Data Processing Agreement (DPA)

Last updated: May 31, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Chat with CRM Ltd. ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") who utilizes the ChatWithCRM application and website (the "Service").

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

1. Definitions

"Data Protection Laws" means all applicable legislation protecting the fundamental rights and freedoms of individuals in respect of their right to privacy with respect to the processing of Personal Data, including the UK GDPR, the Data Protection Act 2018, and the EU GDPR.
"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller pursuant to this DPA.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
The terms "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Processing" shall have the same meaning as in the UK GDPR.

2. Details of the Processing

The Processor will process Personal Data strictly to provide the Service as outlined in the Terms of Service. This includes:

Nature and Purpose: Providing AI-native CRM capabilities, analyzing customer data, generating AI-assisted communications, and facilitating automated marketing/tracking infrastructure across the Controller's digital assets.
Categories of Data Subjects: The Controller's customers, prospects, employees, website visitors, and newsletter subscribers.
Types of Personal Data: Names, contact details (emails, phone numbers), business affiliations, communication histories, CRM notes, IP addresses, and digital tracking data (via cookies or pixels).
Duration: Personal Data will be processed for the duration of the Controller's subscription to the Service, plus any period necessary for secure deletion.

3. Controller Obligations

As the Data Controller, you represent and warrant that:

You have established a lawful basis (such as consent or legitimate interest) to collect and process the Personal Data.
You have provided all necessary privacy notices and obtained all required explicit consents from Data Subjects, particularly prior to utilizing our Service to deploy tracking pixels, cookies, or web beacons on your websites, apps, or emails.
Your instructions to the Processor will at all times comply with Data Protection Laws.

4. Processor Obligations

As the Data Processor, we agree to:

Documented Instructions: Process Personal Data only on your documented instructions (which include the functionalities of the Service and the Terms of Service), unless required to do otherwise by applicable law.
Confidentiality: Ensure that all personnel authorized to process Personal Data are subject to a strict duty of confidentiality.
No Model Training: We will not use your Personal Data, prompts, or chat logs to train our own foundational AI models.

5. Security of Processing

We shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption in transit, secure server infrastructure, and strict access controls.

6. Sub-processing

You grant us general authorization to engage Sub-processors to assist in providing the Service (e.g., cloud hosting providers, edge-security networks like Cloudflare, database managers, and optional third-party AI models). We will:

Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
Remain fully liable to you for the performance of the Sub-processor's obligations.

7. Data Subject Rights & Assistance

We will assist you, taking into account the nature of the processing, through appropriate technical and organizational measures, insofar as possible, to fulfill your obligations to respond to requests from Data Subjects exercising their rights (such as the right to access, rectify, or delete data). If we receive a request directly from a Data Subject relating to your data, we will promptly forward that request to you.

8. Personal Data Breaches

In the event of a confirmed Personal Data Breach affecting your data, we will notify you without undue delay (and in any event within 48 hours) after becoming aware of the breach. We will provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or Data Subjects.

9. International Data Transfers

If the processing of Personal Data involves a transfer outside of the United Kingdom or the European Economic Area (EEA) to a country that is not recognized as providing an adequate level of protection, we will ensure that lawful safeguards are in place. These safeguards may include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or reliance on the UK Extension to the EU-US Data Privacy Framework.

10. Deletion or Return of Data

Upon termination of your subscription or upon your written request, we will securely delete or return all Personal Data in our possession or control, except to the extent that we are required by applicable law to retain some or all of the Personal Data. Standard backup archives are purged on an automated, rolling basis.

11. Audits and Compliance

We will make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws. Any audits or inspections must be conducted subject to strict confidentiality obligations and standard security protocols.