Data Processing Agreement (DPA)
1. Introduction
This Data Processing Agreement (“DPA”) is entered into by and between ChatActor ("Processor") and the customer utilizing ChatActor's services ("Controller"). This DPA forms part of and is subject to the Terms of Service or other written or electronic agreement between ChatActor and the Controller (collectively, the "Agreement").
This DPA was last updated on November 15, 2024.
2. Definitions
- Controller: The entity that determines the purposes and means of processing Personal Data.
- Processor: ChatActor, the entity that processes Personal Data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose Personal Data is being processed.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, retrieval, and erasure.
- Sub-Processor: Any third-party Processor engaged by ChatActor to assist in Processing Personal Data on behalf of the Controller.
3. Scope and Purpose of Data Processing
ChatActor processes Personal Data on behalf of the Controller only as necessary to fulfill the Services as specified in the Agreement. ChatActor will process Personal Data exclusively in accordance with the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country or international organization.
4. Obligations of ChatActor as Processor
- Compliance: ChatActor shall process Personal Data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and any other applicable regulations.
- Confidentiality: ChatActor shall ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures: ChatActor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be in line with industry standards and include, at a minimum, data encryption, access control, and regular vulnerability assessments.
- Data Transfers: ChatActor will not transfer Personal Data outside the European Economic Area (EEA) or other jurisdictions without the Controller’s prior written consent, unless such transfer complies with data protection laws and regulations.
- Sub-Processors: ChatActor may engage Sub-Processors to assist in the processing of Personal Data. ChatActor will ensure that any Sub-Processor is subject to a written agreement requiring compliance with obligations equivalent to those in this DPA. A list of current Sub-Processors is available upon request.
5. Obligations of the Controller
- Lawful Basis: The Controller is responsible for ensuring that it has a lawful basis for collecting and processing the Personal Data that it provides to ChatActor.
- Data Subject Rights: The Controller shall be responsible for handling requests from Data Subjects to exercise their rights, including access, rectification, deletion, and objection to processing. ChatActor will assist as needed in accordance with Section 6 below.
- Accuracy and Minimization: The Controller agrees to provide ChatActor only with the Personal Data that is necessary for the purposes of processing and will ensure the accuracy of such data.
6. Data Subject Rights
ChatActor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise any of their rights under applicable data protection laws (such as access, correction, deletion, or restriction of processing). ChatActor will assist the Controller by providing information or taking appropriate technical and organizational measures to fulfill such requests, insofar as this is possible and within the scope of the Services provided.
7. Security and Incident Management
- Security Measures: ChatActor will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, disclosure, or misuse, as described in Section 4.
- Incident Notification: ChatActor shall notify the Controller without undue delay if it becomes aware of a Personal Data breach that may affect the Controller's data. ChatActor will cooperate with the Controller to manage and mitigate the breach and fulfill any reporting obligations under applicable law.
8. Data Deletion or Return
Upon termination of the Agreement or at the Controller's request, ChatActor shall, at the choice of the Controller, delete or return all Personal Data and copies thereof to the Controller, unless applicable law requires the retention of such data. Any retained data will be securely isolated and protected against further processing.
9. Audits
ChatActor will allow the Controller (or a third party appointed by the Controller) to conduct audits, including inspections, of ChatActor's data processing practices and security measures to verify compliance with this DPA and applicable laws. Such audits shall be limited to once per year, with at least 30 days’ advance notice, and will be conducted in a manner that minimizes disruption to ChatActor’s operations. The Controller will bear any costs associated with the audit.
10. Liability
Each party's liability arising from or related to this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits liability for breach of confidentiality, data protection obligations, or other liabilities that cannot be limited by law.
11. Governing Law and Jurisdiction
This DPA shall be governed by the laws of [Jurisdiction, e.g., the State of California, USA], without regard to conflicts of laws principles. Any disputes arising from or related to this DPA shall be subject to the exclusive jurisdiction of the courts located in [Jurisdiction, e.g., California, USA].
12. Miscellaneous
- Amendments: Any modifications to this DPA must be in writing and agreed upon by both parties.
- Severability: If any provision of this DPA is found to be invalid or unenforceable, the remainder of this DPA shall remain in full force and effect.
By using ChatActor’s services, the Controller acknowledges and agrees to the terms outlined in this Data Processing Agreement.
Contact Information: For any questions regarding this DPA, please contact ChatActor at [Email Address or Contact Information].