Bonmoniq legal
Data Processing Agreement
- Last updated
- 2026-06-21
This English version is provided for information as a free translation. The French version is the official legal version. If there is any conflict, the French version prevails.
Cloudflare Web Analytics is used for cookieless audience measurement and Core Web Vitals on the public website. It does not use cookies, does not track individual users, and is not used to process Customer content inside the Service.
Purpose
This Data Processing Agreement, or DPA, applies when Bonmoniq processes personal data on behalf of a Professional Customer in connection with the Service.
It supplements the Terms of Service and applies only to processing for which the Customer acts as controller and Bonmoniq acts as processor under Article 4 GDPR.
Parties
| Role | Party | Contact details |
|---|---|---|
| Controller | Professional Customer subscribing to the Service | Details entered in the Account or contract |
| Processor | Bonmoniq SASU, SIREN 104 435 557, SIRET 104 435 557 00012, Paris RCS | 47 rue Vivienne, 75002 Paris, France - privacy@bonmoniq.com (data protection), legal@bonmoniq.com (contractual matters) |
Bonmoniq is represented by Dmitrii Poroshkov, President.
Subject matter and duration
| Item | Description |
|---|---|
| Subject matter | Processing personal data to provide the online software Service to the Customer |
| Duration | Subscription term, then the period required for return, deletion, limited backup and legal obligations |
| End of processing | Deletion or return according to the Customer's documented instructions, unless EU or French law requires retention |
Nature and purpose of processing
| Nature of processing | Purpose |
|---|---|
| Hosting | Store Customer data in the Service infrastructure |
| Retrieval | Display data to authorized Customer Users |
| Organization | Enable configuration, search, sorting and actions in the Service |
| Backup | Maintain security and continuity backups |
| Support | Diagnose and resolve incidents requested by the Customer |
| Security | Log access, prevent abuse and protect the Service |
Bonmoniq processes Customer data only to provide the Service and according to the Customer's documented instructions.
Categories of data subjects and personal data
| Category | Examples of data | Data subjects |
|---|---|---|
| Customer Users | Name, email, identifier, role, activity logs | Customer employees, contractors, administrators |
| Contacts imported by the Customer | Name, email, company, information provided in the Service | Customer clients, prospects, partners |
| Customer operational data | Content, notes, files, free-text fields, metadata | Persons whose data is entered by the Customer |
| Technical data | IP address, user agent, timestamps, session identifiers | Authorized Users and administrators |
| Communications content, when enabled | Call audio, recordings, transcripts, AI-conversation content, messaging content, routing metadata | Call and message participants, including third parties contacted by the Customer |
The Customer undertakes not to import special categories of data under Article 9 GDPR, criminal-offence data under Article 10 GDPR or children's data through ordinary Service fields, unless there is prior written agreement and documented additional measures.
Voice and messaging features may, by their nature, incidentally capture special categories of data expressed by participants. Where this occurs, the Customer remains the controller and is responsible for identifying an Article 9(2) GDPR condition and for informing participants and obtaining any consent required by applicable recording-consent rules. Bonmoniq processes such content only as processor, on its own infrastructure, to provide the Service.
Processor obligations
In accordance with Article 28(3) GDPR, Bonmoniq undertakes to comply with the obligations below.
Documented instructions
Bonmoniq processes personal data only on the Customer's documented instructions, including the Terms, this DPA, Account settings and written Customer requests.
If Bonmoniq believes that an instruction infringes the GDPR, the Loi Informatique et Libertés or another applicable provision, Bonmoniq informs the Customer within 5 business days after identifying the issue.
Staff confidentiality
Bonmoniq limits access to personal data to persons who need access to provide the Service or support. These persons are subject to contractual or statutory confidentiality obligations.
Security measures
Bonmoniq applies the Article 32 GDPR security measures described below.
| Measure | Description |
|---|---|
| Encryption in transit | TLS for communications between browser, API and exposed services |
| Encryption at rest | Encryption of production data and backups according to the hosting platform mechanisms |
| Access control | Production access limited to authorized persons |
| Authentication | Mandatory strong authentication for administrative accounts |
| Logging | Technical access logs and security events |
| Backups | Technical backups with restricted access |
| Access review | Access checked at least every 6 months |
| Incident management | Analysis, containment, remediation and notification under Articles 33 and 34 GDPR |
Sub-processors
The Customer authorizes Bonmoniq to use the sub-processors listed in this DPA to provide the Service.
Bonmoniq notifies the Customer of any addition or replacement of a sub-processor at least 30 days in advance by email, in-Service notification or documented update accessible to the Customer. The up-to-date list of sub-processors is the one set out in the current version of this DPA, published at /en/legal/dpa with its last-updated date.
The Customer may object to a new sub-processor for a documented reason relating to processing location, lack of an Article 46 GDPR transfer safeguard, addition of data categories or an identified security risk. If the objection is not resolved, the Customer may terminate the affected part of the Service before the change takes effect.
Bonmoniq imposes on each sub-processor the same data protection obligations as those set out in this DPA, in accordance with Article 28(4) GDPR.
Assistance with data subject rights
Bonmoniq assists the Customer, taking into account the nature of processing, in responding to requests to exercise rights under Articles 15 to 22 GDPR.
If a data subject sends Bonmoniq a request concerning data processed on behalf of the Customer, Bonmoniq forwards the request to the Customer when the Customer is identifiable, unless a legal obligation requires otherwise.
Assistance with breach notification
Bonmoniq informs the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting data processed on behalf of the Customer.
The initial notice includes the facts known to Bonmoniq at the time of sending and is completed by successive updates when the investigation confirms new information:
- the nature of the breach;
- approximate categories and volumes of affected data;
- likely consequences;
- measures taken or proposed to address the breach;
- Bonmoniq contact point.
