Data Processing Addendum (DPA)

• The EU General Data Protection Regulation (GDPR)
• The UK General Data Protection Regulation (UK GDPR)
• Applicable EU and UK data protection laws

• Controller means the entity that determines the purpose and means of processing personal data
• Processor means the entity that processes personal data on behalf of the Controller
• Personal Data means any information relating to an identified or identifiable natural person
• Processing means any operation performed on personal data
• Subprocessor means any third party engaged by the Processor to process personal data

• Chat processing and automation
• Product recommendation and order status features
• Account creation and authentication
• Analytics and performance monitoring
• Customer support
• Platform integrations requested by the Controller

The Processor will not process personal data for any purpose other than as instructed by the Controller.

By using the Service, the Controller instructs the Processor to:

• Process personal data transmitted through the chatbot
• Store chat transcripts as configured by the Controller
• Access connected third party systems such as eCommerce platforms for order information
• Perform operational tasks necessary to deliver the Service

• Contact details such as names and email addresses
• Order and transaction information
• Customer service queries
• Chat content generated by users
• Technical identifiers such as IP addresses and device information
• Any data voluntarily submitted through the chatbot, including potential sensitive information

As stated in the Privacy Policy, the Service does not intentionally collect special category data, but may temporarily process such data if submitted by end users.

• Customers of the Controller
• Employees or agents of the Controller
• Website visitors and chatbot users

• Cloud hosting providers
• Database providers
• Logging and analytics tools
• Customer support and communication tools
• eCommerce platforms integrated by the Controller

A current list of Subprocessors will be provided upon request.

The Processor will ensure all Subprocessors implement equivalent data protection measures.

• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Additional contractual security measures

• Encryption in transit and at rest
• Access controls and authentication
• Secure development practices
• System monitoring and logging
• Regular security reviews

Upon request, the Processor will provide a summary of security measures.

• Are subject to confidentiality obligations
• Receive appropriate training
• Only access personal data when necessary for their role

• Responding to data subject rights requests
• Conducting data protection impact assessments
• Meeting breach notification requirements
• Complying with GDPR and UK GDPR obligations

Where necessary, the Processor will allow audits or inspections, provided they:

• Are reasonable and not disruptive
• Protect the confidentiality of other customers and system security
• Are limited to once per year unless legally required