Data Processing Agreement (DPA) / Auftragsverarbeitungsvertrag (AVV)
Last updated: April 7, 2026
DATA PROCESSING AGREEMENT
pursuant to Article 28 of the General Data Protection Regulation (GDPR)
between
the Customer (hereinafter "Controller")
who has entered into a service agreement for the use of Chaterimo,
and
David Langr
Business Registration No. (ICO): 04617002
V Olsinach 1451/20, 100 00, Prague 10 — Strasnice, Czech Republic
Email: info@chaterimo.com
(hereinafter "Processor" or "Chaterimo")
collectively referred to as the "Parties."
1. Subject Matter and Duration
1.1. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Controller's use of the Chaterimo platform ("Service").
1.2. The duration of this DPA corresponds to the duration of the Controller's subscription to the Service. Upon termination of the subscription, the provisions of Section 10 (Data Deletion) shall apply.
2. Nature and Purpose of Processing
The Processor processes personal data on behalf of the Controller for the following purposes:
- AI-powered customer support chatbot: Receiving, processing, and responding to end-user chat messages using artificial intelligence models
- Knowledge base management: Indexing and searching the Controller's product catalog and website content to provide relevant responses
- Lead management: Collecting and storing contact information voluntarily provided by end-users through the chat widget
- Email processing (if enabled): Receiving, classifying, and drafting responses to customer emails
- Ticket management (if enabled): Processing customer support tickets
- E-commerce integration: Synchronizing product and order data from the Controller's e-commerce platform (e.g., Shopify, Shoptet, WooCommerce)
- Analytics: Generating aggregated usage statistics and performance reports
- CRM integration (if enabled): Syncing lead data to the Controller's CRM system (Zoho, HubSpot, Pipedrive)
3. Types of Personal Data Processed
The following categories of personal data may be processed:
a) End-user (chat visitor) data:
- Chat messages and conversation content
- Email addresses, names, and phone numbers (when voluntarily provided via lead forms)
- Language preferences
- Product interaction data (viewed/discussed products)
- Order information (order IDs, tracking numbers — when order verification is enabled)
b) Controller's account data (processed by Chaterimo as an independent controller for account management and billing — not covered by this DPA):
- Email address, name, username
- Organization details
- Payment identifiers (Stripe customer ID — no card data is stored by Chaterimo)
c) Email data (if email integration is enabled):
- Sender and recipient email addresses and names
- Email subject lines and body content
- Email metadata (headers, timestamps)
d) Technical data:
- Session identifiers
- Platform identifiers (web, Facebook Messenger)
- IP addresses (used for rate limiting and security; cached temporarily for blocking purposes and included in application logs shipped to the logging provider)
4. Categories of Data Subjects
- End-users: Visitors of the Controller's website or e-commerce store who interact with the chat widget
- Customers: Individuals whose order data is accessed via e-commerce integrations
- Email correspondents (if email integration is enabled)
5. Obligations of the Controller
The Controller shall:
5.1. Ensure that the processing of personal data through the Service is lawful, including obtaining any necessary consents from data subjects or establishing another legal basis under Art. 6 GDPR. In particular, the Controller confirms that: (a) it has collected all personal data entrusted to the Processor in compliance with applicable laws, including the GDPR; (b) it has provided data subjects with all required information about the processing of their data pursuant to Articles 13 and 14 GDPR; and (c) where the Controller uses the Service for direct marketing or email communication, it has obtained all legally required consents (including consent to send commercial communications by electronic means where applicable).
5.2. Inform end-users about the use of AI-powered chatbot services and the associated data processing through an appropriate privacy notice displayed on or linked from the Controller's website.
5.3. Be responsible for the accuracy, quality, and legality of the personal data provided to the Processor.
5.4. Promptly notify the Processor of any data subject requests that require the Processor's assistance.
5.5. Not submit, and not encourage or require data subjects to submit, any special categories of personal data within the meaning of Article 9 GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation) through the Service, unless the Processor has given prior written consent. The Controller acknowledges that the Service is not designed to process special categories of personal data.
6. Obligations of the Processor
The Processor shall:
6.1. Process personal data only on documented instructions from the Controller, unless required to do so by European Union or Member State law. The Service's functionality as configured by the Controller constitutes the Controller's documented instructions.
6.2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Take all measures required pursuant to Article 32 GDPR (security of processing) as described in Annex 2.
6.4. Assist the Controller, taking into account the nature of the processing, in fulfilling the Controller's obligation to respond to data subject requests (access, rectification, erasure, portability, restriction, objection).
6.5. Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments), taking into account the nature of processing and the information available to the Processor.
6.6. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of the Service, and delete existing copies unless Union or Member State law requires storage of the personal data.
6.7. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the following conditions:
- Audit requests must be submitted with at least 30 days' prior written notice.
