Data Processing Addendum

Effective Date: February 1, 2025 · Last Updated: February 24, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between ChatFlow, operated by ChatFlow Limited ("Processor", "we", "us") and the customer ("Controller", "you", "your") who has agreed to the Agreement for the use of ChatFlow services.

Applicability: This DPA applies when ChatFlow processes Personal Data on your behalf as a data processor. By using ChatFlow services, you agree to this DPA. If you have a separately executed DPA with ChatFlow, that agreement takes precedence.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given in the Agreement.

  • "Applicable Data Protection Law" means all applicable laws relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act (CCPA), the Jamaica Data Protection Act 2020, and any other applicable data protection legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ChatFlow on behalf of the Controller in connection with the Agreement.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Sub-Processor" means any third party engaged by ChatFlow to process Personal Data on behalf of the Controller.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries (Commission Implementing Decision (EU) 2021/914).

2. Scope and Roles

2.1 Roles of the Parties

For the purposes of this DPA, you are the Controller (or equivalent designation under Applicable Data Protection Law) and ChatFlow is the Processor (or equivalent designation) with respect to the Personal Data processed through our services.

2.2 Scope of Processing

ChatFlow processes Personal Data solely to provide the services described in the Agreement. The details of processing are as follows:

  • Subject Matter: Provision of AI-powered customer support, chatbot, and communication services
  • Duration: For the term of the Agreement, plus any retention period required by law
  • Nature & Purpose: Receiving, storing, and processing customer conversations; AI-based response generation; analytics and reporting; multi-channel message routing
  • Categories of Data Subjects: End users, website visitors, customers, and support contacts of the Controller
  • Types of Personal Data: Names, email addresses, phone numbers, IP addresses, browser metadata, conversation content, and any Personal Data submitted through chatbot interactions

3. Obligations of the Processor

3.1 Processing Instructions

ChatFlow shall process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Data Protection Law. The Agreement and this DPA constitute the Controller's complete instructions. If ChatFlow believes an instruction infringes Applicable Data Protection Law, we will promptly notify you.

3.2 Confidentiality

ChatFlow ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

3.3 Security Measures

ChatFlow implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) with principle of least privilege; multi-factor authentication (MFA) for administrative access
  • Infrastructure: Hosting on cloud infrastructure covered by a SOC 2 Type II attestation report, with geographic redundancy
  • Monitoring: Continuous security monitoring, intrusion detection, and automated alerting
  • Network Security: Web application firewall (WAF), DDoS protection, and network segmentation
  • Backup & Recovery: Regular automated backups with tested disaster recovery procedures
  • Vulnerability Management: Regular security assessments, dependency scanning, and timely patching

3.4 Assistance to the Controller

ChatFlow shall assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller's obligations to respond to Data Subject requests exercising their rights under Applicable Data Protection Law.

4. Sub-Processors

4.1 Authorized Sub-Processors

The Controller grants ChatFlow general authorization to engage Sub-Processors for the processing of Personal Data. ChatFlow maintains the following Sub-Processors:

Sub-Processor (Purpose; Location):

  • Supabase Inc.: Database hosting, authentication, real-time services; United States
  • Vercel Inc.: Application hosting, edge functions, CDN; United States
  • OpenAI, L.L.C.: AI language model inference for chatbot responses; United States
  • Upstash Inc.: Message queuing and rate limiting; United States
  • Meta Platforms, Inc.: WhatsApp, Instagram, and Messenger channel integration; United States
  • Vapi Inc.: Voice AI call handling and telephony; United States
  • Stripe, Inc.: Payment processing; United States
  • Polar Software Inc.: Voice credit billing; United States
  • Google LLC: Analytics (Google Analytics); United States

4.2 New Sub-Processors

ChatFlow shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds relating to data protection, ChatFlow shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected services.

4.3 Sub-Processor Obligations

ChatFlow imposes data protection obligations on each Sub-Processor by way of contract, providing at least the same level of protection for Personal Data as set out in this DPA. ChatFlow remains liable for the acts and omissions of its Sub-Processors.

