Start for free

Data Processing Addendum

VERSION: 2.0

LAST UPDATED: 27/02/2026

 

This Data Processing Addendum (“DPA”) forms part of:
(a) the applicable Terms of Service governing the Services; or
(b) any written master services agreement, SaaS agreement, or other agreement governing the Services between the Parties (each, the “Agreement”).

This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Services.

1. Definitions

For the purposes of this DPA:

  • “UK GDPR” means the UK General Data Protection Regulation as incorporated into UK law.

  • “Data Protection Legislation” means UK GDPR, the Data Protection Act 2018, and any applicable data protection laws.

  • “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” shall have the meanings given under UK GDPR.

2. Roles of the Parties

2.1 The Client acts as Controller.

2.2 The Company acts as Processor and shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement (including any applicable schedules) and any written instructions provided by the Controller from time to time shall constitute the documented instructions.

3. Subject Matter and Duration

3.1 Subject matter is the provision of SaaS Services described in the Agreement.

3.2 the Processing shall continue for the duration of the Agreement and, where applicable, until deletion or return of Personal Data in accordance with Section 7.

3.3 Nature and purpose of processing:

  • Hosting of chat and engagement services

  • Transmission, storage, moderation, and display of user communications

  • Analytics and engagement tracking

  • Technical support and system administration

3.4 Categories of Data Subjects:

  • Client’s end users

  • Client’s administrators and employees

3.5 Categories of Personal Data may include:

  • Username / pseudonym

  • User ID

  • IP address

  • Device information

  • Chat content and metadata

  • Interaction data (polls, reactions, engagement metrics)

  • Moderation data (reports, bans, flags)

The Controller confirms it does not intentionally provide Special Category Data unless agreed in writing. The Processor shall have no obligation to identify or monitor the presence of Special Category Data within Personal Data provided by the Controller.

4. Processor Obligations

The Processor shall:

4.1 Process Personal Data only on documented instructions from the Controller.

4.2 Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

4.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  • Pseudonymisation and encryption of Personal Data;

  • Measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems;

  • The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures;

  • Access control mechanisms;

  • Encryption in transit;

  • Secure hosting environment;

  • Regular backups;

  • Logical separation of customer data.

4.4 Notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement and provide, to the extent available, information regarding:

  • The nature of the breach;

  • The categories and approximate number of Data Subjects concerned;

  • The likely consequences of the breach;

  • The measures taken or proposed to address and mitigate the breach.

4.5 Assist the Controller, considering the nature of processing, in responding to Data Subject requests.

4.6 Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR, considering the nature of processing and information available to the Processor.

4.7 Immediately inform the Controller if, in the Processor’s opinion, any documented instruction infringes applicable Data Protection Legislation.

4.8 If the Processor receives a request directly from a Data Subject relating to Personal Data processed under this DPA, it shall promptly forward such request to the Controller and shall not respond except on documented instructions from the Controller, unless legally required to do so.

5. Sub-Processors

5.1 The Controller provides general authorisation for the Processor to engage sub-processors necessary for the provision of the Services (e.g., cloud hosting providers).

5.2 The Processor shall ensure that any sub-processor is bound by written contractual obligations providing at least the same level of data protection as set out in this DPA.

5.3 The Processor remains fully liable to the Controller for the performance of its sub-processors’ obligations.

5.4 The Processor shall inform the Controller of any intended addition or replacement of sub-processors, thereby giving the Controller the opportunity to object on reasonable data protection grounds.

6. International Transfers

6.1 The Processor shall not transfer Personal Data outside the United Kingdom (and, where applicable, the EEA) unless:

  • The transfer is to a country recognised as providing an adequate level of protection under applicable law; or

  • Appropriate safeguards are implemented in accordance with UK GDPR, including the UK International Data Transfer Addendum or UK-approved Standard Contractual Clauses where required.

Where required, the Parties agree that the UK International Data Transfer Addendum or applicable UK-approved Standard Contractual Clauses shall be deemed incorporated by reference into this DPA.

7. Deletion and Return of Data

7.1 Upon termination or expiration of the Agreement, the Processor shall, at the choice of the Controller:

  • Delete Personal Data; or

  • Return Personal Data to the Controller,

unless applicable law requires continued storage.

Upon written request, the Processor shall provide confirmation of deletion.

7.2 The Processor may retain backup copies for a limited period in accordance with its standard backup policies, after which such data shall be securely deleted.

8. Audit

8.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.

8.2 Any audit shall be:

  • Conducted upon reasonable notice.

  • During normal business hours.

  • No more than once during the term of the Agreement.

  • At the Controller’s expense.

The foregoing limitation shall not apply where an audit is required by a competent supervisory authority.

9. Liability

The liability of each Party under this DPA shall be subject to the limitation of liability set out in the Agreement.

10. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail in relation to data protection matters.

11. Survival

The provisions of this DPA shall survive termination or expiration of the Agreement to the extent necessary to give effect to rights and obligations relating to Processing of Personal Data.

By entering into the Agreement, the Parties agree to be bound by this DPA without further signature.

Cookie settings

We use cookies for essential website functionality and, with your consent, analytics. You can accept all cookies, reject non-essential cookies, or manage your preferences. Declining non-essential cookies will not affect your access to the website.

Learn more in ourCookie Policy.