Bonmoniq legal
Data Processing Agreement
Last updated: 2026-05-11
This English version is provided for information as a free translation. The French version is the official legal version. If there is any conflict, the French version prevails.
The analytics tool marked [ANALYTICS_TOOL] will be completed before activation or before signing a specific contract with the Customer.
Purpose
This Data Processing Agreement, or DPA, applies when Bonmoniq processes personal data on behalf of a Professional Customer in connection with the Service.
It supplements the Terms of Service and applies only to processing for which the Customer acts as controller and Bonmoniq acts as processor under Article 4 GDPR.
Parties
| Role | Party | Contact details |
|---|---|---|
| Controller | Professional Customer subscribing to the Service | Details entered in the Account or contract |
| Processor | Bonmoniq SASU, SIREN 104 435 557, Paris RCS | 47 rue Vivienne, 75002 Paris, France, legal@bonmoniq.com |
Bonmoniq is represented by Dmitrii Poroshkov, President.
Subject matter and duration
| Item | Description |
|---|---|
| Subject matter | Processing personal data to provide the online software Service to the Customer |
| Duration | Subscription term, then the period required for return, deletion, limited backup and legal obligations |
| End of processing | Deletion or return according to the Customer's documented instructions, unless EU or French law requires retention |
Nature and purpose of processing
| Nature of processing | Purpose |
|---|---|
| Hosting | Store Customer data in the Service infrastructure |
| Retrieval | Display data to authorized Customer Users |
| Organization | Enable configuration, search, sorting and actions in the Service |
| Backup | Maintain security and continuity backups |
| Support | Diagnose and resolve incidents requested by the Customer |
| Security | Log access, prevent abuse and protect the Service |
Bonmoniq processes Customer data only to provide the Service and according to the Customer's documented instructions.
Categories of data subjects and personal data
| Category | Examples of data | Data subjects |
|---|---|---|
| Customer Users | Name, email, identifier, role, activity logs | Customer employees, contractors, administrators |
| Contacts imported by the Customer | Name, email, company, information provided in the Service | Customer clients, prospects, partners |
| Customer operational data | Content, notes, files, free-text fields, metadata | Persons whose data is entered by the Customer |
| Technical data | IP address, user agent, timestamps, session identifiers | Authorized Users and administrators |
The Customer undertakes not to import special categories of data under Article 9 GDPR, criminal-offence data under Article 10 GDPR or children's data, unless there is prior written agreement and documented additional measures.
Processor obligations
In accordance with Article 28(3) GDPR, Bonmoniq undertakes to comply with the obligations below.
Documented instructions
Bonmoniq processes personal data only on the Customer's documented instructions, including the Terms, this DPA, Account settings and written Customer requests.
If Bonmoniq believes that an instruction infringes the GDPR, the Loi Informatique et Libertés or another applicable provision, Bonmoniq informs the Customer within 5 business days after identifying the issue.
Staff confidentiality
Bonmoniq limits access to personal data to persons who need access to provide the Service or support. These persons are subject to contractual or statutory confidentiality obligations.
Security measures
Bonmoniq applies the Article 32 GDPR security measures described below.
| Measure | Description |
|---|---|
| Encryption in transit | TLS for communications between browser, API and exposed services |
| Encryption at rest | Encryption of production data and backups according to the hosting platform mechanisms |
| Access control | Production access limited to authorized persons |
| Authentication | Mandatory strong authentication for administrative accounts |
| Logging | Technical access logs and security events |
| Backups | Technical backups with restricted access |
| Access review | Access checked at least every 6 months |
| Incident management | Analysis, containment, remediation and notification under Articles 33 and 34 GDPR |
Sub-processors
The Customer authorizes Bonmoniq to use the sub-processors listed in this DPA to provide the Service.
Bonmoniq notifies the Customer of any addition or replacement of a sub-processor at least 30 days in advance by email, in-Service notification or documented update accessible to the Customer.
The Customer may object to a new sub-processor for a documented reason relating to processing location, lack of an Article 46 GDPR transfer safeguard, addition of data categories or an identified security risk. If the objection is not resolved, the Customer may terminate the affected part of the Service before the change takes effect.
Bonmoniq imposes data protection obligations on each sub-processor that are substantially equivalent to those in this DPA.
Assistance with data subject rights
Bonmoniq assists the Customer, taking into account the nature of processing, in responding to requests to exercise rights under Articles 15 to 22 GDPR.
