Data Processing Agreement (DPA)
Last updated: June 8, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Chat with CRM Ltd. ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") who utilizes the ChatWithCRM application and website (the "Service").
This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
1. Definitions
- "Data Protection Laws" means all applicable legislation protecting the fundamental rights and freedoms of individuals in respect of their right to privacy with respect to the processing of Personal Data, including the UK GDPR, the Data Protection Act 2018, and the EU GDPR.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller pursuant to this DPA.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- The terms "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Processing" shall have the same meaning as in the UK GDPR.
2. Details of the Processing
The Processor will process Personal Data strictly to provide the Service as outlined in the Terms of Service. This includes:
- Nature and Purpose: Providing AI-native CRM capabilities, analyzing customer data, generating AI-assisted communications, and facilitating automated marketing/tracking infrastructure across the Controller's digital assets.
- Categories of Data Subjects: The Controller's customers, prospects, employees, website visitors, and newsletter subscribers.
- Types of Personal Data: Names, contact details (emails, phone numbers), business affiliations, communication histories, CRM notes, IP addresses, and digital tracking data (via cookies or pixels).
- Duration: Personal Data will be processed for the duration of the Controller's subscription to the Service, plus any period necessary for secure deletion.
3. Controller Obligations
As the Data Controller, you represent and warrant that:
- You have established a lawful basis (such as consent or legitimate interest) to collect and process the Personal Data.
- You have provided all necessary privacy notices and obtained all required explicit consents from Data Subjects, particularly prior to utilizing our Service to deploy tracking pixels, cookies, or web beacons on your websites, apps, or emails.
- Your instructions to the Processor will at all times comply with Data Protection Laws.
4. Processor Obligations
As the Data Processor, we agree to:
- Documented Instructions: Process Personal Data only on your documented instructions (which include the functionalities of the Service and the Terms of Service), unless required to do otherwise by applicable law.
- Confidentiality: Ensure that all personnel authorized to process Personal Data are subject to a strict duty of confidentiality.
- Data Localization & Self-Hosted AI: Our core application logic and database are hosted strictly within the UK and the European Union. Furthermore, our primary Artificial Intelligence models are open-source and run on physically secured, self-hosted servers located in the United Kingdom.
- No Model Training: We explicitly will not use your Personal Data, prompts, or chat logs to train our own foundational AI models, nor will we allow third parties to do so.
5. Security of Processing
We shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption in transit and at rest, secure zero-trust network tunneling, and strict access controls.
6. Sub-processing
You grant us general authorization to engage Sub-processors to assist in providing the Service (e.g., cloud hosting providers, edge-security networks, database managers, and optional third-party AI models). We will:
- Maintain an up-to-date list of our current Sub-processors at chatwithcrm.com/legal/sub-processors.
- Notify you (via email or in-app notification) at least 15 days prior to engaging any new Sub-processor, providing you with the opportunity to object to such changes. If you object on reasonable data protection grounds and we cannot accommodate your objection, you may terminate your subscription.
- Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
- Remain fully liable to you for the performance of the Sub-processor's obligations.
7. Data Subject Rights & Assistance
We will assist you, taking into account the nature of the processing, through appropriate technical and organizational measures, insofar as possible, to fulfill your obligations to respond to requests from Data Subjects exercising their rights (such as the right to access, rectify, or delete data). If we receive a request directly from a Data Subject relating to your data, we will promptly forward that request to you.
8. Personal Data Breaches
In the event of a confirmed Personal Data Breach affecting your data, we will notify you without undue delay (and in any event within 48 hours) after becoming aware of the breach. We will provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or Data Subjects.
9. International Data Transfers
Our primary infrastructure ensures that your core data is processed and stored within the UK and the EEA. If the processing of Personal Data involves a transfer outside of the United Kingdom or the EEA (such as utilizing global edge-routing networks or optional US-based third-party AI vendors), we will ensure that lawful safeguards are in place. These safeguards include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or reliance on the UK Extension to the EU-US Data Privacy Framework.
10. Deletion or Return of Data
Upon termination of your subscription or upon your written request, we will securely delete or return all Personal Data in our possession or control, except to the extent that we are required by applicable law to retain some or all of the Personal Data. Standard backup archives are purged on an automated, rolling basis.
11. Audits and Compliance
We will make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws. Any audits or inspections must be conducted subject to strict confidentiality obligations and standard security protocols.