Data Processing Agreement

Effective Date: January 13, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ChatAds (“ChatAds,” “Processor,” “we,” “us,” or “our”) and the entity agreeing to these terms (“Customer,” “Controller,” “you,” or “your”) for the provision of the ChatAds Services (the “Agreement”).

This DPA applies where and only to the extent that ChatAds processes Personal Data on behalf of Customer in the course of providing the Services, and such Personal Data is subject to Data Protection Laws. This DPA is incorporated into and subject to the terms of the Agreement.

1. Definitions

“Data Protection Laws” means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation, the California Consumer Privacy Act (“CCPA”), and any other applicable data protection legislation.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.

“Personal Data” means any information relating to a Data Subject that is processed by ChatAds on behalf of Customer in connection with the Services.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

“Sub-processor” means any third party engaged by ChatAds to process Personal Data on behalf of Customer.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914.

2. Scope and Roles

2.1 Roles of the Parties

For the purposes of this DPA:

  • Customer is the Controller of Personal Data
  • ChatAds is the Processor of Personal Data

2.2 Customer’s Processing Instructions

ChatAds will process Personal Data only in accordance with Customer’s documented instructions, which include:

  • Providing the Services as described in the Agreement
  • Processing initiated by Customer’s use of the Services
  • Processing to comply with other reasonable instructions provided by Customer that are consistent with this DPA

2.3 Compliance with Laws

Each party will comply with its respective obligations under applicable Data Protection Laws. Customer is responsible for ensuring that its instructions comply with applicable laws and that it has obtained all necessary consents and authorizations for the processing of Personal Data.

3. Details of Processing

The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 to this DPA.

4. ChatAds Obligations

4.1 Confidentiality

ChatAds will ensure that personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security Measures

ChatAds will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in Annex 2 to this DPA.

4.3 Sub-processing

ChatAds may engage Sub-processors to process Personal Data on behalf of Customer, subject to the following conditions:

  • ChatAds maintains an up-to-date list of Sub-processors in Annex 3
  • ChatAds will impose data protection obligations on Sub-processors that are substantially similar to those in this DPA
  • ChatAds remains fully liable for the acts and omissions of its Sub-processors
  • ChatAds will notify Customer of any intended changes to Sub-processors by updating the list on its website at least thirty (30) days before the change takes effect
  • Customer may object to a new Sub-processor by notifying ChatAds in writing within fourteen (14) days of receiving notice. If Customer has a reasonable objection, the parties will work in good faith to resolve the concern. If resolution is not possible, Customer may terminate the affected Services without penalty.

4.4 Data Subject Rights

ChatAds will assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. ChatAds will promptly notify Customer of any request received directly from a Data Subject unless prohibited by law.

4.5 Data Protection Impact Assessments

Upon Customer’s request, ChatAds will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and relating to the processing of Personal Data.

4.6 Personal Data Breach Notification

ChatAds will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

ChatAds will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

4.7 Deletion and Return of Personal Data

Upon termination of the Agreement or upon Customer’s written request, ChatAds will:

  • Return all Personal Data to Customer in a commonly used format, or
  • Delete all Personal Data and certify such deletion in writing

Personal Data will be retained for thirty (30) days following termination to allow for data export, after which it will be permanently deleted. ChatAds may retain Personal Data to the extent required by applicable law, in which case ChatAds will isolate and protect such data and limit further processing to that required by law.

4.8 Audits

ChatAds will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon Customer’s written request (no more than once per year), ChatAds will:

  • Allow for and contribute to audits conducted by Customer or an independent auditor appointed by Customer, subject to reasonable advance notice and confidentiality obligations
  • Provide copies of relevant audit reports, certifications, or third-party assessments

Customer will bear its own costs for any audit. Audits will be conducted during normal business hours and will not unreasonably interfere with ChatAds’s operations.

5. International Data Transfers

5.1 Transfer Mechanisms

Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, ChatAds will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Other valid transfer mechanisms under applicable Data Protection Laws

5.2 Standard Contractual Clauses

To the extent that the processing involves transfers of Personal Data to ChatAds in the United States, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference and form part of this DPA, where:

  • Customer is the “data exporter”
  • ChatAds is the “data importer”
  • The details in Annex 1 serve as Annex I of the SCCs
  • The security measures in Annex 2 serve as Annex II of the SCCs
  • The Sub-processor list in Annex 3 serves as Annex III of the SCCs

5.3 UK and Swiss Transfers

For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum) applies. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

6. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not limit either party’s liability for breaches of confidentiality obligations or indemnification obligations.

7. Term and Termination

This DPA will remain in effect for the duration of the Agreement. The obligations in this DPA will survive termination to the extent necessary for the parties to comply with their obligations regarding the deletion, return, or continued protection of Personal Data.

8. Conflicts

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

9. Contact Information

For questions or requests regarding this DPA, please contact:

ChatAds
Email: chris@getchatads.com
Website: chatads.com


Annex 1: Details of Processing

Subject Matter

Processing of Personal Data in connection with the provision of ChatAds Services, which enable conversational AI applications to deliver affiliate commerce and advertising experiences.

Duration

For the term of the Agreement, plus any retention period required for data deletion.

Nature and Purpose of Processing

  • Receiving and processing API requests containing conversation data
  • Analyzing message content to identify product mentions and purchase intent
  • Returning affiliate links and commerce recommendations
  • Maintaining usage logs and analytics
  • Providing customer support and account management

Types of Personal Data

  • Conversation content and message text submitted via API
  • IP addresses and device identifiers
  • API authentication credentials
  • Account and billing information
  • Usage data and analytics

Categories of Data Subjects

  • End users of Customer’s conversational AI applications
  • Customer’s employees and representatives
  • Customer’s account administrators

Special Categories of Data

ChatAds does not intentionally process special categories of Personal Data (e.g., health data, biometric data, data revealing racial or ethnic origin). Customer agrees not to submit such data to the Services.


Annex 2: Security Measures

ChatAds implements the following technical and organizational measures to protect Personal Data:

Infrastructure Security

  • Cloud infrastructure hosted on enterprise-grade providers with SOC 2 Type II compliance
  • Data encryption in transit using TLS 1.2 or higher
  • Data encryption at rest using AES-256 encryption
  • Network segmentation and firewalls
  • DDoS protection and rate limiting

Access Controls

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication required for administrative access
  • Principle of least privilege for employee access
  • Regular access reviews and prompt deprovisioning

Application Security

  • Secure software development lifecycle (SDLC)
  • Regular security testing and vulnerability assessments
  • Dependency scanning and timely patching
  • Input validation and output encoding

Operational Security

  • 24/7 monitoring and alerting for security events
  • Incident response procedures and escalation paths
  • Regular backups with encryption
  • Disaster recovery and business continuity planning

Personnel Security

  • Background checks for employees with access to Personal Data
  • Security awareness training for all personnel
  • Confidentiality agreements for all employees and contractors

Physical Security

  • Data centers with physical access controls
  • Environmental controls (fire suppression, climate control)
  • Redundant power and network connectivity

Annex 3: Sub-processors

ChatAds uses the following Sub-processors to provide the Services:

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and backend infrastructure | United States |
| Fly.io, Inc. | API compute infrastructure and application hosting | United States (with global edge locations) |
| Modal Labs, Inc. | Batch processing and scheduled jobs | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and application performance | United States |

ChatAds will update this list and provide notice to Customers as described in Section 4.3 before engaging any new Sub-processors.


Last updated: January 13, 2026