Data Processing Addendum
Update Date: 9-23-2025
This page forms the Provider-Specific Cover Page for the Bonterms OneDPA (the "OneDPA"). It incorporates the OneDPA Standard Terms by reference and sets Provider-specific details.
Standard Terms: https://www.bonterms.com/onedpa/standard
These Provider-Specific terms together with the OneDPA form the full DPA between Board Box Inc ("Provider") and each Customer when referenced by an Order or the Terms.
Parties and Roles
Provider: Board Box Inc, a Delaware corporation.
Provider Role: Processor/service provider for Customer Personal Data; controller for Service Metadata where applicable.
Customer: As identified in the applicable Order. Customer is the controller (or processor on behalf of its controller) of Customer Personal Data.
Subject Matter and Duration
Subject Matter: Processing Customer Personal Data to provide the Service, including hosting, storage, support, and security.
Duration: For the term of the Agreement and as required to wind down the relationship (for example, limited backup retention), unless a longer period is required by law.
Nature and Purpose of Processing
Hosting and storage, transmission, display, and other processing necessary to provide and improve the Service; account administration; support; security and incident response; and other activities described in the Agreement.
Categories of Data Subjects
Customer personnel and end users; community association managers and staff; homeowners and residents whose data is processed by Customer through the Service; vendors and service providers to the HOA.
Categories of Personal Data
Name, contact details (email, phone), account identifiers, device/usage data, communications and uploads, property/unit details, and other data that Customer chooses to submit. Customer should avoid uploading special categories unless strictly necessary and permitted by law.
Special Categories and Sensitive Data
Not intended. If processed, only at Customer’s direction and subject to additional safeguards.
International Transfers and SCCs
Where the OneDPA requires EU Standard Contractual Clauses, the 2021 SCCs apply. Module 2 (Controller to Processor) and Module 3 (Processor to Sub-processor) are selected as applicable. The governing law for the SCCs will follow the OneDPA defaults unless the parties agree otherwise.
Subprocessors
Provider may use subprocessors to support the Service. Current subprocessors are listed at /legal/subprocessors. Customer may subscribe to updates by emailing privacy@boardbox.ai.
Security Measures
The measures at /legal/security are incorporated.
Deletion and Return
At termination or upon written request, Provider will delete or return Customer Personal Data as described in the OneDPA, subject to permitted retention (for example, backups).
CPRA Service Provider Terms
Provider is a "service provider" under the CPRA. Provider does not sell or share Personal Information as defined by the CPRA and will not retain, use, or disclose Personal Information outside the direct business relationship except as permitted by the OneDPA.
Contacts for Data Subject Requests
privacy@boardbox.ai (primary)
legal@boardbox.ai (back-up)
Bonterms OneDPA referenced above can be downloaded following the link below.