1. Subject-matter, duration, nature & purpose (Annex 1)
Subject matter: provision of the Boundless services described in your Order Forms. Duration: term of the MSA. Nature: collection, storage, transmission, deletion of personal data needed to deliver telecoms services. Purpose: service delivery, fault diagnosis, lawful regulatory reporting.
2. Categories of data subject and personal data
Data subjects: your end users, employees and contractors. Personal data: identifiers, contact data, communications metadata (CDRs), authentication data. We do not handle special-category data unless you specifically instruct us in writing.
3. Processor obligations (Art. 28(3))
- Process only on documented instructions from you.
- Ensure persons with access are bound by confidentiality.
- Implement Art. 32 security measures - see Annex 3.
- Engage sub-processors only with general written authorisation (Annex 2). 30-day notice of changes; right to object.
- Assist you with Arts. 32–36 and with data-subject requests.
- On end of services: return or delete personal data at your choice.
- Make available all information necessary to demonstrate compliance, and allow audits.

4. Personal data breach
We notify you of a personal-data breach without undue delay and, in any event, within 24 hours of becoming aware - well inside the 72-hour controller obligation. Notification includes the Art. 33(3) particulars to the extent known.
5. International transfers
Where any sub-processor is outside the UK or EEA, we use the UK IDTA + EU SCC Addendum (or an equivalent transfer tool) and document a transfer risk assessment.
Annex 2 - Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Carrier core partner (UK + EEA only) | Connectivity | UK / EEA |
| Stripe Payments UK Ltd | Payment processing | UK + US (under SCCs) |
| Lovable Cloud (Supabase EU) | Application data and audit storage | EU |
| Cloudflare Workers EU | Edge compute | EU |
Annex 3 - Technical & organisational measures (Art. 32)
- Encryption: TLS 1.3 in transit; AES-256 at rest.
- Access control: SSO + MFA mandatory; least-privilege; quarterly access reviews.
- Logging: every regulator-relevant event signed and replayable (Abel Layer 23).
- Resilience: active-active across UK + EEA; tested BCP per BCP.
- Vendor management: ISO 27001 / SOC 2 evidence required of every sub-processor.
Counter-signature
This DPA is automatically incorporated into your MSA. A counter-signed copy is provided on request - email legal@boundless.tel.
Version history
| Version | Date | Change |
|---|---|---|
| v1.0 | 22 April 2026 | Initial publication. |
This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.