DATA PROCESSING AGREEMENT

Effective Date: January 19, 2026

Last Updated: January 19, 2026

At IntelBuddy, we strive to provide high-quality AI chatbot solutions. By purchasing our services, you agree to the following refund policy.

PREAMBLE

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions (the "Agreement") between [Your Company Name] ("Processor" or "We") and the Customer ("Controller" or "You") to reflect the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party, where "Control" means ownership of fifty percent (50%) or more of the voting interests.

  • "Applicable Data Protection Laws" means all worldwide data protection and privacy laws applicable to the Personal Data in question, including EU/EEA Data Protection Laws, UK Data Protection Laws, and other applicable national implementing laws, regulations, and secondary legislation.

  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.

  • "Customer Data" means any Personal Data that Processor Processes on behalf of Controller in the course of providing the Services, including Training Data and Conversation Data.

  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

  • "EEA" means the European Economic Area.

  • "EU/EEA Data Protection Laws" means Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR") and any applicable national implementing laws, regulations, and secondary legislation.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Processor on behalf of Controller pursuant to this DPA.

  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

  • "Processor" means the entity that Processes Personal Data on behalf of the Controller. For the purposes of this DPA, [Your Company Name] is the Processor.

  • "Services" means the multi-tenant chatbot platform services provided by Processor to Controller pursuant to the Agreement.

  • "Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission for transfers of Personal Data to countries outside the EEA, as set out in Commission Implementing Decision (EU) 2021/914.

  • "Sub-processor" means any third party (including Affiliates) engaged by Processor to Process Personal Data on behalf of Controller.

  • "Supervisory Authority" means an independent public authority established pursuant to Applicable Data Protection Laws.

  • "UK Data Protection Laws" means the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

  • "UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.

1.2 Interpretation

  • Capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement.

  • The terms "data controller", "data processor", "personal data", "processing", and "data subject" shall have the meanings given in Applicable Data Protection Laws.

  • References to the GDPR include any successor or replacement legislation.

2. SCOPE AND APPLICABILITY

2.1 Scope of DPA

This DPA applies to the Processing of Customer Data by Processor on behalf of Controller in connection with the provision of the Services. This DPA applies where and only to the extent that:

  • Processor Processes Personal Data on behalf of Controller; and

  • Such Processing is subject to Applicable Data Protection Laws.

2.2 Relationship with Agreement

  • This DPA forms part of and is incorporated into the Agreement.

  • In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict with respect to matters relating to data protection.

  • This DPA replaces any previous data processing agreement between the parties relating to the Services.

2.3 Duration

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to the survival of obligations relating to return or deletion of Personal Data.

3. ROLES AND RESPONSIBILITIES

3.1 Roles of the Parties

The parties acknowledge and agree that:

  • Controller is the Controller of Customer Data;

  • Processor is the Processor of Customer Data, Processing such data on behalf of Controller;

  • Each party shall comply with its respective obligations under Applicable Data Protection Laws.

3.2 Controller Obligations

Controller shall:

  • Comply with all Applicable Data Protection Laws in respect of its Processing of Personal Data and its instructions to Processor;

  • Ensure it has all necessary rights, consents, and lawful bases to transfer Personal Data to Processor and to authorize Processor to Process such data;

  • Provide Processor with accurate and complete Processing instructions;

  • Be responsible for the accuracy, quality, and legality of Personal Data provided to Processor;

  • Provide appropriate notices to Data Subjects regarding the Processing of their Personal Data.

3.3 Processor Obligations

Processor shall:

  • Process Customer Data only in accordance with Controller's documented instructions, unless required to do otherwise by applicable law;

  • Inform Controller if, in Processor's opinion, an instruction infringes Applicable Data Protection Laws;

  • Ensure that persons authorized to Process Customer Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;

  • Assist Controller in responding to Data Subject requests and regulatory inquiries.

