Data Processing Agreement (GDPR-Compliant)

Last Updated: [Insert Date]

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms and Conditions (“Principal Agreement”) between:

(1) The Customer (“Controller”)
and
(2) GravixChat (“Processor”), a provider of AI-powered chatbot and analytics services.

Both parties agree to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all applicable data protection laws.


1. Definitions

  • “Personal Data”: Any information relating to an identified or identifiable natural person.
  • “Processing”: Any operation performed on Personal Data, such as collection, storage, retrieval, or deletion.
  • “Controller”: The party determining the purposes and means of processing Personal Data (the Customer).
  • “Processor”: The party processing Personal Data on behalf of the Controller (GravixChat).
  • “Sub-processor”: Any third party engaged by the Processor to assist with processing activities.

2. Scope of Processing

The Processor will process Personal Data solely for the purpose of providing the GravixChat platform, including:

  • Chatbot operation and message handling
  • Analytics, logging, and performance monitoring
  • Account creation and authentication
  • Workflow execution
  • Customer support
  • System maintenance and security

Processor will not process Personal Data for any purpose other than those described here.


3. Nature of Personal Data

Depending on Customer configuration, data may include:

  • User messages sent to the chatbot
  • Contact information voluntarily provided (e.g., email, phone number)
  • Website visitor interaction logs
  • IP addresses, device identifiers, browser metadata (anonymized where possible)
  • Account information of the Customer (profile details, billing info)

The Controller is responsible for ensuring Personal Data is lawfully collected.


4. Duration of Processing

Processor will process Personal Data for as long as the Customer uses the Service or until instructed to delete data.


5. Obligations of the Processor (GravixChat)

Processor agrees to:

5.1 Process Data Only on Documented Instructions

Processor will only process Personal Data according to the Controller’s written instructions.

5.2 Confidentiality

All GravixChat employees and subcontractors with data access are bound by strict confidentiality obligations.

5.3 Security Measures

Processor will implement appropriate technical and organizational measures including:

  • Encryption at rest and in transit
  • Access control and authentication
  • Firewall and intrusion detection
  • Regular security audits
  • Data minimization and anonymization practices

5.4 Data Breach Notification

Processor will notify the Controller without undue delay of any Personal Data breach.

5.5 Assistance with Data Subject Rights

Processor will reasonably assist the Controller in responding to:

  • Access requests
  • Rectification
  • Erasure (“Right to be Forgotten”)
  • Restriction or objection
  • Data portability requests

5.6 Deletion or Return of Personal Data

Upon termination, Processor will:

  • Delete all Personal Data, or
  • Return it to the Controller upon request
    unless applicable laws require retention.

6. Obligations of the Controller (Customer)

Controller agrees to:

  • Ensure all Personal Data is collected lawfully
  • Obtain all necessary consents and disclosures
  • Not upload prohibited or sensitive data (unless legally compliant)
  • Ensure chatbot usage complies with GDPR and privacy laws
  • Configure workflows, data collection forms, and prompts responsibly

Controller is fully responsible for data collected via the chatbot.


7. Sub-processors

Processor may engage third-party Sub-processors to support the Service.
Common Sub-processors include:

  • OpenAI (AI model processing)
  • Analytics platforms (Google Analytics, log management tools)
  • Cloud hosting providers (AWS, DigitalOcean, etc.)
  • Payment processors (Stripe, Paddle)

Processor will:

  • Maintain an updated list of Sub-processors
  • Ensure all Sub-processors are GDPR-compliant
  • Impose data protection terms equivalent to this DPA

Controller will be notified of new Sub-processors where legally required.


8. International Data Transfers

Personal Data may be transferred to countries outside the EU/EEA.
When this occurs, Processor ensures that transfers rely on:

  • Adequacy decisions, or
  • Standard Contractual Clauses (SCCs), or
  • Other lawful transfer mechanisms under GDPR

Processor ensures an equivalent level of protection for all data transfers.


9. Audit Rights

Controller has the right to:

  • Request information demonstrating compliance
  • Perform or mandate audits, subject to:
    • Reasonable notice
    • Protection of Processor’s confidentiality and security
    • Non-disruptive scheduling

Processor will cooperate fully with compliance reviews.


10. Liability

Liability is governed by the Principal Agreement.
Each party remains responsible for its own GDPR compliance.


11. Termination

This DPA remains in effect as long as the Customer uses the Service.
Upon termination of the Principal Agreement:

  • Processor will delete or return Personal Data as requested
  • All obligations relating to confidentiality and security will survive termination

12. Contact Information

For data protection inquiries or GDPR requests, contact:

support@gravixchat.com


13. Signatures

By continuing to use GravixChat, both parties acknowledge and agree to this Data Processing Agreement.