← All policies
Data Processing Agreement
How Chatonics processes personal data on behalf of its customers.
Last updated: June 29, 2026Version 0.1 (Draft)
Draft - not yet in force. This is version 0.1, pending review by qualified legal counsel. Some details shown in brackets are placeholders to be finalised before launch. It is provided for planning and is not legal advice.
1. Roles
- The Customer is the controller of personal data processed through the Service.
- Chatonics ([Legal Entity]) is the processor, acting on the Customer's documented instructions.
- This Agreement supplements the Terms of Service.
2. Scope and purpose
| Item | Detail |
|---|---|
| Subject matter | Processing of personal data to provide the Service |
| Duration | For the term of the Customer's use of the Service |
| Nature and purpose | Hosting, messaging, AI assistance, ticketing, analytics |
| Data subjects | Customer's staff and the Customer's end customers / contacts |
| Data categories | Contact details, message content, usage data (see Annex A) |
3. Processor obligations
- Process personal data only on the Customer's documented instructions.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Customer with data-subject requests and compliance obligations.
- Make available information needed to demonstrate compliance.
4. Security measures
- Encryption of sensitive credentials, access controls, and tenant isolation.
- Logging, monitoring, and least-privilege access.
- Further detail is provided in the Security Whitepaper (Annex B reference).
5. Subprocessors
- The Customer authorizes the use of subprocessors listed in Annex C (for example hosting, email, AI processing).
- Subprocessors are bound by data-protection obligations no less protective than this Agreement.
- We will inform the Customer of intended changes and provide an opportunity to object.
6. Data subject rights and breaches
- We will assist the Customer in responding to data-subject requests.
- We will notify the Customer without undue delay after becoming aware of a personal-data breach.
7. International transfers
Where personal data is transferred across borders, appropriate safeguards (for example standard contractual clauses) will be used as required by applicable law. [Confirm mechanism with counsel.]
8. Return and deletion
On termination, we will delete or return personal data at the Customer's choice, except where retention is required by law. See the Data Retention Policy.
9. Audits
We will make available information reasonably necessary to demonstrate compliance and allow for audits subject to reasonable notice and confidentiality. [Define scope with counsel.]
10. Annexes
- Annex A - Data details: categories of data and data subjects. [To complete.]
- Annex B - Security measures: reference the Security Whitepaper. [To finalize.]
- Annex C - Subprocessors: current list maintained at [subprocessor list URL]. [To complete.]