BoundBot

Data Processing Agreement

Last updated on March 20, 2026.

This Data Processing Agreement ("DPA") forms part of the agreement between BoundBot, Inc. ("Processor") and the customer ("Controller") who uses the BoundBot platform (the "Services"). This DPA governs the processing of personal data by BoundBot on behalf of the Controller in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Services.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.

2. Scope and Purpose of Processing

2.1 Categories of Data Subjects

  • End users who communicate with the Controller's bots via messaging channels
  • The Controller's team members and employees
  • Leads and customers captured through the Services

2.2 Types of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Conversation content (messages, attachments)
  • Channel-specific identifiers (sender IDs, profile pictures)
  • Lead and order data (names, addresses, order details)
  • Knowledge base content that may contain personal data

2.3 Purpose of Processing

Personal Data is processed solely to provide the Services, including:

  • Routing and storing messages across connected channels
  • Generating AI-powered responses using Google Vertex AI
  • Creating and managing vector embeddings for semantic search
  • Executing automated workflows
  • Managing leads, orders, and customer interactions

3. Obligations of the Processor

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by law.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor implements the following technical and organizational measures (GDPR Article 32):

  • HTTPS/TLS encryption for all data in transit
  • AES-256-GCM encryption for sensitive credentials at rest
  • Tenant-level data isolation with row-level security (RLS)
  • Role-based access control (RBAC) for workspace members
  • JWT-based authentication with Supabase Auth
  • Automated data retention and cleanup policies
  • Regular security monitoring and logging
  • Secure backup procedures

3.4 Subprocessors

The Controller authorizes the Processor to engage the Subprocessors listed on our Subprocessors page. The Processor shall:

  • Maintain a current list of Subprocessors on the Subprocessors page
  • Notify the Controller of any intended changes to Subprocessors by updating the list at least 30 days before the change takes effect
  • Ensure that each Subprocessor is bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts of its Subprocessors

3.5 Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, objection). The Processor provides self-service tools for data export and account deletion.

3.6 Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Where practicable, the Processor's initial notice will be sent within 72 hours of confirmation. The notification shall include:

  • The nature of the breach, including categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact details for the Processor's privacy team

4. International Data Transfers

The Processor may transfer Personal Data outside the EEA to the United States or other countries where its Subprocessors operate. Such transfers are protected by:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • The EU-U.S. Data Privacy Framework, where applicable
  • Additional safeguards as required by applicable law

5. Data Retention and Deletion

Upon termination of the agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires retention. Specifically:

  • Workspace data is soft-deleted with a 30-day recovery window, after which it is permanently purged
  • Message history and conversation data are retained according to the Controller's subscription tier and then automatically deleted or trimmed from active product views
  • Webhook event logs are automatically deleted after 30 days
  • Data required for legal compliance (billing records) may be retained as required by law

6. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

7. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the underlying agreement between the parties.

8. Term

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. The obligations in this DPA shall survive termination to the extent necessary to complete the deletion or return of Personal Data.

9. Contact

For questions about this DPA or to request a signed copy, contact us at:

BoundBot, Inc.
Email: privacy@boundbot.com