Data Processing Agreement

GDPR Article 28 compliant. Last updated: May 30, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ChatbotSaaS ("Processor") and the Customer ("Controller") and is entered into to ensure compliance with Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

Controller: The Customer who determines the purposes and means of processing personal data
Processor: ChatbotSaaS, who processes personal data on behalf of the Controller
Data Subjects: End users who interact with the chatbot widget
Personal Data: Any information relating to an identified or identifiable natural person

2. Processing Details

Subject matter: Operation of AI chatbot on Controller's website

Nature and purpose: Processing visitor messages, capturing leads, providing automated support responses

Type of personal data: Names, email addresses, phone numbers, chat messages, IP addresses (anonymized), user agents

Categories of data subjects: Visitors to Controller's website who interact with the chatbot

Duration: For the term of the service agreement

3. Processor Obligations

ChatbotSaaS shall:

Process personal data only on documented instructions from the Controller
Ensure persons authorized to process personal data are bound by confidentiality
Implement appropriate technical and organizational security measures
Not engage sub-processors without prior consent from the Controller
Assist the Controller in responding to data subject rights requests
Delete or return all personal data upon termination of the agreement
Provide all information necessary to demonstrate compliance with GDPR Article 28
Notify the Controller of personal data breaches within 72 hours

4. Sub-Processors

We use the following sub-processors for data processing:

Sub-Processor	Purpose	Location	Safeguards
OpenAI, L.L.C.	AI language model processing	USA	SCCs, Data Processing Addendum
Upstash Inc.	Database storage (Redis, Vector)	USA/EU	SCCs, GDPR compliant
PayPal Inc.	Payment processing	USA	SCCs, PCI DSS compliant
Resend Inc.	Transactional email	USA	SCCs, Data Processing Addendum
Vercel Inc.	Hosting and CDN	USA/Global	SCCs, GDPR compliant
Sentry Inc.	Error monitoring (no PII)	USA	SCCs, anonymized data only

5. Security Measures

Technical and organizational measures include:

HTTPS/TLS encryption for all data in transit
Encryption at rest for all stored data
HMAC-SHA256 hashing for API keys (raw keys never stored)
IP-based and key-based rate limiting
Prompt injection detection and filtering
Role-based access controls
Comprehensive audit logging
Automated data retention policies

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling requests from data subjects including:

Right of Access: GDPR export endpoint at DELETE /api/admin/logs?type=gdpr_export
Right to Erasure: Full deletion via DELETE /api/admin/clients/[key]
Data Portability: JSON export includes all personal data

7. Governing Law

This DPA is governed by the law of the European Union, in particular the GDPR (Regulation 2016/679).

8. Contact

Data Protection Officer: dpo@chatbotsaas.com

See also: Privacy Policy | Terms of Service