Data Processing Addendum
This DPA forms part of the agreement between BotBly and Customer and governs BotBly’s processing of personal data on Customer’s behalf.
BotBly Data Processing Addendum (DPA)
Last updated: August 13, 2025
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement between Customer and BotBly (the “Agreement”). Capitalized terms not defined here have the meanings in the Agreement.
1) Roles and Scope
Roles. For personal data that Customer provides or makes available to BotBly for the Services: Customer is the Controller (or “Business” under CCPA), and BotBly is the Processor (or “Service Provider” under CCPA).
Scope. BotBly will process personal data solely to provide and improve the Services and as otherwise documented in this DPA, the Agreement, and Customer’s written instructions (including in-product configurations).
Instructions. Customer instructs BotBly to process personal data (including web content Customer authorizes us to scrape) to build, host, and operate Customer’s chatbots, including generating analytics/reports and routing to enabled integrations. BotBly will promptly inform Customer if an instruction violates applicable law.
2) Customer Responsibilities
- Provide personal data only where you have a lawful basis and all necessary rights/permissions.
- Configure the Services and provide notices/consents to end users as required by law.
- Not submit special category/sensitive data unless permitted by law and supported by appropriate safeguards.
3) BotBly’s Obligations (Processor)
- Processing on documented instructions and for no other purpose.
- Confidentiality: ensure personnel are bound by confidentiality obligations and trained appropriately.
- Security: implement technical and organizational measures described in Annex II.
- Assistance: assist Customer with data subject requests, DPIAs, and consultations as required by law.
- Deletion/return: upon termination or per Customer request, delete or return personal data, unless retention is required by law.
- Records: maintain records of processing as required by applicable law.
- Government requests: notify Customer (if lawful) before disclosing personal data to public authorities and minimize any disclosure.
4) Subprocessors
Customer authorizes BotBly to engage subprocessors to support the Services (e.g., LLM/AI providers, hosting, analytics, email, payments). BotBly will enter into written agreements with subprocessors imposing data protection obligations no less protective than this DPA.
BotBly will maintain a current list of subprocessors (available upon request or via a public page, if provided) and will notify Customer of material changes. Customer may object on reasonable grounds within 10 days of notice. If the parties cannot resolve an objection in good faith, Customer may terminate the affected Services (without penalty) as its sole remedy.
5) International Transfers
Where personal data is transferred from the EEA/UK/Switzerland to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (2021/914) are incorporated by reference as follows:
Module 2 (Controller→Processor) applies to Customer↔BotBly; Module 3 (Processor→Subprocessor) applies to BotBly↔subprocessors.
For UK transfers, the UK Addendum to the EU SCCs applies; for Switzerland, the SCCs are adapted to the FADP. Conflicts between this DPA and the SCCs/UK Addendum are resolved in favor of the SCCs/UK Addendum for the relevant transfers.
6) Personal Data Breach Notification
BotBly will notify Customer without undue delay and no later than 72 hours after confirmation of a Personal Data Breach impacting Customer personal data. Notifications will include information reasonably available to BotBly at the time and will be supplemented as more details are confirmed. BotBly will take appropriate steps to mitigate and remediate the breach.
7) Data Subject Requests & Cooperation
If BotBly receives a request from an individual regarding personal data that BotBly processes for Customer, BotBly will, to the extent permitted by law, promptly notify Customer and will not respond directly (unless authorized). BotBly will provide reasonable assistance for Customer to meet its obligations regarding access, deletion, correction, portability, and objection/restriction requests.
8) Retention and Deletion
By default, chatbot conversation logs are retained for 30 days and then deleted from active systems or anonymized, unless a longer period is necessary for legitimate business or legal purposes or as configured by Customer (where features allow). Upon termination or at Customer’s written request, BotBly will delete or return personal data, unless retention is required by law (in which case data will be protected and isolated).
9) Audits and Certifications
Upon written request, BotBly will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., summaries of policies, third-party assessments, or certifications, where available). Where additional audit activity is required by law, Customer may conduct (or appoint an independent auditor to conduct) an audit up to once in any 12-month period, with reasonable advance notice, during normal business hours, in a manner that minimizes disruption, subject to confidentiality and reimbursement of BotBly’s reasonable costs.
10) CCPA/CPRA Service Provider Terms
For California data, BotBly acts as a Service Provider. BotBly will not sell or share personal information, use it for cross-context behavioral advertising, or retain/use/disclose it for any purpose other than providing and improving the Services (including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing analytics, and developing/improving features), or as permitted by the CCPA/CPRA.
11) Order of Precedence
If there is any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of personal data. If there is a conflict between this DPA and the SCCs/UK Addendum (where applicable), the SCCs/UK Addendum control for the relevant transfers.
Annex I — Details of Processing
Subject Matter: Operation of BotBly’s chatbot platform for Customer, including ingestion of Customer-authorized sources and end-user interactions.
Duration: For the term of the Agreement and any post-termination period where retention is required by law or expressly requested by Customer.
Nature and Purpose: Hosting, processing, transforming, generating responses, analytics/reporting, and routing to integrations selected by Customer.
Types of Personal Data: End-user queries and conversation content; identifiers (e.g., IP address, device/browser metadata); account/contact details for Customer users; configuration data; support tickets.
Categories of Data Subjects: End users interacting with Customer’s chatbot; Customer personnel (admins, agents).
Sensitive Data: Not intended. Customer will not submit special categories or sensitive information unless permitted by law and supported by appropriate safeguards.
Annex II — Technical & Organizational Measures
- Access control: role-based access, least privilege, MFA for privileged accounts, session management.
- Encryption: TLS for data in transit; encryption at rest for stored data where supported by the platform.
- Data isolation: logical separation of customer data; environment and network segmentation.
- Logging & monitoring: security logging, alerting, audit trails for administrative actions.
- Vulnerability & patching: regular scanning and remediation; dependency management; secure SDLC practices.
- Backups & availability: backup/restore procedures and disaster recovery testing appropriate to the Services.
- Personnel security: confidentiality obligations, security training, background checks where legally permissible.
- Incident response: documented runbooks, breach assessment, notification workflow.
- Subprocessor due diligence: contractual DPAs/SCCs as applicable; ongoing vendor reviews.
Annex III — Subprocessors
BotBly engages subprocessors to deliver the Services (e.g., LLM/AI providers, hosting, analytics, email, payments). A current list is available upon request. Customer may subscribe to updates or receive notice of material changes where required.
Contact
Questions about this DPA:
Email: support@botbly.com
This DPA is incorporated into the Agreement and applies to BotBly’s processing of personal data on behalf of Customer.