1. Scope & Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SellyChat ("Processor") and the subscribing business entity ("Controller"). It governs the processing of personal data by SellyChat on behalf of the Controller in connection with the SellyChat platform services.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the SellyChat platform by the Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and erasure.
- "Sub-Processor" means a third-party entity engaged by SellyChat to process Personal Data on behalf of the Controller.
3. Data Processing Details
| Subject Matter | Provision of AI-powered chat and voice assistant platform services |
| Duration | Duration of the service agreement plus any data retention periods |
| Nature & Purpose | Processing conversations, generating AI responses, executing workflows, storing knowledge base content |
| Types of Personal Data | Names, phone numbers, email addresses, chat messages, voice transcripts, workflow submission data |
| Categories of Data Subjects | End-users interacting with Controller's AI assistants |
4. Controller Obligations
- Ensure lawful basis for processing personal data through the platform
- Configure appropriate privacy notices and consent requirements for chat/voice channels
- Respond to data subject requests using the platform's built-in tools
- Configure appropriate data retention periods in Settings → Privacy
- Notify SellyChat of any data protection impact assessments when required
5. Processor Obligations
SellyChat shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process data are committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage a Sub-Processor without prior notice to the Controller
- Assist the Controller in responding to data subject requests via built-in export and erasure tools
- Delete or return all Personal Data upon termination of services (after the 30-day grace period)
- Make available information necessary to demonstrate compliance with GDPR obligations
6. Security Measures
- Credentials and secrets encrypted at rest using AES-256-CBC
- Session data encrypted in transit and at rest
- Multi-tenant data isolation via tenant-scoped database queries
- UUID-based identifiers to prevent enumeration
- SHA-256 hashed privacy subject indices
- Automated data retention and purging mechanisms
- Continuous access logging and audit trails
7. Sub-Processors
The current list of sub-processors is available at our Sub-Processor List. SellyChat will notify Controllers of intended changes to sub-processors, giving Controllers the opportunity to object.
8. Data Breach Notification
In the event of a personal data breach, SellyChat will notify the Controller without undue delay (within 72 hours of becoming aware) and provide:
- Nature of the breach, including categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. International Transfers
When Personal Data is transferred outside the European Economic Area (EEA), SellyChat ensures appropriate safeguards through Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
10. Termination
Upon termination of the service agreement, SellyChat will delete all Personal Data processed on behalf of the Controller after the 30-day account deletion grace period, unless retention is required by applicable law.
11. Contact
For DPA-related inquiries, please contact: support@sellychat.com