Data Processing Agreement
Last updated: May 2026
Overview
This Data Processing Agreement ("DPA") forms part of the subscription agreement or other written contract between DataChi S.à r.l., with registered office at 68 rue de L'Etang, L-3465 Dudelange, Luxembourg ("DataChi", "we", "our"), and you, the customer ("Customer", "you", "your") (collectively, the "Parties").
This DPA governs how DataChi handles Personal Data when acting as a processor — that is, when we process data on your behalf and under your instructions as part of the Services. Where DataChi determines the purposes and means of processing independently (for example when you visit our marketing website), DataChi acts as controller and the Privacy Policy applies instead.
In case of any inconsistency between this DPA and the main subscription agreement, this DPA takes precedence on matters relating to the processing of Personal Data.
1. Key definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR
- "Processing" — Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
- "Controller" — The party that determines the purposes and means of Processing
- "Processor" — The party that Processes Personal Data on behalf of the Controller
- "Subprocessor" — Any third party we engage to process Personal Data under this DPA
- "GDPR" — Regulation (EU) 2016/679
2. Scope of processing
2.1 Instructions from the Controller
DataChi will only Process Personal Data in accordance with documented instructions from the Customer. The scope of permitted Processing is defined in the subscription agreement, this DPA, and any written amendments agreed between the Parties. We will not use Personal Data for any purpose beyond what is set out in those instructions.
2.2 What we Process
Subject matter of Processing: provision of the DataChi autonomous AI Sales Team Services to the Customer, including automation of sales workflow tasks (prospect research, meeting preparation, follow-up drafting, call summarisation, and pipeline updates).
Categories of data subjects: (i) the Customer's personnel using the Services (e.g., sales representatives, managers, administrators); and (ii) the Customer's prospects, leads, customers, and other business contacts whose information the Customer submits to or generates through the Services.
Categories of Personal Data. Depending on the Customer's configuration and use of the Services, this may include:
- Identification and contact data of sales representatives and end-users (name, business email, role)
- CRM contact data (names, business contact details, company affiliation, deal/pipeline information, notes)
- Calendar and meeting metadata (attendees, times, subjects)
- Email and other written communication content where the Customer connects such sources
- Sales-call audio and the resulting transcripts and summaries (where the Customer enables call processing)
- Publicly available business profile information (e.g., LinkedIn data the Customer authorises us to retrieve)
- Authentication and Service-usage logs
The Customer is responsible for ensuring it has a lawful basis for submitting these categories to the Services and should not submit special categories of personal data (Art. 9 GDPR) unless expressly agreed in writing.
Nature and purpose of Processing: storage, retrieval, retrieval-augmented generation (RAG), text generation, summarisation, classification, and onward transmission to authorised third-party tools at the Customer's instruction.
2.3 No training of AI models on Customer Data
DataChi does not use Customer Personal Data to train, fine-tune, or otherwise improve any general-purpose AI model — whether DataChi's own models or those of our model subprocessors. We contractually require our model subprocessors (OpenAI, Anthropic, OpenRouter) to disable training on data submitted via our API integrations.
2.4 Duration
We will Process Personal Data for as long as the subscription agreement is in effect. Upon its termination or expiration, the Customer may request that we return all Personal Data in a common machine-readable format, or that we delete all copies in our possession or under our control, unless applicable law obliges us to retain a copy (in which case we will retain it only for the minimum legally required period and protect it under the security measures of this DPA).
3. DataChi's commitments as Processor
3.1 Lawful Processing
We will Process Personal Data only in compliance with Applicable Data Protection Law and the instructions set out in this DPA.
3.2 Staff obligations
Any member of our staff who handles Personal Data is subject to binding confidentiality obligations. Access to Personal Data is restricted to those who need it to perform their duties.
3.3 Security safeguards
We implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 GDPR. These measures are designed to ensure a level of security appropriate to the risk and include:
- End-to-end encryption of data in transit and at rest
- Use of pseudonymization and anonymization where suitable
- Ongoing monitoring of processing systems to detect and respond to security incidents
- Regular testing and assessment of the effectiveness of security controls
- Role-based access controls and the principle of least privilege
3.4 Engaging Subprocessors
We use a limited number of trusted third-party service providers to deliver aspects of the Services (for example, cloud infrastructure providers). We refer to these as Subprocessors. We only share Personal Data with Subprocessors to the extent strictly necessary for them to deliver their services to us.
