Effective date: 3/28/2026
This Data Processing Agreement (“DPA”) is entered into between:
Together referred to as the “Parties.”
This DPA supplements and forms part of the agreement between the Parties for the provision of the Bomdiu B2B platform for the food & beverage industry, as governed by the Terms of Service (the “Agreement”). In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
Terms not defined herein shall have the meaning given to them in the Agreement or in Regulation (EU) 2016/679 (“GDPR”).
The Processor processes Personal Data on behalf of the Controller to provide the Bomdiu B2B platform for the food & beverage industry, including ordering, catalog management, data synchronization, business intelligence, and AI-assisted document processing.
Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 11 of this DPA shall apply.
The Processor processes Personal Data for the following purposes:
The Controller shall:
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification.
The Parties agree that the Agreement (including this DPA) and the Controller’s use of the Service constitute the Controller’s complete and final documented instructions to the Processor. Any additional or alternative instructions must be agreed upon separately in writing.
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
The Processor shall regularly review and update these measures to reflect changes in technology, threats, and the nature of the data processed.
The Processor shall, taking into account the nature of processing and the information available to the Processor, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligations to respond to data subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection).
The Processor shall also assist the Controller in ensuring compliance with:
Where such assistance requires significant effort beyond the standard operation of the Service, the Processor may charge a reasonable fee based on the Processor’s actual costs.
The Controller hereby grants the Processor general written authorization to engage Sub-processors to carry out specific processing activities on behalf of the Controller. The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
The Processor’s current Sub-processors as of the date of this DPA are listed in Annex B. An up-to-date list is also maintained in the Privacy Policy.
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days before the new Sub-processor begins processing Personal Data, thereby giving the Controller the opportunity to object to such changes.
If the Controller has a reasonable, documented objection to a new Sub-processor based on data protection grounds, the Controller shall notify the Processor in writing within fifteen (15) days of receiving the Processor’s notification. The Parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution.
If no resolution can be reached within thirty (30) days of the Controller’s objection, the Controller may terminate the Agreement (or the affected portion of the Service) by providing written notice, without penalty. The Processor shall refund any prepaid fees for the unused portion of the subscription period following the effective date of termination.
The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations under this DPA.
The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place as required by Chapter V of the GDPR.
Where transfers outside the EEA are necessary, the Processor relies on one or more of the following mechanisms:
The Processor conducts Transfer Impact Assessments for data transfers to third countries and shall make summaries available to the Controller upon reasonable request.
The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
The notification shall include, to the extent known at the time:
If it is not possible to provide all information at the same time, the Processor shall provide information in phases without undue further delay.
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall not inform any third party of a Data Breach without first consulting with the Controller, unless required by law.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
Audits shall be subject to the following conditions:
The Processor may satisfy audit requests by providing the Controller with relevant third-party audit reports, certifications (e.g., SOC 2, ISO 27001), or other evidence of compliance, provided that such evidence reasonably addresses the Controller’s audit objectives.
The Processor uses artificial intelligence and machine learning technologies as part of the Service to assist with extracting, organizing, and processing business data from documents such as invoices, orders, and catalogs.
Personal Data processed through AI features may be transmitted to the following AI Sub-processors (also listed in Annex B):
Only the data strictly necessary to provide the relevant AI feature is transmitted to AI Sub-processors.
Personal Data processed through AI features is used solely for inference and is not used to train AI models. The Processor ensures that its AI Sub-processors are contractually prohibited from retaining or using Personal Data for model training purposes.
AI-generated outputs are presented for human review and confirmation before any action is taken. No automated decisions with legal or similarly significant effects are made solely by AI without human review.
The Processor does not engage in automated individual decision-making or profiling that produces legal effects concerning data subjects or similarly significantly affects them, as defined in Article 22 GDPR. If this changes, the Processor will notify the Controller and update this DPA accordingly.
