Data Processing Agreement (DPA)
Last updated: 6 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", acting as Data Controller) and KVA di Andreas Zanin ("Processor", "we"), P.IVA 01199720077, REA AL-266378, Italy. It governs the Processor's processing of personal data on the Customer's behalf in connection with the Simple Chat service ("Service").
By accepting the Terms of Service the Customer is also accepting this DPA. No signature is required; this DPA is legally binding upon use of the Service.
1. Roles & subject matter
For Visitor data processed through chatbots — whether embedded on the Customer's own websites or accessed through a Customer-activated public Share Link at https://getsimplechat.com/chat/{token} — the Customer is the Controller and we are the Processor (Art. 28 GDPR). For Customer's own account data we are the Controller (covered by the Privacy Policy). The Customer is required to provide a URL to its own privacy notice before activating any Share Link; we surface that URL in the widget footer so Visitors can review the Customer's data-handling practices.
No joint controllership. The parties acknowledge and agree that they are not joint controllers within the meaning of Art. 26 GDPR with respect to Visitor data. Each party determines the means and purposes of its own processing independently: the Customer determines the purposes for which Visitor data is processed (operating the bot, capturing leads, follow-up communication); the Processor determines only the technical means of providing the Service. Should the parties at any point jointly determine purposes (e.g. through a future feature involving aggregated cross-Customer analytics), they will execute a separate Art. 26 joint-controller arrangement before such processing begins.
2. Categories of data subjects & data
The categories of data subjects, types of personal data, and processing operations are set out in Annex 1.
The Customer must NOT use the Service to process special categories of data (Art. 9 GDPR) such as health, biometrics, political/religious views, or data of children under 16, unless the Customer has implemented appropriate safeguards and obtained the necessary consents.
3. Duration
This DPA is in force for as long as we process Customer's Visitor data, and until all such data is returned or deleted at the end of the Service relationship.
4. Processor obligations
We will:
- process Visitor data only on the Customer's documented instructions (the Customer's bot configuration constitutes such instructions); we will inform the Customer immediately if, in our opinion, an instruction infringes the GDPR or other Union or Member State data-protection law;
- ensure persons authorized to process the data are bound by an obligation of confidentiality;
- implement the technical and organizational measures set out in Annex 2 (Art. 32 GDPR);
- assist the Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling its obligations to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection — Articles 15-22 GDPR);
- assist the Customer, taking into account the nature of processing and the information available to us, in ensuring compliance with the Customer's obligations under Articles 32-36 GDPR (security of processing, breach notification, Data Protection Impact Assessment, prior consultation with the supervisory authority);
- notify the Customer without undue delay (within 72 hours of becoming aware) of any personal-data breach affecting Customer's Visitor data, providing the information listed in Art. 33(3) GDPR insofar as available;
- delete or return all Visitor personal data at the end of the Service relationship, subject to legal retention obligations;
- make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits in accordance with Section 7 below.
5. Sub-processors
The Customer grants us general authorization to engage sub-processors to provide the Service, within the categories listed in Annex 3. The current named list of sub-processors (with company names, addresses, and processing roles) is available on request to [email protected].
We will inform the Customer of the addition or replacement of any sub-processor at least 30 days in advance, by email and/or in-dashboard notice. The Customer may object on reasonable data-protection grounds within 15 days of such notice. If the Customer objects, the parties will discuss the matter in good faith for a further 15 days; if no resolution is reached, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service with prorated refund of pre-paid unused fees. Pending resolution, we may continue to use the existing sub-processor.
6. International data transfers
For sub-processors outside the EU/EEA we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, supplementary technical measures (encryption in transit and at rest, pseudonymization of identifiers).
7. Audits
The Customer may, at its expense and no more than once per year (unless a data breach occurred), request audit information necessary to demonstrate compliance. We may satisfy this obligation through third-party certifications or detailed responses to a security questionnaire.
8. Liability & limitation
The Processor's liability under this DPA is governed by the limitation of liability clause in the Terms of Service, except where the GDPR or other mandatory law imposes higher liability that cannot be limited.
9. Order of precedence
In case of conflict between the Terms of Service and this DPA on data protection matters, this DPA prevails.
10. Contact
For DPA-related questions: [email protected].
Annex 1 — Categories of data subjects & data
A. Subject matter and nature of processing. Provision of an embeddable AI chatbot service that receives Visitor messages, generates responses through a third-party large language model, optionally captures contact information through lead-capture forms, and delivers chat transcripts and handoff requests to the Customer.
B. Purpose of processing. To enable the Customer to operate AI-powered chatbots on its websites or via a public Share Link, and to provide related features (lead capture, conversation history, analytics, transcript delivery, human handoff) chosen by the Customer.
C. Duration of processing. For the duration of the Service relationship, plus any retention period required by mandatory law or chosen by the Customer in the dashboard. Visitor conversations and leads remain available until the Customer deletes them or until 30 days after the account closes.
D. Categories of data subjects.
- Visitors interacting with chatbots embedded on the Customer's websites.
- Visitors accessing chatbots through the Customer-activated public Share Link.
- Lead-capture submitters (visitors who submit a contact form).
- Recipients of chat transcripts or handoff notifications, where the Customer's bot configuration enables those features.
E. Categories of personal data.
- Conversation content — text messages and optional images uploaded by the visitor, AI-generated responses.
- Technical identifiers — salted SHA-256-hashed IP, language preference, user agent, page URL where the chat originated.
- Geographic data — country derived from IP geolocation prior to hashing.
- Lead-form data — name, email, phone, and any custom fields configured by the Customer.
- Session identifiers — random session ID stored in the visitor's browser localStorage to preserve conversation continuity.
F. Special categories. The Customer must NOT submit Art. 9 GDPR special-category data (health, biometrics, political/religious views, sexual orientation, etc.) or Art. 10 criminal-conviction data, or data of children under 16, unless the Customer has implemented appropriate safeguards and obtained the necessary consents.
Annex 2 — Technical & organizational measures (Art. 32 GDPR)
We implement and maintain the following technical and organizational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
A. Confidentiality (Art. 32.1.b GDPR).
- Encryption in transit: all traffic to and from the Service is served over HTTPS/TLS 1.2+ with strong cipher suites; HSTS enabled on all subdomains.
- Encryption at rest: file-system encryption on infrastructure level where supported by the underlying hosting provider. Customer passwords are managed entirely by our authentication provider (Firebase Auth) and never reach our infrastructure in plaintext. We apply salted SHA-256 hashing for API keys, password-reset tokens, email-verification tokens, and Visitor IPs.
- Access control: role-based access in the dashboard (customer / admin); audit log of every administrative action retained for one year; brute-force throttling and CAPTCHA on authentication endpoints. Two-factor authentication is enforced on the super-admin surface; for end-customer accounts, additional authentication factors are available through our authentication provider's account-security settings.
- Pseudonymization: Visitor IPs are stored only as salted SHA-256 hashes; we never persist the raw IP.
- Network security: Cloudflare-fronted CDN with DDoS protection and Web Application Firewall; rate limiting at application layer; SQL prepared statements throughout; HTMLPurifier on user-generated HTML.
- Confidentiality obligations: all personnel and contractors with access to personal data are bound by written confidentiality undertakings.
B. Integrity (Art. 32.1.b GDPR).
- Cryptographically signed JWT tokens (HS256) for widget sessions, bound to ip_hash and parent-page origin.
- CSRF tokens on all state-changing dashboard requests; same-site cookie flags.
- Strict input validation on all API endpoints; magic-byte verification + EXIF stripping on uploaded images.
- Code-review and security-test gating before production deployment; dependency vulnerability scanning.
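The following Python sketch is an added illustration of two of the measures above (the salted SHA-256 pseudonymization of Visitor IPs in A, and the HS256 widget-session token bound to ip_hash and parent-page origin in B); it is not code from the DPA or from the Simple Chat service. The secret values, the function names, and the claim names iph and origin are assumptions made for the example; only the standard library is used.

```python
"""
Added example (not part of the DPA or the Simple Chat code base): salted
SHA-256 pseudonymization of a Visitor IP, plus an HS256 widget-session token
bound to that ip_hash and to the parent-page origin. Secrets, function names
and claim names are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets for the example. In production they live in a secrets
# store, never in source control, and the IP salt must stay secret.
IP_SALT = b"example-ip-salt-rotate-me"
JWT_SECRET = b"example-jwt-signing-secret"


def ip_hash(ip: str, salt: bytes = IP_SALT) -> str:
    """Salted SHA-256 of a Visitor IP (hex). The IPv4 space is small enough
    to enumerate, so the secrecy of the salt is what makes this a
    pseudonym rather than a reversible fingerprint."""
    return hashlib.sha256(salt + ip.encode("ascii")).hexdigest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_widget_token(ip: str, origin: str, ttl: int = 3600,
                       now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose claims bind it to ip_hash and origin."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iph": ip_hash(ip), "origin": origin, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(JWT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_widget_token(token: str, ip: str, origin: str,
                        now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is valid for this request, else None.
    Signature is checked first (constant time), then the algorithm is pinned,
    then expiry, then the two binding claims."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        signing_input = (h + "." + p).encode("ascii")
        expected = hmac.new(JWT_SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if header.get("alg") != "HS256":  # never honour alg=none or a swapped alg
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    # Binding checks: a token stolen from one page or one network location
    # does not verify for a request arriving from another.
    if not hmac.compare_digest(str(payload.get("iph", "")), ip_hash(ip)):
        return None
    if payload.get("origin") != origin:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_widget_token("203.0.113.7", "https://example.com", ttl=60, now=1_000_000)
    print(verify_widget_token(tok, "203.0.113.7", "https://example.com", now=1_000_010))
    print(verify_widget_token(tok, "203.0.113.7", "https://other.example", now=1_000_010))
```

Two points worth noting from a review standpoint. First, the pseudonymization in Annex 2.A only holds while the salt is secret and is rotated with care; a keyed construction such as HMAC-SHA256 is the conventional way to express the same intent. Second, the binding claims are only meaningful because the signature is verified before any claim is read and the algorithm is pinned to HS256 server-side rather than taken from the token header.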
C. Availability and resilience (Art. 32.1.b GDPR).
- Backups: automatic daily full database snapshots retained by the hosting provider for 30 days; point-in-time restore available.
- Monitoring: uptime monitoring; production error tracking; admin anomaly-detection cron alerts.
- Capacity: rate limits and tier caps prevent runaway resource usage by individual accounts.
D. Restoration (Art. 32.1.c GDPR). We test restore procedures from backup at least annually. Maximum tolerated outage target: 24 hours; maximum tolerated data loss target: 24 hours.
E. Regular testing and evaluation (Art. 32.1.d GDPR).
- Internal security review on every release that modifies authentication, payment, or data-export code paths.
- Vulnerability disclosures: [email protected]; we patch known vulnerabilities within 7 days of disclosure for HIGH severity, 30 days for MEDIUM.
F. Data minimization and retention.
- Per-table retention policies enforced by automated cleanup jobs (AI call logs 90 days, audit log 365 days, email send log 90 days).
- Visitor IPs hashed at intake; raw IPs never persisted.
- Account deletion within 30 days of Customer request, except for fiscal-retention obligations (7 years for invoicing data under Italian law).
G. Sub-processor governance. Each sub-processor is bound to data-protection obligations no less protective than those imposed on us by this DPA, including by Standard Contractual Clauses where transfers outside the EU/EEA occur. See Annex 3.
Annex 3 — Sub-processor categories
The Customer authorizes us to engage sub-processors in the following categories of service. The current named list of sub-processors (with company names, addresses, and processing roles) is available on request to [email protected].
| Category | Purpose | Location |
|---|---|---|
| AI inference provider | Generates chatbot responses from input prompts | USA (SCCs) |
| Authentication provider | Account login, identity verification | USA (SCCs) |
| Payment processor | Subscription billing, refunds, tax handling | EU / USA |
| Transactional email service | Account emails, password resets, receipts | USA |
| CDN & CAPTCHA service | DDoS protection, anti-bot challenges | USA (SCCs) |
| Error tracking service | Production-only crash reports (no PII) | USA (SCCs) |
| Application hosting | Servers and database hosting | EU |
| Electronic invoicing service | Fiscal invoice generation (all customers, IT and international) | EU |
KVA di Andreas Zanin · P.IVA 01199720077 · REA AL-266378 · Italy