Data Processing Addendum

This DPA forms part of the agreement between BotBly and Customer and governs BotBly’s processing of personal data on Customer’s behalf.

BotBly Data Processing Addendum (DPA)

Last updated: August 13, 2025

This Data Processing Addendum (DPA) is incorporated into and forms part of the agreement between Customer and BotBly (the Agreement). Capitalized terms not defined here have the meanings in the Agreement.

1) Roles and Scope

Roles. For personal data that Customer provides or makes available to BotBly for the Services, Customer is the Controller (or Business under CCPA), and BotBly is the Processor (or Service Provider under CCPA).

Scope. BotBly will process personal data solely to provide and improve the Services and as otherwise documented in this DPA, the Agreement, and Customer’s written instructions, including in product configurations.

Instructions. Customer instructs BotBly to process personal data (including web content Customer authorizes us to scrape) to build, host, and operate Customer’s chatbots, including generating analytics and reports and routing to enabled integrations. BotBly will promptly inform Customer if an instruction violates applicable law.

2) Customer Responsibilities

  • Provide personal data only where you have a lawful basis and all necessary rights and permissions.
  • Configure the Services and provide notices and consents to end users as required by law.
  • Not submit special category or sensitive data unless permitted by law and supported by appropriate safeguards.

3) BotBly’s Obligations (Processor)

  • Processing on documented instructions and for no other purpose.
  • Confidentiality: ensure personnel are bound by confidentiality obligations and trained appropriately.
  • Security: implement technical and organizational measures described in Annex II.
  • Assistance: assist Customer with data subject requests, DPIAs, and consultations as required by law.
  • Deletion or return: upon termination or per Customer request, delete or return personal data, unless retention is required by law.
  • Records: maintain records of processing as required by applicable law.
  • Government requests: notify Customer, if lawful, before disclosing personal data to public authorities, and minimize any disclosure.

4) Subprocessors

Customer authorizes BotBly to engage subprocessors to support the Services, such as LLM or AI providers, hosting, analytics, email, and payments. BotBly will enter into written agreements with subprocessors imposing data protection obligations no less protective than this DPA.

BotBly will maintain a current list of subprocessors (available upon request or via a public page, if provided) and will notify Customer of material changes. Customer may object on reasonable grounds within 10 days of notice. If the parties cannot resolve an objection in good faith, Customer may terminate the affected Services without penalty as its sole remedy.

5) International Transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (2021/914) are incorporated by reference as follows: Module 2 (Controller to Processor) applies to Customer and BotBly, and Module 3 (Processor to Subprocessor) applies to BotBly and subprocessors.

For UK transfers, the UK Addendum to the EU SCCs applies, and for Switzerland, the SCCs are adapted to the FADP. Conflicts between this DPA and the SCCs or UK Addendum are resolved in favor of the SCCs or UK Addendum for the relevant transfers.

6) Personal Data Breach Notification

BotBly will notify Customer without undue delay and no later than 72 hours after confirmation of a Personal Data Breach impacting Customer personal data. Notifications will include information reasonably available to BotBly at the time and will be supplemented as more details are confirmed. BotBly will take appropriate steps to mitigate and remediate the breach.

7) Data Subject Requests and Cooperation

If BotBly receives a request from an individual regarding personal data that BotBly processes for Customer, BotBly will, to the extent permitted by law, promptly notify Customer and will not respond directly unless authorized. BotBly will provide reasonable assistance for Customer to meet its obligations regarding access, deletion, correction, portability, and objection or restriction requests.

8) Retention and Deletion

By default, chatbot conversation logs are retained for 30 days and then deleted from active systems or anonymized, unless a longer period is necessary for legitimate business or legal purposes or as configured by Customer where features allow. Upon termination or at Customer’s written request, BotBly will delete or return personal data unless retention is required by law, in which case data will be protected and isolated.

9) Audits and Certifications

Upon written request, BotBly will make available information reasonably necessary to demonstrate compliance with this DPA, such as summaries of policies, third-party assessments, or certifications where available. Where additional audit activity is required by law, Customer may conduct, or appoint an independent auditor to conduct, an audit up to once in any 12-month period, with reasonable advance notice, during normal business hours, and in a manner that minimizes disruption, subject to confidentiality and reimbursement of BotBly’s reasonable costs.

10) CCPA or CPRA Service Provider Terms

For California data, BotBly acts as a Service Provider. BotBly will not sell or share personal information, use it for cross-context behavioral advertising, or retain, use, or disclose it for any purpose other than providing and improving the Services (including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing analytics, and developing or improving features) or as permitted by the CCPA or CPRA.

11) Order of Precedence

If there is any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of personal data. If there is a conflict between this DPA and the SCCs or UK Addendum, where applicable, the SCCs or UK Addendum control for the relevant transfers.

Annex I — Details of Processing

Subject Matter: Operation of BotBly’s chatbot platform for Customer, including ingestion of Customer-authorized sources and end user interactions.

Duration: For the term of the Agreement and any post-termination period where retention is required by law or expressly requested by Customer.

Nature and Purpose: Hosting, processing, transforming, generating responses, analytics and reporting, and routing to integrations selected by Customer.

Types of Personal Data: End user queries and conversation content, identifiers such as IP address and device or browser metadata, account or contact details for Customer users, configuration data, support tickets.

Categories of Data Subjects: End users interacting with Customer’s chatbot and Customer personnel such as admins and agents.

Sensitive Data: Not intended. Customer will not submit special categories or sensitive information unless permitted by law and supported by appropriate safeguards.

Annex II — Technical and Organizational Measures

  • Access control: role based access, least privilege, MFA for privileged accounts, session management.
  • Encryption: TLS for data in transit and encryption at rest for stored data where supported by the platform.
  • Data isolation: logical separation of customer data and environment and network segmentation.
  • Logging and monitoring: security logging, alerting, audit trails for administrative actions.
  • Vulnerability and patching: regular scanning and remediation, dependency management, secure SDLC practices.
  • Backups and availability: backup and restore procedures and disaster recovery testing appropriate to the Services.
  • Personnel security: confidentiality obligations, security training, background checks where legally permissible.
  • Incident response: documented runbooks, breach assessment, notification workflow.
  • Subprocessor due diligence: contractual DPAs and SCCs as applicable and ongoing vendor reviews.

Annex III — Subprocessors

BotBly engages subprocessors to deliver the Services, such as LLM or AI providers, hosting, analytics, email, and payments. A current list is available upon request. Customer may subscribe to updates or receive notice of material changes where required.

Contact

Questions about this DPA:

Email: support@botbly.com

This DPA is incorporated into the Agreement and applies to BotBly’s processing of personal data on behalf of Customer.