Data Processing Agreement
Last updated June 15, 2026
Version: 1.0
Effective Date: June 15, 2026
Last Updated: June 15, 2026
Processor: Bondify (bondify.dev)
Applicable Law: GDPR (EU) 2016/679 · UK GDPR · Swiss FADP
BACKGROUND AND INCORPORATION
(A) The Customer (as defined in the Bondify Terms of Service, the "Agreement") has entered into the Agreement with Bondify for the provision of developer authentication infrastructure Services.
(B) In connection with the provision of those Services, Bondify processes personal data of the Customer's end users on behalf of, and under the instructions of, the Customer.
(C) Article 28(3) of Regulation (EU) 2016/679 ("GDPR") requires that such processing be governed by a binding written contract. This Data Processing Agreement ("DPA") constitutes that contract and is incorporated into, and forms part of, the Agreement.
(D) In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail.
1. DEFINITIONS
1.1 In this DPA, the following terms have the meanings set forth below. Capitalized terms not defined herein have the meanings ascribed to them in the Agreement.
"Applicable Data Protection Laws" means all applicable laws and regulations concerning the protection of personal data, including without limitation: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); (ii) the UK GDPR as defined in s.3 of the UK Data Protection Act 2018 ("UK GDPR"); (iii) the Swiss Federal Act on Data Protection (revised FADP, in force 1 September 2023); and (iv) any applicable implementing legislation, guidance, and binding decisions of competent supervisory authorities, each as amended or replaced from time to time.
"Controller" means the Customer, the entity that determines the purposes and means of processing Customer Personal Data in connection with its use of the Services.
"Customer Personal Data" means Personal Data processed by Bondify as Processor on behalf of the Controller in connection with the provision of the Services, as further described in Schedule 1.
"Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates. In the context of the Services, Data Subjects are End Users of the Customer's application.
"End User" means a natural person who authenticates with the Customer's application via the Bondify Services using a Supported Messenger Account.
"Personal Data" has the meaning given in Article 4(1) of the EU GDPR (any information relating to an identified or identifiable natural person).
"Processing" has the meaning given in Article 4(2) of the EU GDPR, and "process", "processes", and "processed" shall be construed accordingly.
"Processor" means Bondify, acting as the entity that processes Customer Personal Data on behalf of and under the instructions of the Controller.
"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Customer Personal Data transmitted, stored, or otherwise processed by Bondify in connection with the Services.
"Services" means the API, SDK, Dashboard, and related authentication infrastructure provided by Bondify as described in the Agreement.
"Standard Contractual Clauses (SCCs)" means Module Two (Controller-to-Processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced by the European Commission.
"Sub-processor" means any third party engaged by Bondify to process Customer Personal Data on behalf of the Controller.
"Supervisory Authority" means the competent data protection supervisory authority in the relevant Member State (or, in the UK, the Information Commissioner's Office).
"Supported Messenger" means Telegram, and any other messaging platform subsequently supported by the Services and notified by Bondify to the Controller.
2. ROLES OF THE PARTIES
2.1 The parties acknowledge that, for purposes of this DPA and the Applicable Data Protection Laws:
(a) The Customer acts as the Data Controller with respect to Customer Personal Data.
(b) Bondify acts as the Data Processor with respect to Customer Personal Data, processing such data only on behalf of and under the documented instructions of the Controller.
(c) Bondify acts as an independent Data Controller with respect to Developer account data (email addresses, billing records, and Dashboard usage data), which is governed by the Bondify Privacy Policy and is not subject to this DPA.
2.2 The Controller warrants that: (a) it has a lawful basis under Applicable Data Protection Laws for processing Customer Personal Data and for instructing Bondify to process it; (b) it has provided End Users with appropriate notice and, where required, obtained their consent; and (c) its instructions to Bondify will not cause Bondify to violate Applicable Data Protection Laws.
3. NATURE AND PURPOSE OF PROCESSING
3.1 The subject matter, nature, and purpose of the processing carried out by Bondify under this DPA are as set out in Schedule 1 and summarised below.
| Attribute | Details |
|---|---|
| Subject matter | Messenger-based authentication of End Users on behalf of the Controller |
| Nature of processing | Collection, storage, structuring, retrieval, transmission, erasure, and expiry of session and identity data |
| Purpose | To authenticate End Users of the Customer's application via a Supported Messenger and to deliver confirmed identity attributes to the Controller via webhook or API |
| Duration | For the term of the Agreement; processing of individual session data ceases automatically upon session expiry, completion, or cancellation (maximum 10-minute pending window) |
| Data Subjects | End Users of the Customer's application who initiate an authentication flow via a Supported Messenger |
3.2 Bondify processes Customer Personal Data solely: (a) to perform the Services as described in the Agreement and this DPA; (b) on the documented instructions of the Controller; and (c) as required by Applicable Data Protection Laws to which Bondify is subject, in which case Bondify shall notify the Controller before such processing unless prohibited by law.
3.3 Bondify shall not: (a) process Customer Personal Data for its own commercial purposes, including profiling, advertising, or the development of competing products; (b) sell, rent, or otherwise transfer Customer Personal Data to any third party except as expressly authorised by this DPA; or (c) combine Customer Personal Data with personal data collected from other sources, except where strictly necessary to perform the Services.
4. TYPES OF PERSONAL DATA AND DATA SUBJECTS
4.1 The categories of Customer Personal Data processed by Bondify in the course of providing the Services are set out in Schedule 1, Section 2. They include, but are not limited to, the following:
| Category | Specific data elements |
|---|---|
| Messenger identity data | Telegram numeric user ID; Telegram display name (first name + last name); Telegram username (@handle, if set by the End User) |
| Contact data (optional) | End User telephone number — processed only when the Controller has expressly enabled phone-number collection in the Project settings and the End User has affirmatively shared their contact via Telegram's native contact-sharing mechanism |
| Session metadata | Session token (random 12-byte hex); session status (pending / confirmed / used / expired / cancelled); creation timestamp (UTC); confirmation timestamp (UTC); Telegram chat ID (used solely to deliver authentication messages) |
| Webhook delivery data | Outbound webhook payload to the Controller's registered URL: Telegram ID, display name, username, phone (if collected), confirmed_at timestamp; HTTP response codes and retry metadata retained for Pro/Business plan audit logs |
4.2 Bondify does not intentionally collect or process: (a) special categories of personal data within the meaning of Article 9 GDPR; (b) personal data relating to criminal convictions or offences under Article 10 GDPR; (c) payment card data, financial account numbers, or government-issued identity numbers of End Users; or (d) precise geolocation data, biometric data, or health data of End Users.
4.3 If the Controller enables phone-number collection, the Controller warrants that it has obtained the End User's freely given consent for the transmission of their phone number through Telegram's contact-sharing interface, and that it maintains a publicly accessible privacy policy describing that processing. Bondify may technically disable or suspend phone-number collection (and other features that transmit sensitive data) for any Project that has not configured a valid privacy policy URL in the Dashboard, or that Bondify reasonably believes is collecting such data without a lawful basis. Bondify's exercise of this right does not make Bondify a Controller of the affected data.
4.4 The Services are not directed at children. The Controller is solely responsible for ensuring that End Users are of the applicable minimum age, and for obtaining parental consent where required by Applicable Data Protection Laws.
5. PROCESSING INSTRUCTIONS
5.1 Bondify shall process Customer Personal Data only on the documented instructions of the Controller. The Agreement and this DPA constitute the Controller's complete documented instructions for the purposes of Article 28(3)(a) GDPR. The Controller may issue further instructions in writing; Bondify shall comply with such instructions provided they are consistent with the Agreement and Applicable Data Protection Laws.
5.2 If Bondify reasonably determines that any instruction from the Controller would require Bondify to violate Applicable Data Protection Laws, Bondify shall: (a) promptly notify the Controller; (b) suspend performance of the relevant instruction until the Controller provides a lawful alternative instruction; and (c) not be in breach of this DPA by reason of such suspension.
5.3 Bondify shall ensure that all personnel authorised to process Customer Personal Data: (a) are bound by appropriate obligations of confidentiality (whether contractual or statutory); and (b) process Customer Personal Data only as necessary to perform the Services or comply with Applicable Data Protection Laws.
6. DATA RETENTION AND DELETION
6.1 Bondify applies the following automated retention and deletion schedule to Customer Personal Data, which directly reflects the technical implementation of the Services:
| Data category | Retention and deletion |
|---|---|
| Pending session records | Automatically transitioned to "expired" status after 10 minutes; End User is notified via Telegram. Bondify runs an expiry job every 60 seconds. |
| Completed session records (confirmed / used / cancelled) | Permanently deleted by a scheduled purge job at the end of a plan-dependent retention window: 1 day (Hobby), 14 days (Pro), 90 days (Business). The window is the actual deletion time: no session record of any kind is retained beyond it (maximum 90 days, on the Business plan), and no separate longer-retention process applies. |
| MAU deduplication records (telegram_id per month) | Rolled over on a monthly cycle after MAU accounting is finalised for the billing period. Not retained as a permanent user profile. |
| Webhook delivery logs (Pro/Business) | Retained for 7 days from delivery or final failure. Logs record the payload structure, HTTP status codes, and retry metadata, not the End User identity fields themselves. |
6.2 Upon termination or expiry of the Agreement, Bondify shall, within thirty (30) days and at the Controller's choice: (a) delete all Customer Personal Data in Bondify's possession; or (b) where technically feasible, export such data in a structured, machine-readable format and then delete it. Bondify shall certify such deletion in writing upon request. Notwithstanding the foregoing, Bondify may retain Customer Personal Data to the extent required by Applicable Data Protection Laws, for the minimum period required.
6.3 The Controller may at any time export End User data visible in the Dashboard (project user list, session logs) in CSV or JSON format via the /export endpoint. This export facility constitutes the primary mechanism for data portability requests under Article 20 GDPR.
7. SECURITY MEASURES
7.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects, Bondify shall implement and maintain the technical and organisational security measures set out in Schedule 2 (the "Security Measures") to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
7.2 The Security Measures implemented by Bondify include, at minimum, the following, each reflecting measures implemented in the production Services:
- Developer account passwords are protected using a strong, industry-standard one-way hashing algorithm. Plaintext passwords are never persisted.
- API secret keys are stored only in irreversible hashed form. Full keys are displayed only once at creation; subsequent Dashboard views show only a short preview. Keys cannot be recovered from stored data.
- Custom bot tokens (white-label feature) are stored encrypted at rest.
- All API, Dashboard, and webhook communications are enforced over TLS 1.2 or higher. Plaintext HTTP is not permitted on production endpoints.
- Outbound webhook deliveries are authenticated with an HMAC-SHA256 signature carried in the X-Bondify-Signature header, so a receiving Controller can verify that a payload originated from Bondify and was not altered in transit.
- Inbound webhooks from third-party payment providers are subject to source IP allowlist enforcement in production environments.
- Rate limiting is applied at API and authentication endpoints. The rate-limiting layer is designed to operate across multiple instances where the Services are horizontally scaled.
- Session tokens are 12 random bytes (96 bits of entropy) drawn from a cryptographically secure random number generator and hex-encoded, making them infeasible to guess or enumerate.
- Pending sessions are enforced to expire automatically after 10 minutes, at both the database and application layers.
- Session confirmation uses atomic database operations to prevent double-confirmation race conditions.
- Concurrency controls are applied to webhook queue processing to ensure safe concurrent access.
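The webhook signature check in Clause 7.2 is the one Security Measure the Controller has to implement on its own side. The following is an added example of a receiving endpoint's verification logic; it is not Bondify's SDK or any code from this DPA. The DPA names the header and the algorithm but not the encoding or the exact signed input, so this example assumes the header carries the lowercase hex HMAC-SHA256 of the raw request body, keyed with a per-project webhook signing secret obtained from the Dashboard; the payload below is constructed from the fields listed in Clause 4.1 and the secret is a placeholder.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed (not specified by the DPA): lowercase hex HMAC-SHA256 over the raw
# body, keyed with the project's webhook signing secret. Adjust to the
# documented format if it differs.
HEADER_NAME = "X-Bondify-Signature"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Signature the sender is assumed to attach to a delivery."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Return the parsed payload if the signature checks out, else None.

    Verify over the exact bytes received, before any JSON parsing or
    re-serialisation (whitespace or key order changes would break the MAC),
    and compare in constant time so response timing does not leak the
    expected digest. Real frameworks expose headers case-insensitively;
    this plain dict lookup is exact-match for simplicity.
    """
    presented = headers.get(HEADER_NAME, "")
    # compare_digest raises on non-ASCII str input; treat that as invalid.
    if not isinstance(presented, str) or not presented.isascii():
        return None
    expected = sign_payload(secret, raw_body)
    if not hmac.compare_digest(presented, expected):
        return None
    return json.loads(raw_body)


# Constructed sample delivery modelled on the Clause 4.1 webhook fields.
SECRET = b"whsec_placeholder_not_a_real_secret"
SAMPLE_BODY = json.dumps(
    {
        "telegram_id": 123456789,
        "display_name": "Ada Example",
        "username": "ada_example",
        "confirmed_at": "2026-06-15T12:00:00Z",
    },
    separators=(",", ":"),
).encode()
SAMPLE_HEADERS = {HEADER_NAME: sign_payload(SECRET, SAMPLE_BODY)}


def demo() -> tuple:
    """Genuine delivery accepted; tampered body and wrong key rejected."""
    ok = verify_webhook(SECRET, SAMPLE_BODY, SAMPLE_HEADERS) is not None
    tampered = SAMPLE_BODY.replace(b"123456789", b"987654321")
    tampered_ok = verify_webhook(SECRET, tampered, SAMPLE_HEADERS) is not None
    wrong_key_ok = verify_webhook(b"other-secret", SAMPLE_BODY, SAMPLE_HEADERS) is not None
    return ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```

A body-only HMAC proves origin and integrity but not freshness: the DPA does not say whether the signed input includes a timestamp or nonce, so a receiver that cares about replay should additionally deduplicate on the identity fields and confirmed_at it already receives, and bind the result to a session it actually created.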
7.3 Bondify shall review and, where necessary, update the Security Measures periodically and following any material Security Incident. Bondify shall provide the Controller with a summary of its then-current Security Measures upon reasonable written request.
7.4 The Controller acknowledges that the Security Measures are subject to technical progress and development, and that Bondify may update the Security Measures from time to time, provided that any such update does not materially reduce the overall level of protection afforded to Customer Personal Data.
8. SUB-PROCESSORS
8.1 The Controller grants Bondify general written authorisation to engage Sub-processors, subject to the requirements of this Section 8. The current list of Sub-processors engaged by Bondify is set out in Schedule 3.
8.2 Prior to engaging any new Sub-processor, or replacing an existing Sub-processor, Bondify shall:
- publish an updated Sub-processor list at bondify.dev/legal/subprocessors and notify the Controller via email or Dashboard notification at least fourteen (14) days before the new Sub-processor begins processing Customer Personal Data (the "Notice Period");
- ensure that the Sub-processor is bound by a written contract that imposes data protection obligations on the Sub-processor that are no less protective than those imposed on Bondify under this DPA, in accordance with Article 28(4) GDPR.
8.3 During the Notice Period, the Controller may object to the new Sub-processor on reasonable, documented grounds relating to data protection by notifying Bondify in writing at [email protected]. Bondify shall use commercially reasonable efforts to make available a change to the Services to avoid processing by the objected-to Sub-processor. If Bondify is unable to accommodate the objection, either party may terminate the affected portion of the Services on thirty (30) days' written notice, without penalty.
8.4 Bondify remains fully liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if Bondify had performed the processing directly.
8.5 Where a Sub-processor fails to fulfil its data protection obligations, Bondify shall notify the Controller without undue delay and shall, at the Controller's request, take reasonable steps to terminate or replace the non-compliant Sub-processor.
9. SECURITY INCIDENT NOTIFICATION
9.1 In the event that Bondify becomes aware of a confirmed Security Incident affecting Customer Personal Data, Bondify shall notify the Controller without undue delay and, in any event, within seventy-two (72) hours of Bondify becoming aware of the Security Incident. This timeframe is intended to enable the Controller to meet its own supervisory authority notification obligations under Article 33(1) GDPR. Bondify will provide an initial notification as soon as reasonably practicable, even where full details are not yet available.
9.2 Bondify's initial notification shall be provided to the Controller's registered email address and shall include, to the extent then known:
- a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate volume of Customer Personal Data records affected;
- the name and contact details of Bondify's data protection contact (or equivalent) from whom further information can be obtained;
- a description of the likely consequences of the Security Incident;
- a description of the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects.
9.3 Where it is not possible to provide all required information within the 72-hour period, Bondify shall provide the information in phases as it becomes available, without undue further delay. The initial notification shall clearly state that it is a preliminary notice and that further details will follow.
9.4 Bondify's notification of a Security Incident shall not constitute an acknowledgement of fault or liability. Bondify shall reasonably cooperate with the Controller in investigating the Security Incident and in fulfilling the Controller's notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 GDPR.
9.5 The Controller is solely responsible for determining whether to notify Data Subjects and/or Supervisory Authorities of any Security Incident, and for making such notifications in accordance with Applicable Data Protection Laws.
9.6 Bondify shall maintain an internal record of all Security Incidents, including those that are not notifiable under Article 33(1) GDPR, in accordance with Article 33(5) GDPR.
10. ASSISTANCE TO THE CONTROLLER
10.1 Bondify shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance to the Controller in complying with its obligations under Applicable Data Protection Laws with respect to:
- the security of processing (Article 32 GDPR);
- notification of Security Incidents to supervisory authorities and Data Subjects (Articles 33–34 GDPR);
- data protection impact assessments and prior consultation (Articles 35–36 GDPR);
- responding to Data Subject requests to exercise their rights (Articles 15–22 GDPR), including requests for access, rectification, erasure, restriction, objection, and data portability.
10.2 In respect of Data Subject requests: Bondify shall promptly forward to the Controller any request received directly from an End User relating to Customer Personal Data, and shall not respond to such requests independently except to direct the Data Subject to the Controller, unless otherwise instructed by the Controller or required by law. The Controller retains sole responsibility for responding to such requests.
10.3 Bondify shall provide reasonable assistance with any data protection impact assessment (DPIA) required by Article 35 GDPR in connection with the Controller's use of the Services. Upon reasonable request, Bondify shall provide the Controller with sufficient information about the technical and organisational measures implemented in the Services to enable the Controller to conduct such a DPIA.
11. AUDIT RIGHTS
11.1 Bondify shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, in accordance with this Section 11.
11.2 Audit procedure: The Controller shall: (a) provide Bondify with at least thirty (30) days' prior written notice of any intended audit; (b) conduct audits during normal business hours and in a manner that minimises disruption to Bondify's operations; and (c) ensure that the auditor is bound by obligations of confidentiality.
11.3 Where the Controller's audit right would require access to information relating to other Bondify customers or to Bondify's proprietary systems or security configurations, Bondify may, at its reasonable discretion, provide access to relevant portions of recent third-party audit reports (such as SOC 2 Type II or ISO 27001 certification) as a substitute for direct inspection of such information. Bondify shall notify the Controller if it elects to do so.
11.4 Costs: Each party shall bear its own costs in connection with any audit. Where the Controller's audit request requires Bondify to incur material additional costs (e.g., engaging external auditors or counsel), Bondify may seek reimbursement of reasonable, documented costs, with prior written notice.
12. INTERNATIONAL DATA TRANSFERS
12.1 Bondify may transfer Customer Personal Data outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland (each a "Restricted Transfer") where necessary for the provision of the Services (including transfers to Sub-processors). All such Restricted Transfers shall be subject to an appropriate transfer mechanism under Applicable Data Protection Laws.
12.2 The applicable transfer mechanisms are:
- For transfers from the EEA: the Standard Contractual Clauses (Module Two — Controller to Processor) adopted by Commission Implementing Decision (EU) 2021/914, which are incorporated by reference into this DPA for the relevant transfers.
- For transfers from the United Kingdom: the International Data Transfer Agreement (IDTA) issued by the UK ICO, or the UK International Data Transfer Addendum to the EU SCCs (version B1.0), as applicable.
- For transfers from Switzerland: the Swiss Standard Contractual Clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or the EU SCCs adapted for Switzerland.
12.3 Where SCCs are relied upon, the parties are deemed to have accepted and signed the SCCs in Module Two (Controller to Processor), with Bondify acting as "data importer" and the Controller acting as "data exporter." The Appendices to the SCCs are completed as follows: Annex I (processing description) — as set out in Schedule 1 of this DPA; Annex II (technical and organisational measures) — as set out in Schedule 2 of this DPA; Annex III (sub-processors) — as set out in Schedule 3 of this DPA.
12.4 The parties shall update the transfer mechanism relied upon in clause 12.2 upon reasonable written notice if required by a binding decision of a competent supervisory authority or court, or if an existing mechanism ceases to be valid.
13. LIABILITY
13.1 Each party's liability to the other under or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA shall limit or exclude either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited or excluded under Applicable Data Protection Laws, including any liability owed directly to Data Subjects under Article 82 GDPR.
13.2 Where a Data Subject brings a claim against Bondify under Article 82 GDPR for damages caused by processing that was the Controller's responsibility, Bondify may seek contribution or indemnification from the Controller to the extent that Bondify was not at fault for the damage giving rise to the claim.
14. TERM AND TERMINATION
14.1 This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon expiry or termination of the Agreement. Sections 6.2, 9, 11, 12, and 13 shall survive termination.
14.2 Upon termination of the Agreement for any reason, Bondify's obligations under Section 6.2 (return and deletion of Customer Personal Data) shall apply.
15. GENERAL PROVISIONS
15.1 Governing law. This DPA shall be governed by the same governing law as the Agreement (the law of the State of Delaware, United States). The only exception is the governing law that the Standard Contractual Clauses themselves require: solely for the purpose of the SCCs (including Clause 17 of the EU SCCs), the governing law shall be the law of Ireland for EEA transfers and English law for UK transfers, unless the parties agree otherwise in writing. This limited, clause-specific choice of law is required by the SCCs and does not change the governing law of the DPA or the Agreement as a whole.
15.2 Amendments. Bondify may update this DPA to reflect changes in Applicable Data Protection Laws or guidance from Supervisory Authorities by publishing an updated version at bondify.dev/legal/dpa and providing the Controller with at least thirty (30) days' prior notice. The Controller's continued use of the Services after the effective date of an updated DPA constitutes acceptance of the update.
15.3 Precedence. In case of conflict between this DPA and the body of the Agreement with respect to the processing of Customer Personal Data, this DPA prevails.
15.4 Severability. If any provision of this DPA is found to be unenforceable under applicable law, it shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.
15.5 Entire agreement. This DPA, together with the Agreement, the Schedules, and the incorporated SCCs, constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data, and supersedes all prior oral or written agreements, representations, and understandings relating thereto.
15.6 Contact. All notices and communications under this DPA shall be directed to Bondify at: [email protected]. Bondify will endeavour to respond to all data protection enquiries within ten (10) business days.
Schedule 1 — Details of Processing (Annex I SCCs / Article 28(3) GDPR)
Section 1 — Parties
| | Controller (Customer) | Processor (Bondify) |
|---|---|---|
| Identity | The Developer entity that has registered for the Bondify Services | Bondify, operator of bondify.dev |
| Contact | As registered in the Bondify Dashboard | [email protected] |
| Role under GDPR | Data Controller; determines the purposes and means of processing Customer Personal Data | Data Processor; processes Customer Personal Data solely on behalf of and under the instructions of the Controller |
Section 2 — Description of Processing
| Element | Description |
|---|---|
| Subject matter | Messenger-based end-user authentication: generating session tokens, routing authentication requests via Telegram (and other Supported Messengers), confirming session status, and delivering identity attributes to the Controller |
| Duration of processing | For the duration of the Agreement. Individual session processing is transient: pending sessions expire after 10 minutes; completed session records are permanently deleted at the end of the plan-dependent retention window (1 day Hobby, 14 days Pro, 90 days Business) |
| Nature of processing | Collection via API request; storage in PostgreSQL; retrieval and status update on authentication event; transmission of confirmed attributes to Controller webhook; scheduled deletion via cron job |
| Purpose of processing | To verify End User identity via a Supported Messenger and to return a cryptographically signed confirmation (session proof JWT) to the Controller application |
| Categories of Personal Data | See table in Clause 4.1: Telegram ID, display name, username, phone number (optional), session token, timestamps, Telegram chat ID |
| Categories of Data Subjects | End Users of the Controller's application who initiate an authentication flow |
| Special category data | None (see Clause 4.2). Controllers must not use the Services to process special category data. |
| Sensitive data / high-risk data | Phone numbers (when enabled). Telecom-linked identifiers processed only where the End User affirmatively shares their contact via Telegram's built-in request_contact flow |
| Frequency of transfer | Continuous (on-demand, per-authentication-event) during the term of the Agreement |
| Retention | As specified in Clause 6.1 and the table therein |
Section 3 — Controller's Instructions
The Controller instructs Bondify to process Customer Personal Data as follows:
- Generate and validate session tokens upon request via the /generate or /generate/public API endpoint.
- Deliver authentication prompt messages to End Users via Telegram (or other Supported Messengers) using Bondify's default bot or, where configured, the Controller's custom bot token.
- Update session status upon End User confirmation or cancellation.
- Transmit confirmed End User identity attributes (Telegram ID, display name, username, phone number if enabled) to the Controller's registered webhook URL and/or return them in the /verify API response.
- Maintain a materialised project_users record (for the Controller's user management use case) and monthly MAU deduplication records for billing purposes.
- Apply retention and deletion schedules as described in Clause 6.1.
- Export project user data to the Controller on demand via the Dashboard export function.
Schedule 2 — Technical and Organisational Security Measures (Article 32 GDPR / Annex II SCCs)
The following measures are implemented by Bondify in production and constitute the security measures referred to in Clause 7 of this DPA.
1. Pseudonymisation and minimisation
- Session tokens are randomly generated, non-guessable strings with no embedded user or project information.
- API secret keys are stored only in irreversible hashed form; the Dashboard displays only a short preview. Full keys are unrecoverable from stored data.
- Webhook payloads include only the minimal identity fields required by the Controller's application (ID, name, username, phone if enabled).
2. Encryption
- All data in transit between clients, the API, and the Database is encrypted via TLS 1.2 or higher. HTTP is not supported in production.
- Custom bot tokens (white-label feature) are stored encrypted at rest.
- Developer passwords are stored using a strong one-way hashing algorithm. Plaintext passwords are never persisted or logged.
3. Access control and authentication
- Developer accounts are protected by password-based authentication with signed, expiring session tokens.
- API access to project data is controlled by per-project secret keys, verified against irreversibly hashed values.
- Organisation-level RBAC (owner / admin / developer / viewer) is enforced on all Dashboard and API operations for Business-plan customers.
- IP allowlisting is applied to inbound webhook handlers from known third-party payment providers in production environments.
4. Availability, integrity, and resilience
- Session expiry is enforced at the database level (expires_at column) in addition to the application layer, preventing stale session data from persisting.
- Atomic database operations prevent double-confirmation race conditions.
- Concurrency controls protect the webhook queue when multiple workers process it at the same time.
- Stuck webhook jobs (process crash mid-delivery) are automatically re-queued after 5 minutes.
5. Rate limiting and abuse prevention
- API endpoints are subject to IP-based rate limiting.
- Bot interactions are subject to per-user rate limiting.
- Public mobile SDK endpoints are subject to project-ID-based rate limiting.
- Payment webhook endpoints are excluded from API rate limits to prevent missed notifications.
6. Monitoring and logging
- All payment webhook ingestion events are logged with timestamps and body previews (no full card data) to facilitate incident investigation.
- All session lifecycle events (creation, confirmation, expiry, cancellation) are logged with UTC timestamps.
- Webhook delivery attempts, outcomes, and errors are logged per attempt.
7. Organisational measures
- All personnel with access to production systems are subject to confidentiality obligations.
- Access to production databases is restricted to engineering personnel on a need-to-know basis.
- Dependencies are reviewed for security vulnerabilities as part of the development process.
8. Incident response
- Security incidents are investigated and documented internally.
- Controllers are notified without undue delay, and in any event within 72 hours, of confirmed Security Incidents in accordance with Clause 9.
Schedule 3 — Authorised Sub-processors
The following Sub-processors are currently engaged by Bondify to process Customer Personal Data in connection with the Services. The specific providers named below are identified for transparency as of the date of this DPA and may be added to, removed, or replaced by Bondify in accordance with Clause 8.2; naming a provider here does not commit Bondify to continue using that particular provider. The current list is maintained at bondify.dev/legal/subprocessors, and changes are notified in accordance with Clause 8.2.
| Sub-processor / Entity | Purpose and data processed |
|---|---|
| Cloud infrastructure provider (e.g., AWS, GCP, or equivalent) Location: EU / US (as configured) | Hosting of the Bondify API, application server, and PostgreSQL database. Processes all categories of Customer Personal Data described in Schedule 1, Section 2 by virtue of hosting the infrastructure on which the Services run. Data Processing Agreement in place. |
| Aeza Group (https://aeza.net) Location: Netherlands (EU) | Cloud infrastructure hosting. Processes all categories of Customer Personal Data described in Schedule 1, Section 2 by virtue of hosting the infrastructure on which the Services run. Data Processing Agreement in place. |
| Telegram Messenger (Telegram FZ-LLC, Dubai, UAE) | Delivery of authentication prompt messages to End Users and receipt of callback_query (confirmation/cancellation) events. Processes Telegram chat IDs and message content as part of the Telegram Bot API interaction. Bondify acts as a Bot API integrator; Telegram's own privacy policy governs Telegram's processing of End User data on its platform. |
| Creem (Creem Inc., United States) | Processing of USD-denominated international card payments. Does not process End User Personal Data; processes Developer billing data only. |
| NOWPayments (NOWPayments Ltd.) | Processing of cryptocurrency payment invoices. Does not process End User Personal Data; processes Developer billing data only. |
Note: Creem and NOWPayments process Developer (Controller) billing data only, not End User Personal Data. They are listed here for completeness and transparency.
EXECUTION
By accessing or using the Bondify Services after the Effective Date of this DPA, or by executing a separate Order Form that references this DPA, the Controller agrees to be bound by the terms of this Data Processing Agreement on behalf of itself and, to the extent applicable, its authorised end users.
If the Controller is an entity located in the EEA, UK, or Switzerland, and requires a countersigned DPA for its own compliance records, please send a request to [email protected] with the subject line "DPA Countersignature Request" and your company name and registration number.
| FOR: Bondify (Data Processor) | FOR: Customer (Data Controller) |
|---|---|
| Signature: _______________________ | Signature: _______________________ |
| Name: _______________________ | Name: _______________________ |
| Title: _______________________ | Title: _______________________ |
| Date: _______________________ | Date: _______________________ |
| Entity: Bondify (bondify.dev) | Entity: _______________________ |
© 2025 Bondify. Confidential.
