How to Use This Template

Replace all [BRACKETED TEXT] with your agency's specific information. This DPA template is designed to comply with GDPR and other data protection regulations. Have it reviewed by a legal professional before use.

DATA PROCESSING AGREEMENT

GDPR-Compliant Template for Agency-Client Relationships

This Data Processing Agreement ("DPA") is entered into as of [DATE] and forms part of the AI Chatbot Services Agreement (the "Principal Agreement") between:

[AGENCY NAME] ("Processor"), a company organized under the laws of [STATE/JURISDICTION], with its principal place of business at [AGENCY ADDRESS],

and

[CLIENT NAME] ("Controller"), with its principal place of business at [CLIENT ADDRESS].

1. Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.

1.2 "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR (EU 2016/679), CCPA, and other relevant regulations.

1.3 "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

1.4 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

1.5 "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.

2. Roles and Responsibilities

2.1 Controller Responsibilities. Controller determines the purposes and means of processing Personal Data. Controller shall:

Ensure a lawful basis exists for processing Personal Data
Provide clear instructions to Processor regarding data processing
Ensure Data Subjects are informed of processing activities
Respond to Data Subject requests with Processor's assistance

2.2 Processor Responsibilities. Processor processes Personal Data only on documented instructions from Controller. Processor shall:

Process Personal Data only as instructed by Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist Controller in responding to Data Subject requests
Delete or return Personal Data upon termination

3. Data Processing Details

3.1 Subject Matter. Processor will process Personal Data to provide AI chatbot services as described in the Principal Agreement.

3.2 Duration. Processing will continue for the duration of the Principal Agreement plus any retention period specified herein.

3.3 Nature and Purpose. The processing includes:

Collection of chat messages and user interactions
Analysis of conversations to improve AI responses
Storage of conversation history for support purposes
Generation of anonymized analytics and reports

3.4 Types of Personal Data. Categories of data processed may include:

Contact information (name, email, phone number)
Chat content and conversation history
Device and browser information
IP addresses and location data (if collected)
Any other data voluntarily provided by Data Subjects

3.5 Categories of Data Subjects.

End users of Controller's website(s)
Controller's customers and prospective customers
Visitors interacting with the AI chatbot

4. Sub-processors

4.1 Authorized Sub-processors. Controller authorizes Processor to engage the Sub-processors listed in Annex A. Processor shall:

Maintain an up-to-date list of Sub-processors
Impose equivalent data protection obligations on Sub-processors
Remain liable for Sub-processor compliance

4.2 Changes to Sub-processors. Processor shall notify Controller at least [14/30] days before engaging new Sub-processors. Controller may object within [14/30] days on reasonable grounds.

5. Security Measures

5.1 Technical Measures. Processor implements and maintains:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls and authentication mechanisms
Regular security assessments and penetration testing
Secure development practices
Network security and monitoring

5.2 Organizational Measures. Processor maintains:

Information security policies and procedures
Employee training on data protection
Incident response procedures
Business continuity and disaster recovery plans

6. Data Subject Rights

6.1 Assistance. Processor shall assist Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of:

Access to Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability
Objection to processing

6.2 Response Time. Processor shall respond to Controller's requests for assistance within [5/10] business days.

7. Data Breach Notification

7.1 Notification. Processor shall notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach.

7.2 Breach Information. Notification shall include:

Nature of the breach and categories of data affected
Approximate number of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information

7.3 Cooperation. Processor shall cooperate with Controller in investigating and mitigating the breach and in any required notifications to supervisory authorities or Data Subjects.

8. Data Retention and Deletion

8.1 Retention Period. Processor shall retain Personal Data only for the duration necessary to fulfill the purposes of processing, or as specified: [30/60/90] days after conversation completion.

8.2 Deletion. Upon termination of the Principal Agreement or upon Controller's request, Processor shall:

Delete all Personal Data within [30/60] days
Provide written certification of deletion upon request
Ensure Sub-processors also delete Personal Data

8.3 Exceptions. Processor may retain Personal Data to the extent required by applicable law, provided such data remains protected.

9. International Transfers

9.1 Transfer Mechanisms. Any transfer of Personal Data outside the European Economic Area (EEA) shall be subject to appropriate safeguards, such as:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules
Adequacy decisions

9.2 Current Transfer Locations. Personal Data may be processed in: [LIST COUNTRIES/REGIONS]

10. Audits and Compliance

10.1 Audit Rights. Controller may audit Processor's compliance with this DPA upon [30] days' written notice, during normal business hours, and no more than once per year unless required by a supervisory authority.

10.2 Certifications. Processor shall provide Controller with relevant certifications and audit reports upon request, including SOC 2 reports where available.

11. Liability and Indemnification

11.1 Liability. Each party's liability under this DPA is subject to the limitations of liability in the Principal Agreement.

11.2 Indemnification. Each party shall indemnify the other for any fines, penalties, or damages arising from its breach of this DPA or applicable Data Protection Laws.

12. Term and Termination

12.1 Term. This DPA shall remain in effect for the duration of the Principal Agreement.

12.2 Survival. Provisions regarding data deletion, confidentiality, and liability shall survive termination.

13. General Provisions

13.1 Precedence. In case of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.

13.2 Amendments. This DPA may only be amended in writing signed by both parties.

13.3 Governing Law. This DPA shall be governed by the laws of [STATE/JURISDICTION].

ANNEX A: AUTHORIZED SUB-PROCESSORS

Sub-processor	Purpose	Location
Cloudflare, Inc.	Cloud infrastructure, CDN, edge computing	Global (US-based)
[AI PROVIDER NAME]	AI/ML processing for chatbot responses	[LOCATION]
[ADDITIONAL SUB-PROCESSOR]	[PURPOSE]	[LOCATION]

PROCESSOR (Agency):

[AGENCY NAME]

Signature

Print Name

Title

Date

CONTROLLER (Client):

[CLIENT NAME]