Data Processing Agreement (DPA)

Last modified: June 7, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ChatData LLC ("Processor"), a company specializing in AI-powered chat solutions, and the customer ("Controller") for the provision of services. This DPA sets out the terms and conditions for the processing of personal data by the Processor on behalf of the Controller in accordance with the requirements of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Purpose and Scope

ChatData provides an AI chat function that may be offered to its clients. This Agreement establishes the terms under which ChatData will process personal data on behalf of its clients in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).

3. Definitions

  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including but not limited to the GDPR and FADP.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "AI Chat Function" means the artificial intelligence-powered chat solution provided by ChatData.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Data Protection Impact Assessment (DPIA)" means an assessment of the impact of the envisaged processing operations on the protection of personal data.

4. Processing of Personal Data

4.1 Processing Scope and Legal Basis

ChatData processes data solely for the purpose of enabling and improving its AI chat function for clients and their end users. The legal basis for processing includes:

  • Processing necessary for the performance of a contract
  • Processing based on legitimate interests
  • Processing based on explicit consent where required
  • Processing necessary for compliance with legal obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist the Controller in responding to requests from data subjects
  • Assist the Controller in ensuring compliance with security obligations, data breach notifications, and data protection impact assessments
  • Delete or return all Personal Data after the end of services
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28

4.2 Data Storage and Processing Locations

ChatData maintains the following data storage and processing infrastructure:

  • All conversation data and training data are stored in Switzerland, which has been recognized by the European Commission as providing an adequate level of data protection
  • Primary server infrastructure is provided by Oracle Cloud Infrastructure
  • Blob storage is provided by Azure Cloud Service
  • Training data is stored in our own vector database storage on Oracle Cloud Infrastructure servers
  • We do not use any third-party vendors for storing training data
  • Training data will not be shared with any vendors

Any transfer of personal data outside the European Economic Area (EEA) is conducted in compliance with GDPR Chapter V requirements, including:

  • Use of Standard Contractual Clauses (SCCs) where applicable
  • Ensuring adequate safeguards for data transfers
  • Maintaining records of data transfer mechanisms

4.3 Data Access and Usage

ChatData may access the data only for:

  • Debugging purposes
  • Troubleshooting
  • Service analysis and improvement
  • Quality assurance

4.4 Data Sharing Restrictions

ChatData shall not:

  • Resell any client data
  • Share client data with third parties
  • Disclose client data without prior written consent
  • Use client data for purposes other than those specified in this agreement

5. Sub-processors and Service Providers

ChatData engages the following Sub-processors and Service Providers:

5.1 Language Model Providers

  • OpenAI - Provides LLM API
    • We maintain a Business Associate Agreement (BAA) with OpenAI
    • OpenAI does not retain or use data for model training purposes
  • Anthropic - Provides LLM API
    • We maintain a Business Associate Agreement (BAA) with Anthropic
    • Anthropic does not retain or use data for model training purposes
  • Google Gemini - Provides LLM API
    • Natively restricts the use of API calls for model training
    • Data is not used for training purposes
  • Cohere - Provides reranking LLM API service
    • We have enabled the option to prevent data usage for training purposes
    • Data is not used for model training
  • DeepSeek - Accessed through OpenRouter
    • We do not have a direct contract with DeepSeek
    • Data processed through DeepSeek models may be used for training purposes
    • Users should be aware that their data might be used for training if they use DeepSeek models

5.2 Infrastructure Providers

  • Oracle Cloud Infrastructure
    • Provides server hosting
    • Provides database storage
    • Hosts our vector database for training data
  • Azure Cloud Service
    • Provides file storage
    • Provides backup LLM API services
  • Cloudflare
    • Provides DNS hosting
    • Provides CDN service
    • Provides caching
    • Provides rate limiting

5.3 Analytics Providers

  • PostHog
    • Provides frontend session analysis
  • Google Analytics
    • Provides frontend session analysis

The Processor may engage Sub-processors to process Personal Data, provided that:

  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors
  • The Controller shall have the right to object to such changes
  • The Processor shall impose the same data protection obligations on Sub-processors

6. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of personal data
  • Ability to ensure ongoing confidentiality, integrity, and availability
  • Regular testing and evaluation of security measures
  • Access control and authentication procedures
  • Incident detection and response procedures
  • Regular security assessments and audits
  • Employee confidentiality agreements
  • Secure data transmission protocols

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests by:

  • Implementing appropriate technical and organizational measures
  • Providing necessary information and assistance
  • Facilitating the exercise of data subject rights, including:
    • Right to access personal data
    • Right to rectification
    • Right to erasure ("right to be forgotten")
    • Right to restriction of processing
    • Right to data portability
    • Right to object to processing
    • Right to withdraw consent
  • Responding to data subject requests within the timeframes specified by applicable data protection laws
  • Maintaining records of data subject requests and responses

8. Data Protection Impact Assessment

The Processor shall:

  • Assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required
  • Provide necessary information about processing operations
  • Implement measures to address identified risks
  • Maintain records of processing activities
  • Consult with supervisory authorities where necessary

9. Data Breach Notification

The Processor shall:

  • Notify the Controller without undue delay after becoming aware of a personal data breach
  • Provide necessary information to assist the Controller in meeting its breach notification obligations
  • Document all personal data breaches, including the facts, effects, and remedial actions taken

10. Audit Rights

The Controller may:

  • Conduct audits or inspections of the Processor's facilities
  • Request information necessary to demonstrate compliance
  • Require the Processor to contribute to audits

11. Liability

The Processor shall be liable for any damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

12. Term and Termination

This DPA shall remain in effect as long as the Processor processes Personal Data on behalf of the Controller. Upon termination, the Processor shall securely delete or return all processed data as instructed by the Controller.

13. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the United States, without regard to its conflict of law principles.

14. Contact Information

For any questions regarding this DPA, data subject requests, or to exercise your rights under GDPR, please contact us at [email protected].

Our Data Protection Officer can be contacted at [email protected].