DATA PROCESSING AGREEMENT

This Data Processing Agreement (the “DPA”) forms an integral part of the Terms of Service and governs the processing of personal data in connection with the use of the Service.

Where Regulation (EU) 2016/679 (the “GDPR”) applies to the relationship between the Parties, personal data shall be processed in accordance with the Privacy Policy, this Data Processing Agreement, and, in the event of cross-border transfers of personal data, the Standard Contractual Clauses, which form part of the Parties’ contractual documentation.

1. DEFINITIONS AND INTERPRETATION

1.1. The terms “Controller,” “Processor,” “Personal Data,” and “Processing” shall have the meanings assigned to them under applicable data protection laws, including the GDPR where applicable.

1.2. The Controller is the user of the Service.

1.3. The Processor is the Service Provider.

2. SUBJECT MATTER OF THE DPA

2.1. The Controller instructs the Processor, and the Processor undertakes, to process Personal Data solely for the purpose of providing and ensuring the operation of the Service, in accordance with this DPA, the Terms of Service, and the documented instructions of the Controller.

2.2. Processing may be carried out by automated and/or non-automated means.

3. CATEGORIES OF DATA AND DATA SUBJECTS

3.1. The categories of Personal Data and data subjects are determined by:

a) the functionality of the Service;

b) the actions of the Controller; and

c) the description in the Privacy Policy.

3.2. The Processor does not determine the content of the data uploaded or transmitted by the Controller through the Service.

4. CONTROLLER’S INSTRUCTIONS

4.1. The Controller provides instructions for the processing of Personal Data through:

a) use of the Service functionality;

b) account settings;

c) the Terms of Service and related documents.

4.2. The Processor is not obliged to comply with instructions that:

a) conflict with applicable law; or

b) fall outside the functionality of the Service.

5. CONFIDENTIALITY

5.1. The Processor ensures that persons authorised to process Personal Data:

a) are subject to confidentiality obligations; and

b) have access only to the extent necessary.

6. OBLIGATIONS OF THE PROCESSOR

6.1. The Processor shall process Personal Data exclusively in accordance with:

a) this DPA;

b) the Terms of Service; and

c) documented instructions of the Controller arising from use of the Service.

6.2. The Processor ensures the confidentiality of Personal Data and limits access to authorised persons only.

6.3. The Processor implements appropriate technical and organisational security measures, taking into account the nature of the processing and the level of risk to the rights and freedoms of data subjects.

6.4. The Processor shall not use Personal Data for its own purposes, except where it acts as an independent controller under the Terms of Service or applicable law.

6.5. The Processor is not obliged to comply with instructions that:

a) conflict with applicable law;

b) exceed the functionality of the Service; or

c) require technical or organisational actions not provided for by the Terms of Service.

7. SECURITY OF PROCESSING

7.1. The Processor implements appropriate technical and organisational measures to protect Personal Data, taking into account:

a) the nature of the processing; and

b) risks to the rights of data subjects.

7.2. General security approaches are described in the Privacy Policy.

8. SUB-PROCESSORS

8.1. The Controller grants a general authorisation to the Processor to engage sub-processors, including providers of:

a) hosting;

b) cloud infrastructure;

c) payment services; and

d) integration and communication solutions.

8.2. The Processor ensures that such sub-processors assume data protection obligations no less protective than those set out in this DPA.

8.3. The Processor may update the list of sub-processors without individual prior approval of the Controller, provided an equivalent level of personal data protection is ensured.

9. CROSS-BORDER TRANSFERS AND PLACE OF PROCESSING

9.1. Personal Data processed within the Service is stored on servers located within the European Union.

9.2. Regardless of the Processor’s place of registration, the place of processing for the purposes of this DPA shall be deemed to be the location of the relevant infrastructure or sub-processor actually performing the processing.

9.3. Where processing or access qualifies as a cross-border transfer under Articles 44–46 GDPR, such transfer shall take place only where appropriate safeguards are in place.

9.4. For the purposes of ensuring such safeguards, the Parties agree that the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914, Module 2 (Controller → Processor), shall automatically apply to the relevant cross-border transfer and shall be deemed incorporated into this DPA by reference. The application of the SCCs does not mean that all processing within the Service constitutes a cross-border transfer.

9.5. The SCCs apply solely for the scope and duration of the relevant cross-border transfer and do not amend other provisions of this DPA except where expressly provided therein.