- Audits are limited to once per calendar year, unless a personal data breach has occurred or a supervisory authority requires additional audits.
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.
- The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.
- The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or security documentation. On-site inspections shall only be conducted if the documentation provided is insufficient to verify compliance.
The Processor shall immediately inform the Controller if, in its opinion, an instruction violates the GDPR or other data protection provisions.
6.8. The Processor ensures, through its agreements with its AI sub-processors, that the Controller's personal data transmitted via API calls is used solely to generate responses and is not used to train, improve, or develop the sub-processors' foundation AI models. The Processor uses API/enterprise-tier access to all AI sub-processors, whose terms contractually prohibit training on customer data.
6.9. The Parties agree that the Processor shall be entitled to reimbursement from the Controller for reasonable costs incurred in providing assistance beyond the standard scope of the Service, including but not limited to: responding to data subject access requests requiring manual data retrieval, providing support for data protection impact assessments, and facilitating audits or inspections. The Processor shall inform the Controller of the estimated costs before commencing such assistance.
7. Sub-processors
7.1. The Controller grants the Processor general written authorization to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within 30 days. If the Controller objects, the Processor shall refrain from engaging the sub-processor for the Controller's data or, if this is not feasible, the Controller may terminate the Service.
7.2. The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract.
7.3. The current list of sub-processors is provided in Annex 1.
8. Data Transfers Outside the EEA
8.1. Some sub-processors (see Annex 1) are located outside the European Economic Area (EEA), primarily in the United States. For such transfers, the Processor relies on:
- The European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (where the sub-processor is certified), or
- Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR — where SCCs apply, the Parties agree that the standard contractual clauses approved by European Commission Decision (EU) 2021/914 (Module Two: Transfer controller to processor) are hereby incorporated by reference, or
- Other applicable safeguards under Chapter V GDPR.
8.2. Where available, the Processor contracts with the EU/EEA subsidiary of sub-processors (e.g., Google Ireland Limited, Meta Platforms Ireland Limited, OpenAI Ireland Ltd.) to minimize cross-border data transfer requirements.
8.3. The Processor shall inform the Controller if any sub-processor transfer mechanism changes materially.
9. Data Breach Notification
9.1. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, as required by Article 33(2) GDPR, and shall use best efforts to do so within 72 hours. The Parties acknowledge that the Controller's own 72-hour deadline for notifying the competent supervisory authority under Article 33(1) GDPR runs from the time the Controller becomes aware of the breach; the Processor shall therefore provide initial notice as early as possible and may supplement it as further information becomes available.
9.2. The notification shall include:
- A description of the nature of the breach, including categories and approximate number of data subjects and records concerned
- The name and contact details of the Processor's contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
10. Data Deletion and Return
10.1. Upon termination of the Service subscription, the Processor shall:
- Delete the Controller's personal data from all active systems within 30 days
- Allow data residing in immutable backup archives, which is protected from further processing, to expire or be overwritten according to the Processor's 90-day backup retention schedule. The Processor is not required to reconstruct backup archives to delete individual data records.
- Prior to deletion, provide the Controller with an export of their data upon request. Self-service exports are available for leads (CSV) and chat history (CSV) via the administrative interface. For other data categories, the Controller may request an export by contacting the Processor directly.
10.2. The Controller may delete knowledge base data, product data, and URL data at any time via the Service's administrative interface. For deletion of other data categories (e.g., chat sessions, email data), the Controller may contact the Processor directly.
11. Governing Law and Jurisdiction
11.1. This DPA shall be governed by the laws of the Czech Republic, without prejudice to the mandatory provisions of the GDPR.
11.2. Any disputes arising from this DPA shall be subject to the jurisdiction of the competent courts in Prague, Czech Republic.
12. Liability
12.1. Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the main Service Agreement (Terms of Service) between the Parties.
12.2. Without prejudice to the mandatory provisions of the GDPR (in particular Articles 82 and 83), the Processor's total aggregate liability under this DPA shall not exceed the total fees paid by the Controller to the Processor during the twelve (12) months immediately preceding the event giving rise to the claim. The Processor shall not be liable for indirect, incidental, or consequential damages, including lost profits, regardless of the cause of action.
12.3. The Controller shall indemnify and hold the Processor harmless from any claims, damages, or expenses arising from: (a) the Controller's breach of its obligations under this DPA or the GDPR; (b) the Controller's processing of personal data in violation of applicable law; or (c) claims by data subjects resulting from the Controller's failure to provide adequate privacy notices or obtain required consents.
13. Final Provisions
13.1. This DPA forms an integral part of the service agreement between the Controller and the Processor.
13.2. In case of conflict between this DPA and the service agreement, this DPA shall prevail with respect to data protection matters.
