Data Processing Addendum
How MyChatBot processes personal data on your behalf as your processor.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer,” the controller) and MyChatBot (the processor) and applies whenever we process Personal Information contained in Customer Content on your behalf and subject to data-protection law (including the EU/UK GDPR and applicable US state privacy laws).
“Personal Information” (or “personal data”) means information relating to an identified or identifiable person that we process on your behalf. “Processing,” “controller,” “processor,” and “data subject” have the meanings given under applicable data-protection law. “Subprocessor” means a third party we engage to process Personal Information.
You are the controller and we are the processor for Customer Content. We will process Personal Information only on your documented instructions, which include your configuration and use of the Service, except where law requires otherwise, in which case we will notify you unless prohibited.
| Item | Details |
|---|---|
| Subject matter | Provision of the MyChatBot Service. |
| Duration | The Subscription Term; Customer Content is retained for no more than two (2) months, then deleted. |
| Purpose | Operating the agents, automations, and integrations you configure. |
| Data subjects | Your users, customers, contacts, and other individuals whose data you route through the Service. |
| Data types | As determined by you; you must not submit Sensitive Personal Data. |
We maintain the technical and organizational measures described in the Annex below and on our Data Security page, designed to protect Personal Information against unauthorized access, loss, or disclosure, taking into account the state of the art and the risks of processing.
You authorize us to engage the subprocessors listed at our Subprocessors page. We impose data-protection obligations on each subprocessor at least as protective as this DPA and remain responsible for their performance. We will give notice of new subprocessors and a reasonable opportunity to object on legitimate grounds.
Taking account of the nature of processing, we will assist you with responding to data-subject requests and with your obligations regarding security, breach notification, and data-protection impact assessments. If we receive a request directly, we will refer it to you unless legally required to respond.
We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Content and provide information reasonably available to help you meet your notification obligations.
Where we transfer Personal Information internationally, we rely on appropriate safeguards including the Standard Contractual Clauses (which are incorporated by reference) and the EU-US Data Privacy Framework. See our Data Transfer Impact Assessment.
On termination, and on your request, we will delete or return Customer Content as described in our Data Retention / Deletion / Export schedule, except where retention is required by law.
We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and subject to confidentiality, allow audits, which we may satisfy by providing third-party certifications or reports.
Encryption of data in transit and at rest; role-based access controls and least-privilege access; network and application security controls; logging and monitoring; secure development practices; vendor risk management; business-continuity and incident-response procedures; and personnel confidentiality and training.