If a data subject sends Bonmoniq a request concerning data processed on behalf of the Customer, Bonmoniq forwards the request to the Customer when the Customer is identifiable, unless a legal obligation requires otherwise.
Assistance with breach notification
Bonmoniq informs the Customer without undue delay after becoming aware of a personal data breach affecting data processed on behalf of the Customer.
The initial notice includes the facts known to Bonmoniq at the time of sending and is completed by successive updates when the investigation confirms new information:
- the nature of the breach;
- approximate categories and volumes of affected data;
- likely consequences;
- measures taken or proposed to address the breach;
- Bonmoniq contact point.
The Customer remains responsible for notifications to the supervisory authority and data subjects when acting as controller, unless otherwise agreed in writing.
Assistance with DPIA
Bonmoniq provides the Customer with documentation held by Bonmoniq on Service architecture, sub-processors, processing locations, security measures and confirmed incident history concerning the Service to help conduct a data protection impact assessment where Article 35 GDPR requires it.
Deletion or return
At the end of the contract, Bonmoniq deletes or returns personal data processed on behalf of the Customer according to the Customer's documented instructions.
Bonmoniq may retain certain data where French or EU law requires it, including for evidence, accounting, security or legal defence.
Audits
Bonmoniq makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR.
The Customer may request a documentary audit once per year, with 30 days' notice. If the documentary audit does not verify a specific Article 28 GDPR point, an on-site audit may be organized under a confidentiality agreement, without access to other customers' data, during business hours and with a scope limited to the uncovered point.
Sub-processor list
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Cloudflare Inc. | Delivery of the website and Service interface, CDN, DNS, DDoS protection, network security and edge caching | United States, with a global edge network | Standard Contractual Clauses, DPF where certified and applicable contractual safeguards |
| Sinch AB | Communications infrastructure: numbers, voice, SMS, and RCS | Sweden, EU | EU operator, GDPR-native |
| Mistral AI SAS | AI voice agent processing when enabled | France, EU | EU operator, GDPR-native |
| Stripe Payments Europe or Mollie B.V. | Payment processing (only one provider active at a time) | European Union, with possible operations outside the EU | EU, SCC + DPF depending on entity and transfer |
| Google Workspace | Business email and office tools | EU/USA | SCC + DPF where certified |
International transfers
Where personal data is transferred outside the EU, Bonmoniq uses the mechanisms provided by Articles 44 to 49 GDPR.
Customer voice, messaging, and AI conversation content on the European product path is processed by Sinch AB and Mistral AI SAS in the European Union. Bonmoniq does not present this architecture as an absence of US technology: Cloudflare and certain business tools may remain US providers for delivery, security, email, or payment functions.
| Destination | Mechanism | Comment |
|---|---|---|
| United States | Standard Contractual Clauses, Article 46 GDPR | Used for providers not covered by an applicable adequacy decision |
| United States | EU-US Data Privacy Framework, Article 45 GDPR | Usable where the recipient is certified and listed under the DPF |
| Other third countries | SCC or other valid safeguard | Assessment before provider activation |
Liability and indemnification
Each party is liable for breaches attributable to it under the GDPR, the Loi Informatique et Libertés and the contract.
Bonmoniq is not liable for processing determined by the Customer, data imported by the Customer, unlawful Customer instructions or processing carried out by the Customer outside the Service.
Any limitation of liability agreed in the Terms or main contract applies to this DPA within the limits permitted by French law. No limitation applies where prohibited by law.
Term and termination
This DPA takes effect on the date the Customer accepts the Terms or signs a contract including the DPA. It remains applicable for the duration of processing carried out by Bonmoniq on behalf of the Customer.
Termination of the main contract ends the DPA after deletion or return of data, except for statutory retention obligations.
Contact
| Topic | Contact |
|---|---|
| Contractual questions | legal@bonmoniq.com |
| Personal data | privacy@bonmoniq.com |
| Security | security@bonmoniq.com |
Governing law and jurisdiction
This DPA is governed by French law and EU law applicable to personal data protection.
For disputes between professionals relating to this DPA, the Paris Commercial Court has exclusive jurisdiction, subject to mandatory contrary provisions.
Last updated
This DPA was last updated on 11 May 2026.
For any question regarding this document, contact us at legal@bonmoniq.com.
