This agreement is concluded between the customer as controller (“Controller”) and Julia Kalder, Bold Bloom, c/o Autorenglück #80461, Albert-Einstein-Str. 47, 02977 Hoyerswerda, Germany, as processor (“Processor”).
The Processor provides cloud-based coaching and organisational development services. This agreement is effective for the duration of the main service agreement. Upon termination, the deletion and return provisions in section 10 apply.
Processing is limited to providing, maintaining, and improving the Bold Bloom platform (user accounts, team and client records, notes, files, scheduling and mood surveys), delivering support, billing, and ensuring platform security.
Data may include: identification and contact details (name, email, roles), team and client data, coaching notes, survey and feedback responses, uploaded files, calendar tokens, log data, and billing information. Data subjects include users, their team members, coachees, employees, and any individuals recorded by the Controller on the platform.
The Controller remains responsible for the lawfulness of processing, providing required notices to data subjects, and selecting appropriate legal bases. Instructions must be issued in written or text form and will be documented by the Processor.
The Processor acts only on documented instructions, ensures the confidentiality of authorised personnel, maintains the technical and organisational measures in section 6, supports the Controller in fulfilling data subject rights, keeps records of processing activities, reports personal data breaches without undue delay under section 11, and provides evidence and enables audits in line with section 9.
Measures include at minimum: encryption in transit and at rest; application-layer field-level encryption of special category data under Art. 9 GDPR (coaching notes, session notes, feedback free-text fields, and persisted mood-check content including response payloads) so that a database dump exposes ciphertext only; role- and permission-based access controls; logging of access and administrative events; hardened and regularly patched infrastructure; separation of test and production; backup and restore with periodic testing; data deletion and blocking routines; multi-factor authentication for administrative access; regular security awareness training.
The processing of special categories of personal data has been subjected to a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR. The DPIA is reviewed on a regular cadence and made available to the Controller on request.
The Controller grants a general authorisation for subprocessors provided they are bound by Art. 28 GDPR terms. Current subprocessors are: (a) EU-based cloud/hosting provider for infrastructure and databases; (b) Stripe Payments Europe Ltd. for billing and PayPal (Europe) S.à r.l. et Cie, S.C.A. as an alternative payment provider (transfers to the USA rely on EU Standard Contractual Clauses); (c) Google LLC for OAuth/calendar integrations (SCC); (d) email delivery service (Postmark/Wildbit LLC or Amazon Web Services, Inc., depending on configuration, each under SCC); (e) Slack Technologies LLC and Microsoft Corporation (Microsoft Teams) for optional outbound webhook notifications (SCC); (f) Functional Software, Inc. (Sentry) for error tracking and Better Stack (Logtail) for log aggregation, each with PII scrubbing enabled (SCC); (g) ip-api.com (Kloudend Ltd., UK) for consent-gated GeoIP enrichment; (h) optional when the AI Session Proposal feature (BYOK) is enabled: OpenAI, L.L.C., Anthropic, PBC, and Google LLC (Gemini API) (SCC; transmission of Art. 9 coaching content only after explicit consent under Art. 9(2)(a) GDPR). Material changes will be notified and may be objected to for justified reasons.
In line with Art. 30(2) GDPR the Processor maintains a Record of Processing Activities (ROPA) that lists the subprocessors above together with the processing purposes, data categories, and retention periods. The ROPA is made available to the Controller on request.
In addition the Processor maintains an internal Sub-Processor DPA Register under Art. 28(3) GDPR recording, for each sub-processor, the vendor's standard DPA URL, the DPA acceptance date, the DPA version, the internal contract owner, and the next review date. The register is reviewed at least annually and is made available to the Controller on a justified request.
The Processor assists the Controller, through appropriate technical and organisational means, in responding to requests for access, rectification, erasure, restriction, data portability, or objection where feasible.
Upon request the Processor provides reasonable evidence (e.g., policy summaries, logs, extracts from audit or penetration test reports). Audits may be performed with prior notice during normal business hours, respecting confidentiality, trade secrets, and security requirements.
After termination of services, personal data will be deleted or returned as instructed unless statutory retention duties apply. Where technically feasible, backups are deleted after regular rotation periods; production account data is removed no later than 30 days after contract end.
The Processor notifies the Controller without undue delay of any personal data breach, including details required for assessment and mitigation.
Liability follows the main agreement. Otherwise, the statutory rules for data processing on behalf of a controller apply. German law governs; venue, where permitted, is Düsseldorf. Amendments to this agreement require text form.
Contact for data protection matters: info@bold-bloom.com
Version: 2026-05-20