13.3. Amendments to this DPA must be in writing (email is sufficient). The Processor reserves the right to update this DPA to reflect changes in applicable law, sub-processor list, or technical measures. The Controller will be notified of material changes via email at least 30 days before they take effect. Continued use of the Service after the effective date of the updated DPA constitutes acceptance of the changes.
13.4. Neither Party may assign or transfer the rights and obligations under this DPA without the prior written consent of the other Party, except in connection with a merger, acquisition, or sale of all or substantially all of the assigning Party's assets.
13.5. The Processor shall not be liable for any failure or delay in performing its obligations under this DPA to the extent that such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to: natural disasters, war, terrorism, riots, epidemics or pandemics, government actions, power or telecommunications failures, or failures of third-party infrastructure providers (force majeure). The Processor shall notify the Controller of such events without undue delay and shall use reasonable efforts to mitigate their impact on the processing of personal data.
ANNEX 1: List of Sub-processors
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (dedicated server) | All data stored in the Service | Germany |
| DigitalOcean LLC | File storage (Spaces/CDN) | Uploaded files, product images, static assets | EU (Amsterdam) / US |
| OpenAI, Inc. | AI language model for chat responses | Chat messages, conversation context, knowledge base excerpts | USA |
| Anthropic, PBC | AI language model (Claude) for chat responses | Chat messages, conversation context, knowledge base excerpts | USA |
| Google LLC | AI language model (Gemini) for chat responses; Gmail OAuth for email integration (if enabled) | Chat messages, conversation context; email content (if Gmail enabled) | USA |
| Microsoft Corporation | Outlook/Microsoft 365 OAuth for email integration (if enabled) | Email content, sender/recipient data (if Outlook enabled) | USA / Ireland |
| Meta Platforms, Inc. | Facebook Messenger integration (if enabled) | Messenger messages, user profile data from Facebook page interactions | USA / Ireland |
| Groq, Inc. | AI language model for chat responses | Chat messages, conversation context, knowledge base excerpts | USA |
| Stripe, Inc. | Payment processing for Chaterimo subscriptions (Chaterimo acts as an independent controller for billing — listed here for transparency only) | Stripe customer ID, subscription data (no card data stored by Chaterimo) | USA |
| Better Stack (Logtail) | Application logging and monitoring | Application logs including IP addresses, error details, email processing metadata, and request/response data from all application modules | EU |
| Zoho Corporation | CRM integration (if enabled by Controller) | Lead data: name, email, phone, chat transcript | USA / India |
| HubSpot, Inc. | CRM integration (if enabled by Controller) | Lead data: name, email, phone, chat transcript | USA |
| Pipedrive OÜ | CRM integration (if enabled by Controller) | Lead data: name, email, phone, chat transcript | EU (Estonia) / USA |
| Jina AI GmbH | Web page content extraction (fallback) | Website URLs and page content | Germany |
Note: CRM, email, and messaging sub-processors are only engaged when the Controller explicitly enables the respective integration. AI model sub-processors depend on the Controller's chosen model configuration.
ANNEX 2: Technical and Organizational Measures (TOMs)
The Processor implements the following measures pursuant to Art. 32 GDPR:
Access Control
- Role-based access control; each organization's data is isolated from other tenants (multi-tenant architecture)
- User authentication via email-based accounts with password hashing
- Administrative access restricted to authorized personnel
Encryption
- In transit: All external communication encrypted via TLS/HTTPS with automatic certificate management
- At rest: Sensitive credentials (API keys, OAuth tokens) encrypted using industry-standard symmetric encryption
- Database connections secured within an isolated internal network
Infrastructure Security
- Dedicated server (not shared hosting) located in Germany
- All services run in isolated containers on an internal network
- Only ports 80 and 443 exposed externally via reverse proxy with automatic TLS
- Automated security middleware: IP blocking, rate limiting, malicious pattern detection
- Real-time connection throttling for WebSocket and API endpoints
Data Isolation
- Multi-tenant architecture with organization-based data scoping
- Each organization's data (chatbots, knowledge base, sessions, leads) is logically separated
- Database connection pooling with transaction-level isolation
Availability and Resilience
- Redundant storage configuration
- Database with regular automated backups
- Persistent data services with health checks and automatic restart policies
Monitoring
- Real-time infrastructure monitoring
- Centralized log management and aggregation
- Application-level error tracking
Data Minimization
- AI API calls send only the necessary conversation context and relevant knowledge base excerpts
- Analytics data is aggregated and anonymized where possible
- IP addresses are used for security purposes (rate limiting, abuse detection); temporarily cached for blocking and included in application logs with standard retention periods
Sub-processor Management
- Written agreements with all sub-processors
- Regular review of sub-processor data protection practices
- Controller notification of sub-processor changes
Personnel
- Confidentiality obligations for all personnel with access to personal data
- Access limited to personnel who require it for operational purposes
By using the Chaterimo Service, the Controller agrees to this Data Processing Agreement as part of the Terms of Service.