9.6. In case of conflict between this DPA and the SCCs, the SCCs shall prevail exclusively with respect to cross-border transfers of Personal Data.

10. DATA SUBJECT RIGHTS

10.1. If the Processor receives a request from a data subject, it shall:

a) inform the Controller; and

b) not respond independently unless required by law.

10.2. Taking into account the nature of the processing and the technical capabilities of the Service, the Processor shall provide reasonable assistance to the Controller in fulfilling its obligations regarding data subject rights, where necessary and justified.

11. SECURITY INCIDENTS

11.1. In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay.

11.2. Incident response details shall be determined based on the nature of the incident and applicable law.

12. DURATION OF PROCESSING AND DATA DELETION

12.1. Personal Data shall be processed for the duration of the contractual relationship.

12.2. Upon termination, Personal Data shall, at the Controller’s choice, be deleted or anonymised unless:

a) retention is required by applicable law; or

b) retention is necessary for backup storage for a limited period under the Processor’s internal security policies.

13. LIABILITY

13.1. Each Party shall be liable within the limits provided by:

a) the Terms of Service; and

b) applicable law.

13.2. The Processor is not responsible for:

a) the lawfulness of data collection by the Controller;

b) the content of Personal Data; or

c) the Controller’s compliance with data subject information obligations.

14. FINAL PROVISIONS

14.1. This DPA forms an integral part of the Terms of Service and enters into force upon acceptance thereof by the user, including through registration, payment, or actual use of the Service.

14.2. In case of conflict between this DPA and other contractual documents, this DPA shall prevail with respect to personal data processing, except for cross-border transfers where the SCCs prevail if applicable.

14.3. In accordance with Article 28(3)(h) GDPR, the Processor shall, upon written request, provide the Controller with reasonably necessary information to demonstrate compliance, subject to confidentiality and security limitations.

14.4. The Parties expressly agree that the SCCs (EU) 2021/914, where applicable under Section 9, form an integral part of the contractual documentation and are deemed accepted simultaneously with the Terms of Service.

14.5. Annex I (Description of the Processing and Transfer) and Annex II (Technical and Organisational Measures) form an integral part of this DPA.

14.6. These Annexes apply both for the purposes of this DPA and, where applicable, for the purposes of the SCCs (EU) 2021/914, Module 2.

ANNEX I

Description of the Processing and Transfer

(Annex I to the Standard Contractual Clauses (EU) 2021/914 – Module 2)

Data Exporter (Controller):

The Service user who determines the purposes and means of processing and acts as controller under applicable law.

Data Importer (Processor):

The Service Provider e-chat.tech, processing Personal Data on behalf of and under the instructions of the Controller.

Categories of Data Subjects:

  • users of the Service, including individuals, sole proprietors, and representatives of legal entities;
  • end users, clients, or other third parties whose Personal Data is processed by the Controller through the Service.

Categories of Personal Data:

  • account and identification data;
  • contact data;
  • technical, operational, and log data;
  • voice call metadata and related technical data;
  • other Personal Data provided by the Controller through the Service.

Special Categories of Data:

Processing of special categories of Personal Data is not intended and occurs only if such data is transferred by the Controller at its own discretion and responsibility.

Purpose(s) of Processing:

Provision, maintenance, administration, and operation of the Service.

Nature of the Processing:

Automated and/or non-automated processing within the Service functionality, in accordance with documented instructions of the Controller.

Duration of Processing:

For the duration of the contractual relationship and thereafter as provided by this DPA and applicable law.

Sub-processors:

As permitted under the DPA, including hosting, cloud, payment, integration, and communication service providers.

ANNEX II

Technical and Organisational Measures

(Annex II to the Standard Contractual Clauses (EU) 2021/914)

The Processor implements appropriate technical and organisational security measures, including:

Access Control

  • restricted access to authorised persons only;
  • least-privilege principle;
  • role-based access controls.

Data Security

  • logical and technical protection of systems;
  • measures against unauthorised access, loss, or alteration.

Logging and Monitoring

  • logging of system events and access;
  • security monitoring for incident detection.

Backup and Recovery

  • regular backups;
  • ability to restore data after incidents.

Organisational Measures

  • confidentiality obligations;
  • internal security policies and procedures;
  • access limitation to what is necessary.

Measures are reviewed and updated as risks or technologies change.

More detailed security approaches may also be described in the Data Processing Agreement, the Privacy Policy, and the Processor’s internal documentation.

The measures may be reviewed and updated by the Processor to reflect changes in risks or the technological environment.