Before engaging any new Subprocessor that will have access to Personal Data, we will notify the Customer and provide information about the identity of the Subprocessor and the nature of their work. The Customer may object in writing within 14 days. If the Customer objects and we cannot reach an alternative arrangement, the Customer may terminate the affected part of the subscription.
We remain responsible for the performance of our Subprocessors as if we performed the work ourselves.
3.5 Supporting data subject rights
We will take reasonable steps to help the Customer fulfil its obligations when data subjects exercise their rights. Given the nature of our Services, the primary mechanism for this is through the tools and features we make available to the Customer within the Product. We will also:
- Promptly forward any data subject request received directly by us to the Customer
- Assist with responding to requests that require action within the Product environment
3.6 Notifying and assisting with incidents
Should we become aware of a Personal Data breach, we will notify the Customer without undue delay, in accordance with the timeframes required by Article 33 GDPR. We will also provide reasonable assistance to the Customer in meeting its own breach notification and documentation obligations.
3.7 Compliance support
Upon request, we will provide the Customer with reasonable assistance in meeting obligations arising under Articles 32 through 36 of GDPR — including obligations around security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
3.8 Verification and audits
We make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and we permit and cooperate with reasonable audits or inspections by the Customer or an independent qualified auditor appointed on the Customer's behalf.
Instead of a dedicated audit, we may provide: a current SOC 2 Type II report or equivalent certification; or a completed third-party data security questionnaire. We will discuss and agree on the most appropriate form of evidence with the Customer on a case-by-case basis.
4. Hosting locations and international transfers
DataChi hosts Customer Personal Data in data centres located within the European Union (Scaleway, Gcore EU regions) and the United States (Cloudflare, OpenAI, Anthropic, OpenRouter, Stripe). Where Personal Data is transferred outside the European Economic Area (EEA), DataChi relies on a valid Chapter V GDPR transfer mechanism, including:
- The European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by appropriate technical measures (encryption in transit and at rest) and contractual measures (no-training commitments, confidentiality, audit rights)
- An adequacy decision by the European Commission, including the EU-US Data Privacy Framework where the recipient is certified
- A transfer impact assessment ("TIA") performed by DataChi where required, available to the Customer on request
Annex 1 — Approved Subprocessors
The Customer authorises DataChi to engage the following Subprocessors. The Customer will be notified of any addition or replacement of a Subprocessor in accordance with §3.4.
Scaleway SAS — Cloud infrastructure and hosting. Region: France (EU). Transfer mechanism: intra-EEA, no transfer mechanism required.
Gcore — Cloud infrastructure, edge delivery, and AI inference. Region: Luxembourg / global (EU regions used for EU data). Transfer mechanism: intra-EEA where used; SCCs for any non-EEA region.
Cloudflare, Inc. — CDN, DDoS protection, DNS, and edge compute. Region: United States / global. Transfer mechanism: SCCs; EU-US Data Privacy Framework (certified).
OpenAI, L.L.C. — Large language model inference. Region: United States. Transfer mechanism: SCCs; zero-retention / no-training enabled via API. EU-US Data Privacy Framework (certified).
Anthropic, PBC — Large language model inference. Region: United States. Transfer mechanism: SCCs; no-training enabled via API.
OpenRouter, Inc. — Model routing for LLM inference. Region: United States. Transfer mechanism: SCCs; no-training enabled via API.
Stripe, Inc. / Stripe Payments Europe Ltd. — Payment processing. Region: United States / Ireland. Transfer mechanism: SCCs; EU-US Data Privacy Framework (certified). Stripe is generally a separate controller for payment data.
5. Customer's responsibilities as Controller
As the Controller, the Customer is responsible for:
- Ensuring that Personal Data is collected and transferred to DataChi lawfully, and that a valid legal basis exists for the Processing under GDPR
- Providing adequate notice to data subjects, including through a clear and accessible privacy notice
- Promptly notifying DataChi of any Personal Data breach or security incident affecting data processed under this DPA
6. Liability
Each Party's liability to the other under this DPA is governed by the liability provisions in the main subscription agreement. Nothing in this DPA limits either Party's liability for: death or personal injury caused by negligence; fraud; or any liability that cannot be limited under applicable law.
7. Governing law
This DPA is governed by the laws of Luxembourg. Any dispute relating to this DPA shall be subject to the exclusive jurisdiction of the Luxembourg courts.
8. Questions
For any questions about this DPA, please contact:
Email: support@datachi.ai
Website: datachi.ai