4. DETAILS OF PROCESSING

The details of the Processing activities are set out in Annex A (Description of Processing) to this DPA. A summary is provided below:

| Element | Description |
| --- | --- |
| Subject Matter | Processing of Customer Data in connection with the provision of multi-tenant chatbot platform services |
| Duration | Duration of the Agreement plus data retention period as specified in Privacy Policy |
| Purpose | Provision of chatbot services including: bot training, conversation processing, analytics, integrations, and related platform functionality |
| Nature of Processing | Collection, storage, retrieval, use, organization, structuring, adaptation, AI/ML processing, transmission, and erasure |
| Categories of Data Subjects | Controller's employees and authorized users; End Users interacting with Controller's chatbots; Individuals whose data is included in Training Data |
| Categories of Personal Data | Contact information, account credentials, conversation content, IP addresses, device information, usage data, and any other data provided in Training Data or conversations |
| Special Category Data | Not intended to be processed, unless Controller uploads such data in Training Data or End Users provide in conversations (Controller bears responsibility) |

5. PROCESSING INSTRUCTIONS

5.1 Controller's Instructions

The parties agree that this DPA and the Agreement (including any configuration of the Services by Controller) constitute Controller's complete and final instructions to Processor regarding the Processing of Customer Data. Additional instructions may be agreed upon separately in writing.

5.2 Compliance with Instructions

Processor shall Process Customer Data only in accordance with documented instructions from Controller, unless Processing is required by applicable law, in which case Processor shall inform Controller of that legal requirement before Processing (unless prohibited by law).

5.3 Notification of Unlawful Instructions

If Processor believes that any instruction from Controller infringes Applicable Data Protection Laws, Processor shall promptly inform Controller. Processor may suspend performance of the potentially infringing instruction until Controller confirms or modifies the instruction.

6. SUB-PROCESSING

6.1 Authorization

Controller provides general authorization for Processor to engage Sub-processors to Process Customer Data, subject to the requirements of this Section 6. A list of current Sub-processors is provided in Annex C and on Processor's website.

6.2 Sub-processor Obligations

Processor shall:

  • Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA;

  • Conduct appropriate due diligence on Sub-processors' data protection practices;

  • Remain fully liable to Controller for the performance of Sub-processors' obligations.

6.3 Changes to Sub-processors

Processor shall:

  • Notify Controller at least fourteen (14) days in advance of any intended changes to Sub-processors (via email or platform notification);

  • Provide Controller with an opportunity to object to such changes on reasonable grounds relating to data protection;

  • If Controller objects and the parties cannot resolve the objection within thirty (30) days, Controller may terminate the affected Services without penalty.

7. SECURITY MEASURES

7.1 Technical and Organizational Measures

Processor shall implement and maintain appropriate technical and organizational security measures to protect Customer Data against Personal Data Breaches, as described in Annex B (Security Measures). These measures include:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest

  • Access Controls: Role-based access, multi-factor authentication, principle of least privilege

  • Multi-Tenant Isolation: Logical data separation, tenant-specific encryption keys, isolated processing environments

  • Network Security: Firewalls, intrusion detection/prevention, DDoS protection

  • Monitoring: Continuous security monitoring, logging, and alerting

  • Testing: Regular vulnerability assessments and penetration testing

7.2 Confidentiality

Processor shall ensure that all personnel authorized to Process Customer Data are bound by confidentiality obligations and have received appropriate training on data protection requirements.

7.3 Updates to Security Measures

Processor may update security measures from time to time, provided such updates do not materially decrease the overall level of protection. Controller acknowledges that security measures are subject to technical progress and development.

8. PERSONAL DATA BREACH

8.1 Notification

Processor shall notify Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting Customer Data.

8.2 Information to be Provided

The notification shall include, to the extent known:

  • A description of the nature of the breach, including categories and approximate numbers of Data Subjects and records affected;

  • Contact details of Processor's data protection officer or other relevant contact;

  • A description of the likely consequences of the breach;

  • A description of measures taken or proposed to address the breach and mitigate its effects.

8.3 Cooperation

Processor shall cooperate with Controller and provide reasonable assistance to investigate the breach, fulfill Controller's notification obligations, and mitigate the breach's effects.

9. DATA SUBJECT RIGHTS

9.1 Assistance with Requests

Processor shall provide reasonable assistance to Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

9.2 Direct Requests

If Processor receives a request directly from a Data Subject, Processor shall promptly inform Controller and shall not respond to the request directly unless authorized by Controller or required by law.

9.3 Platform Tools

The Services provide Controller with tools to access, export, rectify, and delete Customer Data. Controller should use these self-service capabilities where possible before requesting Processor assistance.

10. INTERNATIONAL DATA TRANSFERS

10.1 Transfer Mechanisms

Where Customer Data is transferred to a country outside the EEA, UK, or Switzerland that has not received an adequacy decision, such transfers shall be subject to appropriate safeguards as follows:

  1. EU Standard Contractual Clauses: For transfers from the EEA, the SCCs (Module Two: Controller to Processor) are incorporated by reference and shall apply;

  2. UK International Data Transfer Agreement: For transfers from the UK, the UK IDTA or UK Addendum to the EU SCCs shall apply;

  3. Swiss Data Protection: For transfers from Switzerland, the SCCs shall apply with necessary modifications.

10.2 Transfer Impact Assessments

Processor shall conduct and document transfer impact assessments where required and implement supplementary measures as necessary to ensure an adequate level of data protection.

