How to use this template. This document is a standard-form Data Processing Agreement (DPA) that ChatIFA offers to all customers. If it's acceptable as written, email hello@chatifa.co.uk from the email address on your ChatIFA account with the subject line "DPA countersignature — [your firm name]". We'll return a countersigned PDF within two business days. If you want specific clauses amended, raise them in that same email and we'll negotiate in writing.
Disclaimer. This template is provided for customer convenience and reflects standard UK GDPR Article 28 requirements. It is not legal advice. Customers should have it reviewed by their own legal adviser before signing.
1. Parties
This Data Processing Agreement (the "DPA") is entered into between:
- The customer identified by the account email on their ChatIFA account (the "Controller"); and
- ChatIFA, a sole-trader business based in Cardiff, Wales (the "Processor"). The Processor's full legal name and registered trading address are provided on the countersigned PDF that forms the executed agreement. Prospective customers can request these details in advance by emailing hello@chatifa.co.uk.
This DPA supplements the ChatIFA Terms of Service (the "Principal Agreement"). Where this DPA conflicts with the Principal Agreement on data-processing matters, this DPA prevails.
2. Definitions
Capitalised terms have the meaning given in UK GDPR and the Data Protection Act 2018 unless defined in the Principal Agreement or in this DPA. In particular:
- "UK GDPR" means the UK General Data Protection Regulation.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Principal Agreement.
- "Processing", "Controller", "Processor", "Data Subject" and "Personal Data Breach" have the meanings given in UK GDPR.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Annex" refers to the Annexes to this DPA (see Section 11).
3. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller to provide the ChatIFA service as described in the Principal Agreement. The subject matter, nature, purpose, and categories of data are set out in Annex 1.
This DPA takes effect on the date the Controller accepts it by countersignature and continues for the term of the Principal Agreement plus any post-termination retention period specified in Section 8.
4. Processor obligations
The Processor shall:
- Process Personal Data only on the Controller's documented instructions (including those set out in the Principal Agreement, this DPA, and any reasonable written instructions the Controller subsequently provides), unless required to do otherwise by law.
- Ensure that personnel authorised to process Personal Data are under a duty of confidentiality.
- Implement appropriate technical and organisational measures ensuring a level of security appropriate to the risk, as described in Annex 2.
- Not engage any new Sub-processor without prior notice to the Controller as set out in Section 5.
- Assist the Controller, insofar as possible and taking into account the nature of the processing, with fulfilling the Controller's obligations to respond to Data Subject rights requests.
- Assist the Controller in ensuring compliance with UK GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to the Processor.
- At the Controller's choice, delete or return all Personal Data after the end of the Principal Agreement, subject to Section 8.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
- Immediately inform the Controller if, in its opinion, an instruction from the Controller infringes UK GDPR or other applicable data protection law.
5. Sub-processors
The Controller grants the Processor general authorisation to engage Sub-processors listed at chatifa.co.uk/subprocessors (the "Sub-processor List"). The Sub-processor List as of the date of signature is reproduced in Annex 3.
The Processor shall give the Controller at least 14 days' prior written notice of any intended additions or replacements. If the Controller reasonably objects to a new Sub-processor within that period on documented data-protection grounds, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the affected service as its sole remedy.
The Processor shall impose data-protection obligations on each Sub-processor equivalent to those in this DPA by written contract.
6. International transfers
Personal Data is primarily stored and processed within the European Economic Area (Hetzner infrastructure in Germany), with UK→EEA transfers covered by UK adequacy regulations. Where transfers to third countries occur (notably to Anthropic and OpenAI in the United States for AI inference and embeddings), such transfers are covered by:
- The UK International Data Transfer Agreement (IDTA); or
- The UK Addendum to the EU Standard Contractual Clauses; or
- An adequacy decision under section 17A of the Data Protection Act 2018.
The Processor keeps a current list of transfer mechanisms at chatifa.co.uk/subprocessors.
7. Personal Data Breach notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Controller's Personal Data. The notification shall include, to the extent known:
- The nature of the breach, categories and approximate numbers of Data Subjects and records affected;
- The name and contact details of the Processor's contact point;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its adverse effects.
The Processor shall provide updates as further information becomes available and shall cooperate with the Controller's response and notification to the ICO and Data Subjects as required.
8. Return and deletion
On termination of the Principal Agreement, the Controller may request that the Processor either delete or return all Personal Data within 30 days of the request. Following deletion, the Processor shall also require Sub-processors to delete the Personal Data, except where storage is required by law.
During the term, Personal Data associated with visitor conversations is automatically deleted after the retention window configured by the Controller (default 365 days; configurable from 30 to 730 days, or indefinitely on request).
9. Audit
The Processor shall make available to the Controller documentation necessary to demonstrate compliance with this DPA on request. On reasonable prior written notice (not less than 30 days, except in the case of a suspected breach), the Controller or an independent auditor mandated by it may audit the Processor's compliance with this DPA during normal business hours, at the Controller's expense and subject to reasonable confidentiality obligations.
Audits shall not exceed once per year unless a Personal Data Breach or the Processor's material non-compliance justifies otherwise.
10. Liability and governing law
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
11. Annexes
Annex 1 — Details of processing
- Subject matter: Provision of the ChatIFA AI chat widget and related dashboard services.
- Duration: For the term of the Principal Agreement plus the retention window (see Section 8).
- Nature and purpose: Operating a chat widget on the Controller's website, generating AI responses based on the Controller's website content, capturing leads, sending notification emails, and storing conversation logs for the Controller's review.
- Types of Personal Data: Website visitor chat messages, visitor-provided contact details (name, email, phone), session identifiers, page URLs visited, and the Controller's account details (email, billing information).
- Categories of Data Subjects: Website visitors (prospective clients of the Controller) and the Controller's own account holders/staff.
- Special categories: None intentionally processed. Visitors may voluntarily disclose financial details during conversation; the Controller is responsible for its lawful basis for any such processing.
Annex 2 — Technical and organisational measures
- Data in transit encrypted using TLS 1.2+ (HTTPS).
- Data at rest stored on access-controlled EU-based VPS infrastructure (Hetzner Online GmbH, Germany). UK→EU transfer covered by UK adequacy regulations.
- Authentication: JWT tokens or email-based magic links with expiry; passwords stored as bcrypt hashes.
- Role-based access control: customer accounts cannot access data belonging to other customers; admin access is restricted and logged.
- Rate limiting on authentication, chat, and admin endpoints to prevent abuse.
- Automated deletion of conversation data after each Controller's configured retention window.
- Regular backups stored within the UK; access controlled.
- Sub-processors covered by written data-processing agreements.
- Personnel with access to Personal Data operate under a duty of confidentiality.
- AI inference providers (Anthropic, OpenAI) are used under their standard published API terms, which prohibit use of API inputs and outputs for model training. See the sub-processor list for links to each provider's current data-processing terms.
Annex 3 — Sub-processors
The current Sub-processor List is maintained at chatifa.co.uk/subprocessors. At the time of this DPA template's version date, the Sub-processor List includes Anthropic, OpenAI, Stripe, Brevo, Chroma (self-hosted), the UK VPS hosting provider, and the self-hosted analytics service. Consult the linked page for authoritative and current information.
Countersignature
Email hello@chatifa.co.uk from the email address on your ChatIFA account with the firm name, firm address, and the name and title of the person signing. Use the subject line "DPA countersignature — [your firm name]". We will return a PDF countersigned by both parties within two business days. That PDF is the executed DPA.