Last Updated: March 2026
This GDPR Compliance Statement describes how BOSYS complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) when processing personal data in connection with our AI-powered enterprise platform and related services.
This statement applies to customers located in the European Union, organizations processing EU personal data, users accessing BOSYS from the EEA, and data subjects whose data is processed within the platform — including employees, customers, suppliers, partners, and end users.
Data Controller: BOSYS acts as controller when it determines the purposes and means of processing personal data, for example for account registration, billing management, support communication, and security monitoring. Data Processor: BOSYS acts as processor when it processes personal data on behalf of customers and on their documented instructions, such as business records, employee data, customer records, and operational data. In these cases the customer remains the Data Controller.
BOSYS processes personal data only where a lawful basis under Article 6 GDPR applies, including: contractual necessity (providing the software services, processing payments), legal obligation (complying with applicable legal requirements), legitimate interests (for example maintaining the security of the service, subject to balancing those interests against the rights of data subjects), and consent where it has been obtained.
Data subjects have the following rights under GDPR: the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and the right to withdraw consent at any time where processing is based on consent. Requests may be submitted to privacy@bosys.ai. Where BOSYS processes data as a processor, requests concerning customer data are handled in coordination with the customer, which remains the controller.
BOSYS enters into Data Processing Agreements (DPAs) with customers where required. DPAs define data processing responsibilities, security obligations, confidentiality requirements, data transfer safeguards, and breach notification procedures.
Technical and organizational measures protecting personal data include encryption, access control, multi-factor authentication, continuous monitoring and logging, backups, and regular security testing.
When personal data is transferred outside the European Economic Area, BOSYS relies on safeguards recognized under Chapter V GDPR, including Standard Contractual Clauses (SCCs) and data protection agreements, supported by technical measures such as secure infrastructure and encryption, so that the data continues to receive a level of protection essentially equivalent to that in the EEA.
Personal data is retained only as long as necessary. Retention depends on legal requirements, operational needs, contractual obligations, and security considerations. Account data is retained while active; backup data temporarily; financial records for compliance.
In the event of a personal data breach, BOSYS will investigate and contain the incident and notify in accordance with GDPR. Where BOSYS acts as processor, it notifies the affected customer without undue delay after becoming aware of the breach so that the customer, as controller, can meet its own notification obligations. Where BOSYS acts as controller, it notifies the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and informs affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
BOSYS applies data protection by design and by default (Article 25 GDPR): privacy protections are built into the system architecture through secure configuration, access restrictions, data minimization, encryption, and audit logging, and default settings are chosen so that personal data is protected without users having to change them.
BOSYS evaluates third-party vendors for compliance with data protection requirements. Sub-processors, including cloud providers, backup providers, security services, and payment processors, must meet BOSYS security controls, enter into confidentiality agreements, and provide data protection safeguards before they process personal data.
Where required, BOSYS appoints a Data Protection Officer or responsible privacy contact. Responsibilities include monitoring compliance, handling data requests, managing privacy risks, and advising on data protection matters.
BOSYS maintains internal records of processing activities describing the categories of data processed, processing purposes, data recipients, retention periods, and security measures, supporting regulatory compliance and accountability (Articles 5(2) and 30 GDPR).
BOSYS maintains governance processes including risk assessment, security review, policy management, training programs, and compliance monitoring to ensure ongoing adherence to GDPR requirements.
This statement may be updated periodically to reflect legal changes, technology changes, or operational changes. Updated versions will be published on the website.
Privacy Office: privacy@bosys.ai. Legal Department: legal@bosys.ai. Security Team: security@bosys.ai.