted API connections
- Encrypted database connections
2. Access Controls
Authentication:
- Multi-factor authentication (MFA) available for all users
- MFA required for administrative access
- Strong password requirements (minimum length, complexity)
- Password storage using industry-standard hashing (bcrypt, Argon2)
- Session timeout after inactivity
Authorization:
- Role-based access control (RBAC)
- Principle of least privilege
- Granular permission management
- Workspace-level isolation
- Audit logging of all access and actions
Administrative Access:
- Restricted to authorized personnel only
- Logged and monitored
- Requires MFA and VPN access
- Time-limited access tokens
3. Network Security
- AWS Virtual Private Cloud (VPC) isolation
- Firewall protection on all network boundaries
- DDoS protection (AWS Shield)
- Intrusion detection and prevention systems
- Network segmentation and zoning
- IP whitelisting options for enterprise customers
- Security groups restricting inbound/outbound traffic
4. Application Security
Secure Development:
- Secure coding standards and guidelines
- Code reviews and pair programming
- Automated static application security testing (SAST)
- Dynamic application security testing (DAST)
- Dependency vulnerability scanning
- Security testing in CI/CD pipeline
Regular Testing:
- Annual third-party penetration testing
- Quarterly vulnerability scans
- Security audits and assessments
Input Validation:
- Server-side input validation
- Protection against SQL injection
- Cross-site scripting (XSS) prevention
- Cross-site request forgery (CSRF) protection
- API rate limiting and throttling
5. Data Segregation and Isolation
- Multi-tenant architecture with logical data separation
- Database-level tenant isolation
- Row-level security policies
- Separate storage per workspace
- No cross-customer data access
- Data backup segregation
6. Monitoring and Logging
- Centralized logging infrastructure
- Real-time security monitoring and alerting
- Audit trails for all data access and modifications
- Automated anomaly detection
- Log retention for security analysis (minimum 90 days)
7. Backup and Disaster Recovery
- Automated daily backups
- Encrypted backup storage
- Geographically redundant backup locations (within EU)
- Regular backup restoration testing
- Business continuity and disaster recovery plans
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined
B. Organizational Measures
1. Policies and Procedures
Information Security Policy:
- Comprehensive security policy framework
- Regular policy reviews and updates
- Board-level security oversight
- Security governance structure
Standard Operating Procedures:
- Incident response plan
- Vulnerability management procedures
- Change management process
- Access management procedures
- Data retention and deletion policy
- Business continuity plan
2. Personnel Security
Hiring:
- Background checks for employees with access to Personal Data (where legally permitted)
- Reference verification
- Security and privacy awareness evaluation
Confidentiality:
- All employees sign confidentiality agreements
- GDPR and data protection training
- Role-specific security training
- Annual security awareness refresher training
Access Management:
- Access provisioned based on job role (need-to-know basis)
- Regular access reviews and recertification
- Immediate access revocation upon termination
- Offboarding procedures to ensure data protection
3. Vendor and Sub-Processor Management
Due Diligence:
- Security and privacy assessments of all Sub-processors
- Review of Sub-processor certifications (SOC 2, ISO 27001, etc.)
- Contractual data protection obligations
- Regular vendor security reviews
Sub-Processor Oversight:
- Monitoring of Sub-processor performance
- Incident notification requirements
- Right to audit Sub-processors
- Annual Sub-processor risk assessments
4. Compliance and Audits
Security Assessments:
- Working towards SOC 2 Type II certification
- Working towards ISO 27001 certification
- Regular penetration testing reports
- Vulnerability assessment reports
Internal Audits:
- Quarterly internal security audits
- Annual comprehensive security review
- Compliance monitoring and reporting
- Management review of security posture
External Audits:
- Third-party security assessments
- Independent penetration testing
- Compliance audits as required by customers
- Regulatory audits as applicable
5. Incident Response
Incident Management:
- 24/7 security monitoring
- Defined incident classification and escalation procedures
- Incident response team with clear roles and responsibilities
- Post-incident analysis and remediation
- Customer notification within 72 hours of confirmed breach
- Coordination with law enforcement and regulators as required
6. Physical Security
Data Center Security (AWS): Bondi leverages AWS data centers, which maintain:
- 24/7 physical security monitoring
- Biometric access controls
- Video surveillance
- Environmental controls (fire suppression, climate control)
- Physical access logging
- ISO 27001 and SOC 2 certified facilities
Office Security:
- Secure office premises with access controls
- Visitor management and logging
- Clean desk and clear screen policies
- Secure disposal of physical documents (shredding)
- Device encryption for all laptops and mobile devices
ANNEX III: LIST OF SUB-PROCESSORS
Bondi engages the following Sub-processors to process Personal Data on behalf of Customer:
| Sub-Processor | Service Provided | Location | Purpose | Safeguards |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | EU (Frankfurt/Ireland) | Hosting, data storage, database, backups | SCCs, EU Data Residency, ISO 27001, SOC 2 |
| Google LLC | Analytics | USA | Website analytics only (anonymized, IP-truncated, no profiling or cross-site tracking) | SCCs, IP anonymization, Privacy-enhanced configuration |
| Mixpanel Inc | Product analytics | USA | Optional product usage analytics (privacy-enhanced, anonymized, customer-controlled) | SCCs, Privacy settings, Opt-out mechanism |
| Stripe Inc | Payment processing | USA | Subscription billing, payment processing | SCCs, PCI-DSS Level 1, SOC 2, ISO 27001 |
| Mailgun Technologies Inc | Email delivery | USA | Transactional emails, notifications | SCCs, DPA, SOC 2, EU data routing options |
Note on Analytics Sub-Processors: Google Analytics and Mixpanel are used solely for operational analytics and service improvement purposes. All analytics data is anonymized (IP addresses truncated), and no behavioral profiling, remarketing, or cross-site tracking is performed on EU data subjects. These tools are configured with privacy-enhanced settings in compliance with GDPR Article 27(2)(a) (occasional processing exception). This assessment is based on current operations as of November 2025 and may be revised as our business evolves.
Sub-Processor Update Mechanism
Notification Process:
- Customers will be notified at least thirty (30) days in advance of any new Sub-processor additions
- Notification will be sent via email to the primary account holder’s registered email address
- Current Sub-processor list will be maintained and accessible at: https://heybondi.com/legal/subprocessors (or via the Services)
Customer Objection Rights:
- Customer may object to a new Sub-processor within fifteen (15) days of notification
- Objections must be based on reasonable data protection grounds
- If objection cannot be resolved, Customer may terminate the affected Services
Sub-Processor Changes:
- Bondi may replace existing Sub-processors with equivalent service providers
- Replacement Sub-processors will meet or exceed the data protection standards of the replaced Sub-processor
- Customers will be notified of replacements in advance
Sub-Processor Security Requirements
All Sub-processors are required to:
- Enter into written data processing agreements with data protection terms equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only as instructed by Bondi
- Maintain confidentiality of Personal Data
- Assist with Data Subject rights requests
- Notify Bondi of any Security Incidents
- Delete or return Personal Data upon termination
- Submit to audits and inspections as required
END OF DATA PROCESSING AGREEMENT
This DPA is effective as of the date of acceptance of the Terms of Service and supplements the Terms of Service between Bondi and Customer.