Upon termination or expiry of the Agreement, the Controller shall have a period of ninety (90) days (“Retrieval Window”) to export its Personal Data from the Service. The Processor shall make data available for export in a structured, commonly used, and machine-readable format (e.g., CSV or JSON via the platform’s export features or API).
After the Retrieval Window, the Processor shall delete or anonymize all Personal Data processed on behalf of the Controller, unless retention is required by EU or Member State law. The Processor shall confirm deletion in writing upon the Controller’s request.
Personal Data may persist in encrypted backups for a maximum of thirty (30) days following deletion from production systems, in accordance with the Processor’s backup rotation schedule. Backup data is not actively processed and is only restored in disaster recovery scenarios.
The Processor may retain limited Personal Data where required to comply with legal obligations (e.g., tax records under Greek Law 4987/2022, Art. 36: 5 years, extendable to 10 years for pending audits), resolve disputes, or enforce the Agreement. Where feasible, such retained data will be isolated and access-restricted.
The Parties’ liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except to the extent that Applicable Data Protection Law requires otherwise.
This DPA shall take effect on the date the Controller accepts the Agreement and shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller.
This DPA may be amended by the Processor to reflect changes in Applicable Data Protection Law or supervisory authority guidance. Material amendments shall be notified to the Controller at least thirty (30) days in advance. The Controller’s continued use of the Service after the amendment takes effect constitutes acceptance. If the Controller does not agree to the amendment, it may terminate the Agreement in accordance with Section 17 of the Terms of Service.
This DPA shall be governed by the laws of the Hellenic Republic (Greece) and subject to the exclusive jurisdiction of the Courts of Thessaloniki, consistent with the Agreement.
| Element | Description |
|---|---|
| Subject matter | Processing of Personal Data to provide the Bomdiu B2B platform for the food & beverage industry |
| Duration | Duration of the Agreement plus post-termination retention periods as described in Section 11 |
| Nature of processing | Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, destruction |
| Purpose | Platform hosting, order facilitation, data synchronization, AI-assisted document processing, analytics, transactional communications, customer support |
| Types of Personal Data | Contact details (name, email, phone, address), employee information (name, job title), order/transaction data, chat messages, technical identifiers (IP address, hashed credentials) |
| Categories of data subjects | Employees and contractors of Controller, contact persons of Controller’s customers/suppliers, delivery/logistics personnel |
The following Sub-processors are authorized as of the publication date of this DPA:
| Sub-processor | Service | Data Processed | Data Location | Transfer Mechanism |
|---|---|---|---|---|
| Cloudflare | CDN, database (D1), hosting (Workers/Pages), web analytics, AI inference (Workers AI) | Technical data, account data, operational data | EU (primary), US | EU-US DPF; SCCs |
| PlanetScale | Database hosting | Account data, operational data | EU | SCCs |
| UpCloud | Infrastructure hosting | Account data, operational data | EU | N/A (EEA only) |
| Fly.io | Hosting of services | Account data, operational data | EU | N/A (EEA only) |
| Resend | Transactional email delivery | Contact details (name, email), notification content | US | EU-US DPF; SCCs |
| PostHog | Product analytics, session replay (EU Cloud) | Usage analytics events, session replay data (including on-screen content and interaction data, which may include personal data depending on what is displayed), internal organization/customer identifiers | EU | N/A (EEA only) |
| Google (Vertex AI) | AI inference (document processing) | Document content (invoices, orders, catalogs) which may contain contact details | EU region | SCCs; Google DPA |
| Better Auth | Authentication infrastructure (dashboard, abuse protection, audit logging) | Account data, authentication events, security events (IP addresses, browser fingerprints, login locations), email addresses | US | SCCs |
Note: Umami analytics is self-hosted on Bomdiu’s own infrastructure and is not a Sub-processor.
For questions regarding this DPA, please contact:
Bomdiu SINGLE MEMBER PC
GEMI: 190310106000
VAT: EL803131996
Geor. Gennimata 21
555 35 Thessaloniki
Greece
Phone: +30 231 176 8265
Email: privacy@bomdiu.com
Website: https://bomdiu.com