The Customer remains responsible for notifications to the supervisory authority and data subjects when acting as controller, unless otherwise agreed in writing.
Assistance with DPIA
Bonmoniq provides the Customer with documentation held by Bonmoniq on Service architecture, sub-processors, processing locations, security measures and confirmed incident history concerning the Service to help conduct a data protection impact assessment where Article 35 GDPR requires it.
Deletion or return
At the end of the contract, Bonmoniq deletes or returns personal data processed on behalf of the Customer according to the Customer's documented instructions.
Bonmoniq may retain certain data where French or EU law requires it, including for evidence, accounting, security or legal defence.
Audits
Bonmoniq makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR.
The Customer may request a documentary audit once per year, with 30 days' notice. If the documentary audit does not verify a specific Article 28 GDPR point, an on-site audit may be organized under a confidentiality agreement, without access to other customers' data, during business hours and with a scope limited to the uncovered point.
Sub-processor list
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Cloudflare Inc. | Delivery of the website and Service interface, CDN, DNS, DDoS protection, network security and edge caching | United States, with a global edge network | Standard Contractual Clauses, DPF where certified and applicable contractual safeguards |
| Cloudflare Web Analytics | Cookieless audience measurement and Core Web Vitals | United States, with a global edge network | Cookieless analytics meeting CNIL exemption conditions |
| Stripe Technology Europe Limited | Payment processing when enabled | Ireland, EU (registered office: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2) | EU processor, GDPR-native |
| Qonto / Olinda SAS | Business banking and related payment services | France, EU | Payment institution regulated by the ACPR, GDPR-native |
| Twilio Inc. | Telephony number provisioning, voice and SMS routing for US and international numbers | United States | Standard Contractual Clauses and EU-US Data Privacy Framework |
| Sinch AB | Telephony number provisioning, voice and SMS routing for EU numbers | Sweden, EU | EU processor, GDPR-native |
| Telnyx LLC / Telnyx Ireland Limited | Telephony number provisioning, voice and SMS routing | United States and Ireland, EU | Standard Contractual Clauses and EU-US Data Privacy Framework for US processing |
The AI voice agent runs on Bonmoniq's own infrastructure using Bonmoniq's own language models; AI conversation content is not disclosed to any third-party AI sub-processor. Bonmoniq plans to offer WhatsApp Business messaging; this feature is not active yet, and Meta Platforms Ireland Limited will be added to this list, with onward US transfers, before the feature is enabled.
International transfers
Where personal data is transferred outside the EU, Bonmoniq uses the mechanisms provided by Articles 44 to 49 GDPR.
Customer AI conversation content is processed on Bonmoniq's own infrastructure within the European Union and is not transmitted to any third-party AI provider. The professional telephony layer (numbers, voice, SMS) relies on a mix of EU and US carriers depending on the country of the number: voice and SMS for EU numbers are routed through EU-based carriers, while US and international numbers, together with certain routing metadata, are handled by US carriers under the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Cloudflare remains in use for website delivery, DNS, and edge protection. Bonmoniq holds the electronic communications identifier assigned by ARCEP (BNMQ).
| Destination | Mechanism | Comment |
|---|---|---|
| United States | Standard Contractual Clauses, Article 46 GDPR | Used for providers not covered by an applicable adequacy decision |
| United States | EU-US Data Privacy Framework, Article 45 GDPR | Usable where the recipient is certified and listed under the DPF |
| Other third countries | SCC or other valid safeguard | Assessment before provider activation |
Bonmoniq does not present this architecture as full independence from US law. US-established sub-processors, or their US parent companies, may be subject to US legislation such as the CLOUD Act, which can in principle require disclosure of data they hold regardless of storage location. Bonmoniq applies supplementary measures (data minimisation, encryption in transit and at rest, EU-based routing for EU numbers, and self-hosted AI processing) alongside the transfer mechanisms above. A transfer impact assessment is maintained and made available to the Customer on request.
The Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914) are incorporated into this DPA by reference: the controller-to-processor module between the Customer and Bonmoniq, and, where Bonmoniq engages a sub-processor outside the EU, the relevant module of the sub-processing chain. Their Annexes are completed by the parties' details, the description of processing in this DPA, the security measures in this DPA, and the sub-processor list above.
Liability and indemnification
Each party is liable for breaches attributable to it under the GDPR, the Loi Informatique et Libertés and the contract.
Bonmoniq is not liable for processing determined by the Customer, data imported by the Customer, unlawful Customer instructions or processing carried out by the Customer outside the Service.
Any limitation of liability agreed in the Terms or main contract applies to inter-party contractual liability under this DPA within the limits permitted by French law. No such limitation affects the liability of either party towards data subjects under Article 82 GDPR, nor applies where prohibited by law.
Term and termination
This DPA takes effect on the date the Customer accepts the Terms or signs a contract including the DPA. It remains applicable for the duration of processing carried out by Bonmoniq on behalf of the Customer.
Termination of the main contract ends the DPA after deletion or return of data, except for statutory retention obligations.
Contact
| Topic | Contact |
|---|---|
| Contractual questions | legal@bonmoniq.com |
| Personal data | privacy@bonmoniq.com |
| Security | security@bonmoniq.com |
Governing law and jurisdiction
This DPA is governed by French law and EU law applicable to personal data protection.
For disputes between professionals relating to this DPA, the Paris Commercial Court has exclusive jurisdiction, subject to mandatory contrary provisions.
Last updated
This DPA was last updated on 21 June 2026.
Last updated: 21 June 2026 For any question regarding this document, contact us at legal@bonmoniq.com.