Last Updated: February 4, 2026
This page forms the Provider-Specific Cover Page (and "DPA Setup Page") for the Bonterms OneDPA (the "OneDPA"). It incorporates the OneDPA Standard Terms by reference and sets Provider-specific details.
OneDPA Standard Terms: https://www.bonterms.com/onedpa/standard
These Provider-Specific terms together with the OneDPA Standard Terms form the full data processing addendum ("DPA") between Board Box Inc ("Provider") and each Customer when referenced by an Order or the Terms.
Unless otherwise specified in an Order or written amendment, the DPA Effective Date is the effective date of the Agreement between Customer and Provider.
Provider: Board Box Inc, a Delaware corporation.
Provider role: Processor/service provider for Customer Personal Data; controller for Service Metadata where applicable.
Customer: As identified in the applicable Order. Customer is the controller (or processor on behalf of its controller) of Customer Personal Data.
Subject matter: Processing Customer Personal Data to provide the Service, including hosting, storage, support, and security.
Duration: For the term of the Agreement and as required to wind down the relationship (for example, limited backup retention), unless a longer period is required by law.
Hosting and storage, transmission, display, and other processing necessary to provide the Service; account administration; customer support; security and incident response; and other activities described in the Agreement.
If Customer enables AI-assisted features, processing may include transmitting relevant portions of Customer Personal Data (for example, document excerpts and user prompts) to approved subprocessors solely to provide those features and return results to Customer.
Customer personnel and end users; community association managers and staff; homeowners and residents whose data is processed by Customer through the Service; vendors and service providers to the HOA/COA/community association.
Name, contact details (email, phone), account identifiers, device/usage data, communications and uploads, property/unit details, and other data that Customer chooses to submit.
Not intended. Customer should not upload special categories of data or other Sensitive Data unless strictly necessary, permitted by law, and expressly authorized under the Agreement (for example, in an Order or written amendment), and then only at Customer's direction and subject to appropriate safeguards.
Where the OneDPA requires EU Standard Contractual Clauses, the 2021 SCCs apply as set forth in the OneDPA (including the applicable modules for controller-to-processor and processor-to-subprocessor transfers). The governing law for the SCCs will follow the OneDPA defaults unless the parties agree otherwise in writing.
Provider may use subprocessors to support the Service. A current list of subprocessors is available upon request as described at /subprocessors. Customer may subscribe to subprocessor updates by emailing privacy@boardbox.ai with the subject line: "Subscribe to subprocessor updates."
The technical and organizational measures at /security are incorporated by reference.
At termination or upon written request, Provider will delete or return Customer Personal Data as described in the OneDPA, subject to permitted retention (for example, backups) and legal requirements.
Provider is a "service provider" under the CPRA. Provider does not sell or share Personal Information as defined by the CPRA and will not retain, use, or disclose Personal Information outside the direct business relationship except as permitted by the OneDPA.
privacy@boardbox.ai (primary)
legal@boardbox.ai (backup)
Version 1.0 - Bonterms Data Protection Addendum