5. Data Protection Impact Assessments & Compliance

5.1 DPIA Assistance

ChatFlow shall provide reasonable assistance to the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Applicable Data Protection Law, taking into account the nature of processing and the information available to ChatFlow.

5.2 Supervisory Authority Consultation

Where Applicable Data Protection Law requires prior consultation with a supervisory authority before processing, ChatFlow shall cooperate and provide information necessary for such consultation upon the Controller's request.

5.3 Records of Processing

ChatFlow maintains records of processing activities carried out on behalf of the Controller, as required by Article 30(2) of the GDPR and equivalent provisions under Applicable Data Protection Law. These records include:

  • Name and contact details of the Processor
  • Categories of processing carried out on behalf of the Controller
  • International transfers and applicable safeguards
  • A general description of technical and organizational security measures

5.4 Data Subject Request Assistance

ChatFlow shall promptly notify the Controller if it receives a request from a Data Subject exercising their rights (access, rectification, erasure, restriction, portability, or objection). ChatFlow shall not respond to such requests directly unless authorized by the Controller or required by law.

6. Security Incident Notification

6.1 Notification Obligation

ChatFlow shall notify the Controller of any Security Incident without undue delay and in any event within 48 hours of becoming aware of the incident. The notification shall include:

  1. A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
  2. The name and contact details of ChatFlow's point of contact for further information
  3. A description of the likely consequences of the Security Incident
  4. A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its effects

6.2 Cooperation

ChatFlow shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident. ChatFlow shall preserve and provide evidence and logs relevant to the incident.

7. International Data Transfers

7.1 Transfer Mechanisms

Where Personal Data originating in the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to a country not deemed to provide an adequate level of data protection, ChatFlow ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): As approved by the European Commission (Module 2: Controller-to-Processor), incorporated by reference into this DPA
  • UK International Data Transfer Addendum: Where applicable, the UK Addendum to the EU SCCs as issued by the UK Information Commissioner's Office
  • Supplementary Measures: Including encryption in transit and at rest, access controls, and contractual commitments from Sub-Processors

7.2 Transfer Impact Assessments

ChatFlow conducts transfer impact assessments for international data transfers and implements supplementary measures where necessary to ensure the level of protection required by Applicable Data Protection Law.

8. Audit Rights

8.1 Information & Audit

ChatFlow shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller provides at least 30 days' prior written notice of any audit
  • Audits are conducted during normal business hours and do not unreasonably disrupt ChatFlow's operations
  • The Controller (or its auditor) enters into appropriate confidentiality obligations
  • Audits are limited to once per 12-month period, unless required by a supervisory authority or following a Security Incident

8.2 Certifications & Reports

Where available, ChatFlow may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II), or summaries thereof. The Controller agrees that such documentation may fulfill audit obligations where reasonable.

9. Data Retention & Deletion

9.1 Return or Deletion

Upon termination or expiration of the Agreement, ChatFlow shall, at the Controller's election, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data.

9.2 Retention Period

Where the Controller does not provide instructions, ChatFlow shall delete Personal Data within 90 days of termination of the Agreement, except where retention is required by law. ChatFlow shall certify deletion upon the Controller's written request.

9.3 Data Deletion Requests

Data Subjects and Controllers may request data deletion at any time through our Data Deletion Request page or by contacting us at [email protected].

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law to the extent such limitation is prohibited by law.

11. General Provisions

11.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.

11.2 Amendments

ChatFlow may update this DPA from time to time to reflect changes in our processing practices, Applicable Data Protection Law, or Sub-Processor arrangements. Material changes will be notified to the Controller via email or through the ChatFlow dashboard. Your continued use of the services after notification constitutes acceptance of the updated DPA.

11.3 Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, except where Applicable Data Protection Law requires otherwise.

12. Contact Information

For questions about this DPA or to exercise any rights related to data processing:

ChatFlow — Data Protection

Operated by ChatFlow Limited
Email: [email protected]
Website: https://chat-flow.app

For additional information about our privacy practices, please review our Privacy Policy and Terms of Service.