Legal
Data Processing Agreement
Effective date: April 24, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kabinary LLC ("Processor", "we") and the customer ("Controller", "you") whenever we process personal data on your behalf as part of the Boundrify Services.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined by the GDPR (EU 2016/679).
- Data Protection Laws — GDPR, UK GDPR, the French Loi Informatique et Libertés, the CCPA, and any other applicable privacy law.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor — any third party we engage to process Personal Data on your behalf.
- Data Subject — the individual to whom the Personal Data relates.
2. Scope and purpose
This DPA applies to all Processing of Personal Data carried out by us on your behalf while delivering the Services. The subject matter, duration, nature, and purpose of Processing, the categories of Data Subjects, and the types of Personal Data are described in Annex 1 below.
3. Our obligations
- Process Personal Data only on your documented instructions and in accordance with Data Protection Laws.
- Ensure that anyone we authorize to process Personal Data is bound by confidentiality.
- Implement the technical and organizational security measures listed in Annex 2.
- Only engage Sub-processors with your prior general authorization (see Section 6) and flow down equivalent obligations to them.
- Assist you in responding to Data Subject requests and in meeting your obligations under Data Protection Laws.
- Delete or return all Personal Data upon termination of the Services, at your choice, within 30 days.
- Make available all information necessary to demonstrate compliance with this DPA.
4. Your obligations
- Ensure you have a lawful basis for the Personal Data you upload into the Services (for example, you must have a lawful basis for the client contact data you enter).
- Provide clear and documented instructions for Processing.
- Inform the Data Subjects concerned, as required by applicable law.
- Comply with your own obligations under Data Protection Laws.
5. Security measures
We implement and maintain:
- Encryption in transit — HTTPS enforced by HSTS (TLS 1.2+) on every endpoint.
- Encryption at rest — provided by our hosting provider at the storage-volume level.
- Password storage — PBKDF2-SHA256 with 100,000 iterations (ASP.NET Identity default); plaintext passwords are never stored.
- Access control — principle of least privilege, role-based access, and optional two-factor authentication for all accounts.
- Rate limiting and anti-abuse — IP-based throttling on authentication endpoints (10 req/min), Idempotency-Key protection on critical write endpoints.
- Device trust — 2FA "remember device" tokens stored only as SHA-256 hashes; plaintext never returned to the server after issuance.
- Logging and monitoring — security events, failed sign-ins, and application errors are centrally logged.
- Backup and recovery — daily database backups with 7 daily / 4 weekly / 6 monthly retention (GFS rotation).
- Secure software development — automated dependency update monitoring (GitHub Dependabot), centralized error reporting, and pre-merge self-review.
6. Sub-processors
You grant us general authorization to engage the Sub-processors listed below. We will notify you of any intended change to this list at least 30 days in advance, giving you a chance to object on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostinger International Ltd. | Application and database hosting | European Union |
| Stripe, Inc. | Payment processing | United States (EU-U.S. DPF certified) |
| Resend Inc. | Transactional email delivery | United States (EU-U.S. DPF certified) |
| Functional Software, Inc. (Sentry) | Frontend crash and error reporting | European Union (Germany) |
| Google LLC (OAuth) | Optional "Sign in with Google" | United States (EU-U.S. DPF certified) |
| LinkedIn Corporation (OAuth) | Optional "Sign in with LinkedIn" | United States (EU-U.S. DPF certified) |
| Google LLC (reCAPTCHA) | Anti-bot protection on public forms | United States (EU-U.S. DPF certified) |
| ip-api.com (Tria Consulting) | IP-to-city lookup for security alerts | Germany |
7. International transfers
Where Personal Data is transferred outside the European Economic Area, the UK, or Switzerland, we rely on:
- The EU-U.S. Data Privacy Framework where the Sub-processor is certified, or
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), as incorporated into the Sub-processor contracts, or
- Any additional supplementary measure required by applicable law (for example, encryption before transfer).
8. Personal data breach
In the event of a confirmed Personal Data breach affecting your data, we will:
- Notify you without undue delay and in any case within 72 hours of becoming aware of the breach.
- Provide the information you need to notify your supervisory authority and Data Subjects (nature of the breach, data and records affected, likely consequences, measures taken).
- Take reasonable steps to mitigate the effects of the breach.
- Cooperate with you and provide further assistance as reasonably required.
9. Data Subject rights
We will assist you in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. If we receive a request directly from a Data Subject, we will promptly inform you and will not respond without your instruction, unless required to do so by law.
10. Audits
On reasonable advance written notice, and during business hours, you may request information necessary to demonstrate our compliance with this DPA, or engage an independent auditor bound by confidentiality to conduct an audit. Audits must not unreasonably disrupt our operations.
11. Term and return / deletion of data
This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination of the Services, at your choice, we will delete or return all Personal Data within 30 days, subject to retention required by applicable law.
Annex 1 — Details of Processing
Categories of Data Subjects
- The Controller's users (freelancers, consultants, agency team members).
- The Controller's own clients, contacts, and projects (to the extent data is entered into the Services).
Categories of Personal Data
- Identification data (name, email, profile picture).
- Business data (company, role, country, currency).
- Project data (tasks, contracts, milestones, invoices, time entries).
- Financial data (invoice amounts, payment status — card details stay at Stripe).
- Technical data (IP address, browser, approximate location, logs).
Nature and purpose
We process the above data to provide the Boundrify Services — project and client management, contract and scope tracking, billing, reminders, reporting — and to secure and improve the Services.
Duration
Processing lasts for the duration of the agreement, plus any retention period required by law (typically 10 years for invoicing data under French/EU accounting law).
Annex 2 — Security measures summary
- HTTPS enforced by HSTS (TLS 1.2+); at-rest encryption provided by the hosting provider.
- PBKDF2-SHA256 password hashing (100,000 iterations), optional 2FA.
- SHA-256 hashing of 2FA trusted-device tokens; plaintext never retained server-side.
- Role-based access, least privilege, audit trail.
- IP rate limiting on authentication (10 req/min) and public forms (5 req/min).
- Idempotency keys on sensitive write operations (invoices, proposals, projects, time entries, waiting list).
- Daily backups with GFS retention (7d / 4w / 6m).
- Isolated Docker containers running as non-root (backend uid 1654, frontend uid 1000).
- Automated dependency update monitoring (GitHub Dependabot, weekly).
Contact
Questions about this DPA: [email protected].