Data Processing Agreement (DPA)

This Data Processing Agreement sets out how chatebot processes personal data when acting as a processor for customer data. For enterprise DPA requests, contact [email protected].

1. Data Controller

Name: CHATEBOT (SMC-Private) Limited

Country: Pakistan

2. Processing Locations and Transfers

Primary Region: EU Central (Frankfurt) (eu-central-1)

chatebot uses EU primary hosting. Some subprocessors may process personal data outside the EU/EEA, including in the United States, where required to provide AI features, embeddings, moderation, channels, and actions. AI processors may vary based on selected model, platform key routing, BYOK configuration, and custom model IDs.

For restricted transfers, chatebot applies transfer safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, and equivalent legal mechanisms where applicable.

3. Subprocessors

The following third-party subprocessors process personal data on our behalf:

Laravel Cloud

Cloud hosting and infrastructure (Primary)

Country: Germany

Data Types: all application data, chat messages, user data

View DPA

PostHog

Product analytics and feature flag evaluation (events sent only when analytics consent is granted)

Country: European Union

Data Types: pseudonymous product analytics events, feature flag context

View DPAView Subprocessors

Resend

Transactional email delivery

Country: Ireland

Data Types: recipient email address, delivery metadata, email content

View DPAView Subprocessors

OpenAI

AI/LLM processing for chat responses where OpenAI models or compatible routes are used

Country: United States

Data Types: chat messages, knowledge base content

View DPA

Google Cloud Vertex AI

AI model and embedding processing for configured Vertex AI routes

Country: European Union / United States

Data Types: chat messages, knowledge base content, embeddings

View DPAView Subprocessors

AWS Bedrock

AI model and moderation processing for configured Bedrock routes

Country: United States

Data Types: chat messages, knowledge base content, moderation payloads

View DPAView Subprocessors

Suby

Payment processing and subscription management

Country: Finland

Data Types: billing information, email address

View DPA

4. Security and Confidentiality

chatebot implements technical and organizational measures designed to protect personal data and requires confidentiality obligations for personnel and subprocessors with access to personal data.

5. Data Subject Requests and Assistance

chatebot will provide reasonable assistance to help customers respond to data subject requests, taking into account the nature of processing and the information available to chatebot.

6. Deletion and Return

Upon termination of applicable services and subject to legal retention obligations, chatebot will delete or anonymize personal data processed under this DPA according to documented retention schedules.

7. Data Protection Officer

Name: Data Protection Officer

Email: [email protected]

8. Data Subject Rights

Under GDPR and applicable data protection laws, data subjects have the right to access, rectify, erase, port, and object to processing of their personal data. Contact [email protected] to exercise these rights.