Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the Chatsuno Terms of Service between Chatsuno (the "Processor") and the Customer (the "Controller") for the processing of personal data subject to the EU General Data Protection Regulation ("GDPR").
1. Roles & scope
The Customer is the data controller of personal data submitted to the Service (including chatbot conversations and lead-form submissions collected on the Customer's behalf). Chatsuno acts as a data processor and processes personal data only on documented instructions from the Customer, namely the configurations the Customer applies in the dashboard and the agreements between the parties.
2. Subject matter, duration & nature
- Subject matter: provision of the Chatsuno Service.
- Duration: the term of the Customer's subscription, plus a 30-day deletion window.
- Nature & purpose: hosting, indexing, and serving chatbots that respond to end-user messages.
- Categories of data: identifiers, contact details, message content, technical metadata.
- Categories of data subjects: Customer staff and end-users of Customer websites.
3. Customer obligations
The Customer warrants that it has a lawful basis to share the data with Chatsuno, that it has provided appropriate notices to data subjects, and that it will configure retention and deletion controls as required by applicable law.
4. Chatsuno obligations
- Process personal data only on the Customer's instructions.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex II).
- Assist the Customer in responding to data-subject requests.
- Notify the Customer without undue delay of any personal-data breach.
- Delete or return all personal data at the end of the agreement, unless retention is required by law.
5. Sub-processors
The Customer authorises Chatsuno to engage the sub-processors listed in Annex III. Chatsuno will notify the Customer of any addition or replacement of a sub-processor with at least 30 days' notice and give the Customer the right to object on reasonable grounds.
6. International transfers
Personal data is hosted in the European Union. Where a sub-processor is located outside the EU/EEA, transfers are protected by the European Commission's Standard Contractual Clauses (2021/914) and any additional safeguards required by the EDPB.
7. Audits
Chatsuno makes available to the Customer all information necessary to demonstrate compliance with this DPA and contributes to audits by the Customer or an independent auditor mandated by the Customer, no more than once per year and on reasonable notice.
8. Liability & precedence
Liability under this DPA is subject to the limitations in the Terms of Service. In the event of conflict, this DPA prevails over the Terms of Service in respect of personal-data processing.
Annex I — processing details
Categories of data subjects, types of personal data, and processing activities as set out in section 2 above.
Annex II — security measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege defaults.
- Centralised logging and monitoring of production access.
- Background checks and confidentiality agreements for personnel.
- Regular vulnerability scanning and patch management.
- Documented incident-response and breach-notification procedures.
- Daily encrypted backups with EU-only retention.
Annex III — sub-processors
The current list of sub-processors (vendor name, role, and country) is available on request and is updated with at least 30 days' notice before any change. Email privacy@chatsuno.com for the latest list.
Signing the DPA
Paid customers can countersign this DPA from the billing page in the dashboard. A countersigned PDF is delivered by email immediately.