Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AP Software ("Processor") and the Customer ("Controller") and sets out the terms applicable to the processing of Personal Data under the EU General Data Protection Regulation 2016/679 ("GDPR"), in particular Article 28.

This DPA is deemed accepted when the Controller accepts the Terms of Service or executes an Order Form. Customers requiring a countersigned DPA may email [email protected].

1. Definitions

Terms not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Data Subject", "Controller", "Processor" and "Sub-processor" have the meanings in Art. 4 GDPR.

2. Subject matter and duration

Processor processes Personal Data on behalf of Controller to deliver the Chatrix Service. Processing continues for the duration of the Service plus retention periods set in the Privacy Policy and applicable law.

3. Nature and purpose

Processing is necessary to: host, transmit and display Customer Data; provide AI features (reply suggestions, sentiment, summarization, RAG retrieval); deliver notifications; produce analytics; and support the Controller.

4. Categories of Data Subjects and Personal Data

• Data Subjects: Controller's website visitors, end customers, operators and administrators.
• Categories: identifiers (name, email), contact details, conversation content and metadata, technical data (IP, device, locale), optional messenger handles, any data voluntarily included by Data Subjects in messages.

Controller must not use the Service to process special categories of data (Art. 9 GDPR) unless agreed in writing.

5. Controller's obligations

• Ensure a lawful basis for processing;
• Provide privacy notices to Data Subjects;
• Give only documented, lawful instructions to Processor.

6. Processor's obligations

• Process Personal Data only on documented instructions;
• Ensure personnel are bound by confidentiality;
• Implement security measures appropriate to the risk (Art. 32) — see Security;
• Assist Controller in fulfilling Data Subject requests;
• Assist with Data Protection Impact Assessments where required;
• Notify Controller without undue delay after becoming aware of a Personal Data breach (Art. 33).

7. Sub-processors

Controller grants general authorization for engaging Sub-processors. Current Sub-processors include cloud hosting, email delivery, AI inference and payment providers. A current list is available on request at [email protected].

Processor notifies Controller of changes with at least 30 days' notice. Controller may object on reasonable grounds; if we cannot accommodate the objection, either party may terminate the affected Service with a pro-rata refund of prepaid fees.

8. International transfers

Primary processing takes place in the European Union. Where transfers outside the EU/EEA occur, Processor relies on the EU Standard Contractual Clauses (Commission Decision 2021/914/EU) and supplementary measures where required.

9. Security

Processor implements appropriate technical and organizational measures per Art. 32, including encryption in transit and at rest, access control, logging, regular backups, secure development practices, vendor risk assessment and personnel training.

10. Data Subject requests

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures to fulfil Data Subject requests (Art. 15–22 GDPR).

11. Audits

Controller may audit Processor's compliance with this DPA once per year, with at least 30 days' written notice, during business hours, in a manner that does not unreasonably disrupt operations, subject to confidentiality obligations. Processor may satisfy audit rights by providing attestations or third-party audit reports.

12. Return or deletion

On termination, at Controller's choice Processor returns or deletes Personal Data within 60 days, except copies required to be retained by law.

13. Liability and governing law

Liability under this DPA is subject to the limitations in the Terms of Service. Governing law: Poland, in line with the Terms.

14. Contact

AP Software, Poland — [email protected] / [email protected]