Clear Responsibilities

Data Processing Agreement

Our comprehensive DPA ensures GDPR compliance and protects your data processing activities with InsertChat.

GDPR Compliant · Data Sovereignty · EU Servers

Full data processing agreement

Our complete DPA covering all data processing obligations and responsibilities.

Introduction

This Data Processing Agreement ('DPA') forms part of the Terms of Service between InsertChat, Inc. ('InsertChat,' 'we,' 'us,' or 'Data Processor') and the customer ('Customer,' 'you,' or 'Data Controller') using InsertChat's services.

1. Definitions

This DPA defines key terms including Data Protection Law, Personal Data, Processing, Services, and Sub-processor with references to GDPR and related regulations.

2. Processing of Personal Data

2.1 Scope and Nature: Subject matter covers AI agent and customer support services provision. Duration is the agreement term plus legal obligation requirements. Nature includes collection, recording, storage, analysis, retrieval, and deletion.

2.2 Categories of Data Subjects: Customer's end users and website visitors, employees and representatives, customers and prospects.

2.3 Categories of Personal Data: Contact information (name, email, phone), communication data (chat messages, conversation history), technical data (IP address, browser info, device identifiers), usage data (interaction patterns, timestamps, session data).

3. Customer Obligations

Customer warrants possession of necessary rights and consents for data provision, appropriate privacy notices to data subjects, Data Protection Laws compliance, restrictions on sensitive personal data unless agreed, and prompt notification of subject requests or complaints.

4. InsertChat Obligations

InsertChat commits to processing per documented instructions only, ensuring confidentiality bindings, implementing appropriate security measures, obtaining proper sub-processor safeguards, assisting with subject requests, notifying of breaches without undue delay, and deleting or returning data upon service termination.

5. Security Measures

5.1 Technical Measures: 256-bit AES encryption for data at rest, TLS 1.3 encryption for data in transit, multi-factor authentication for system access, regular security monitoring and intrusion detection, secure software development lifecycle.

5.2 Organizational Measures: Role-based access controls and least privilege principle, regular employee security training and background checks, incident response and business continuity procedures, regular security audits and penetration testing, enterprise security certification and compliance monitoring.

6. Sub-processors

6.1 Authorized Sub-processors: Hetzner (Cloud infrastructure and hosting), Cloudflare (Cloud infrastructure and hosting), Stripe (Payment processing), AWS (Email delivery).

6.2 Sub-processor Changes: InsertChat will provide 30 days' prior notice of any changes to sub-processors. Customer may object to new sub-processors within 30 days of notification.

7. International Data Transfers

Personal Data may be transferred outside the European Economic Area with protection through Standard Contractual Clauses, adequacy decisions, additional safeguards, and data localization options.

8. Data Subject Rights

InsertChat assists with fulfilling access, rectification, erasure, processing restriction, portability, and objection rights. Customer remains responsible for directing requests within reasonable timeframes.

9. Data Breach Notification

Upon breach, InsertChat commits to notifying within 72 hours, providing breach information, taking immediate containment steps, assisting authority notifications, and cooperating with investigation.

10. Audits and Compliance

10.1 Regular Audits: InsertChat undergoes regular third-party security audits and maintains enterprise security certification. Audit reports are available to customers upon request under appropriate confidentiality agreements.

10.2 Customer Audits: Customer may conduct audits of InsertChat's processing activities upon reasonable notice and at Customer's expense, subject to confidentiality obligations and operational requirements.

11. Data Retention and Deletion

Data is retained only for service provision and legal compliance. Upon termination: customer data is exportable for 30 days, deletion occurs within 90 days with certification available, and legal holds are respected.

12. Liability and Indemnification

Liability is subject to the Terms of Service limitations. InsertChat indemnifies against non-compliance claims, with requirements for prompt notice, cooperation, and InsertChat control of defense.

13. Term and Termination

The DPA is effective on the agreement date, continues for the duration of the service term, and terminates automatically with the Terms of Service except for surviving obligations.

How we protect your data

We implement industry-leading security measures to ensure your data remains safe and private.

European Servers · EU Data Centers
Zero-Knowledge · End-to-End Encryption
24/7 Monitoring · Threat Detection
Regular Audits · Security Testing