Data Processing Agreement

Last Updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Agreement between SellAIBots, LLC ("Processor", "we") and you ("Controller", "Customer") for the provision of services.

1. Definitions

  • Controller: The entity that determines the purposes and means of processing Personal Data (you, the Customer)
  • Processor: The entity that processes Personal Data on behalf of the Controller (SellAIBots)
  • Data Subject: An identifiable natural person whose Personal Data is processed
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, deletion)
  • Sub-processor: A third party engaged by the Processor to process Personal Data

2. Roles and Responsibilities

Customer (Controller):

  • Determines the purposes and means of processing
  • Ensures lawful basis for data collection (consent, legitimate interest, etc.)
  • Provides required notices to Data Subjects
  • Responds to Data Subject requests (with our assistance)
  • Ensures compliance with applicable data protection laws

SellAIBots (Processor):

  • Processes Personal Data only on documented instructions from Controller
  • Ensures personnel are bound by confidentiality obligations
  • Implements appropriate technical and organizational security measures
  • Assists Controller with Data Subject requests
  • Notifies Controller of any data breaches
  • Deletes or returns Personal Data upon termination

3. Sub-processors

We engage the following sub-processors to deliver our services:

Sub-processor    | Purpose                                               | Location
Cloudflare, Inc. | Infrastructure, CDN, edge computing, database hosting | Global (US-based)
Stripe, Inc.     | Payment processing, billing                           | USA
PostHog, Inc.    | Product analytics (anonymized)                        | USA/EU

We will notify you of any changes to sub-processors with at least 30 days' notice.

4. International Data Transfers

For transfers of Personal Data outside the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Additional safeguards as required by applicable law

5. Security Measures

We implement the following technical and organizational measures:

  • Encryption in Transit: TLS 1.3 for all data transmission
  • Encryption at Rest: AES-256 encryption for stored data
  • Access Controls: Role-based access, MFA for administrative access
  • Network Security: Cloudflare WAF, DDoS protection
  • Monitoring: 24/7 infrastructure monitoring, anomaly detection
  • Incident Response: Documented procedures, trained personnel
  • Physical Security: Enterprise-grade data centers (Cloudflare)

6. GDPR Data Subject Rights

We assist you in responding to Data Subject requests for:

  • Right of Access: Provide copies of Personal Data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Portability: Export data in machine-readable format
  • Right to Object: Stop processing for specific purposes
  • Right to Restriction: Limit processing in certain circumstances

Response time: We will assist within 72 hours of receiving your request.

7. CCPA Compliance

For California residents, we comply with the California Consumer Privacy Act (CCPA):

  • We act as a Service Provider under CCPA
  • We do NOT sell Personal Information
  • We process data only for the business purposes specified in this Agreement
  • We assist with consumer rights requests (know, delete, opt-out)

8. Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you within 72 hours of becoming aware of the breach
  • Provide details of the nature and scope of the breach
  • Describe the likely consequences
  • Outline measures taken or proposed to address the breach
  • Assist you in notifying supervisory authorities and Data Subjects as required

9. Data Retention

  • Account Data: Retained while your account is active
  • Conversation Data: Retained for 90 days, then automatically deleted
  • Analytics Data: Aggregated/anonymized, retained indefinitely
  • Upon Termination: All Personal Data deleted within 30 days
  • Data Export: Available upon request before account deletion

10. Audit Rights

Upon reasonable notice (minimum 30 days), you may request:

  • Documentation of our security measures and compliance
  • Copies of relevant third-party audit reports (SOC 2, etc.)
  • Responses to security questionnaires
  • On-site audits (at your expense, subject to reasonable limitations)

11. Contact

For data protection inquiries:
Data Protection Contact: privacy@sellaibots.ai
Address: SellAIBots, LLC, Delaware, USA