Data Processing Addendum
Last updated: June 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Boom Interactive Inc. (“Boom”, “Processor”) and the customer accepting it (“Customer”, “Controller”) for use of the CoreSpec 3D service (the “Service”). It applies where Boom processes personal data contained in Customer Content on the Customer’s behalf. By accepting the Terms of Service or using the Service, the Customer agrees to this DPA.
1. Roles & Instructions
The Customer is the Controller and Boom is the Processor of personal data within Customer Content. Boom processes such personal data only on the Customer’s documented instructions (the agreement and this DPA constituting the complete instructions) and as required by law.
2. Confidentiality
Boom ensures that persons authorised to process the personal data are bound by confidentiality obligations and granted access on a least-privilege, need-to-know basis.
3. Security Measures
Boom maintains appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS 1.2+) and at rest (AES-256); access control with enforced multi-factor authentication; logical tenant isolation; automated backups with tested restore; logging and monitoring; secure development practices; personnel confidentiality and screening; and vendor security governance.
4. Sub-processors
The Customer provides general authorisation for Boom to engage the sub-processors listed on our Sub-processors page. Boom imposes data-protection obligations on each sub-processor no less protective than those in this DPA, remains liable for their performance, and will give at least 30 days’ notice of any intended addition or replacement of a sub-processor, allowing the Customer to object on reasonable grounds.
5. Assistance to the Controller
Taking into account the nature of processing, Boom assists the Customer, so far as possible, in fulfilling its obligations to respond to data-subject requests and to ensure security, breach notification, and data protection impact assessments under the GDPR.
6. Personal Data Breach
Boom will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer’s personal data, and will provide information reasonably necessary for the Customer to meet its own obligations.
7. Return & Deletion
On termination of the Service, and at the Customer’s choice, Boom will delete or return all personal data and delete existing copies, unless applicable law requires continued storage.
8. Audit
Boom makes available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits. Boom may satisfy this obligation by providing third-party audit reports (including its sub-processors’ SOC 2 / ISO 27001 reports and, when available, Boom’s own certifications), subject to confidentiality.
9. International Data Transfers
Where Boom processes personal data of EEA or UK data subjects in the United States, the parties incorporate by reference the EU Standard Contractual Clauses (Module Two, Controller to Processor, Commission Implementing Decision (EU) 2021/914) and, for UK data, the UK International Data Transfer Addendum. The Standard Contractual Clauses prevail over this DPA in the event of any conflict regarding the transfer.
10. General
This DPA supplements the agreement for the Service; in the event of a conflict on data-protection matters, this DPA controls. Enterprise customers requiring a countersigned copy of this DPA may request one at info@cs3d.ai.
Contact
Boom Interactive Inc — info@cs3d.ai