10.3 Data Locations

Details of data storage locations and Sub-processor locations are provided in Annex C. Controller may request data residency restrictions subject to availability and additional fees.

11. AUDIT AND COMPLIANCE

11.1 Audit Rights

Controller may audit Processor's compliance with this DPA through:

  • Review of Processor's security certifications, audit reports, and compliance documentation (e.g., SOC 2 Type II reports);

  • Written requests for information regarding Processor's data protection practices;

  • On-site or remote audits, subject to Section 11.2.

11.2 Audit Procedures

For on-site audits:

  • Controller shall provide at least thirty (30) days' written notice;

  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Processor's operations;

  • Controller shall bear its own costs unless the audit reveals material non-compliance;

  • Controller and any auditors shall be bound by confidentiality obligations;

  • Audits shall be limited to once per year unless a Personal Data Breach occurs or a Supervisory Authority requires additional audits.

12. DATA DELETION AND RETURN

12.1 Upon Termination

Upon termination or expiration of the Agreement, and upon Controller's written request, Processor shall:

  • Return Customer Data to Controller in a commonly used, machine-readable format; and/or

  • Delete all Customer Data (including copies) from Processor's systems within ninety (90) days, except where retention is required by applicable law.

12.2 Export Period

Controller shall have thirty (30) days following termination to export Customer Data using the Platform's self-service tools. After this period, Processor may delete Customer Data.

12.3 Certification

Upon Controller's written request, Processor shall certify in writing that it has deleted Customer Data in accordance with this Section.

13. CCPA-SPECIFIC PROVISIONS

To the extent Processor Processes Personal Data subject to the CCPA:

13.1 Service Provider Designation

Processor is designated as a "Service Provider" as defined under the CCPA and shall Process Personal Data only for the business purposes specified in this DPA and the Agreement.

13.2 Prohibitions

Processor shall not:

  • Sell or share Personal Data;

  • Retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement;

  • Retain, use, or disclose Personal Data outside of the direct business relationship with Controller;

  • Combine Personal Data with data received from other sources, except as permitted by the CCPA.

13.3 Certification

Processor certifies that it understands the restrictions in this Section and will comply with them.

14. LIABILITY

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Each party's aggregate liability under this DPA shall be included within (and not additional to) such party's total liability cap under the Agreement.

Any regulatory penalties, fines, or claims arising from Controller's failure to comply with its obligations under this DPA or Applicable Data Protection Laws shall be Controller's sole responsibility and shall reduce Processor's maximum liability accordingly.

15. GENERAL PROVISIONS

15.1 Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except where Applicable Data Protection Laws require otherwise.

15.2 Amendments

Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Processing activities. Material changes will be notified to Controller at least thirty (30) days in advance.

15.3 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

15.4 Entire Agreement

This DPA (including its Annexes) constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements.

15.5 Contact

For questions or requests regarding this DPA, please contact:

Codebuddy Inc

Attn: Legal Department

16192 Coastal Highway

Lewes, Delaware [DE], 19958-3608

USA

Support: support@intelbuddy.ai

ANNEX A

DESCRIPTION OF PROCESSING

A.1 Categories of Data Subjects

  • Controller's employees, contractors, and authorized users of the Platform

  • End Users who interact with Controller's chatbots

  • Individuals whose Personal Data is included in Training Data uploaded by Controller

A.2 Categories of Personal Data

| Element | Description |
| --- | --- |
| Subject Matter | Processing of Customer Data in connection with the provision of multi-tenant chatbot platform services |
| Duration | Duration of the Agreement plus data retention period as specified in Privacy Policy |
| Purpose | Provision of chatbot services including: bot training, conversation processing, analytics, integrations, and related platform functionality |
| Nature of Processing | Collection, storage, retrieval, use, organization, structuring, adaptation, AI/ML processing, transmission, and erasure |
| Categories of Data Subjects | Controller's employees and authorized users; End Users interacting with Controller's chatbots; Individuals whose data is included in Training Data |
| Categories of Personal Data | Contact information, account credentials, conversation content, IP addresses, device information, usage data, and any other data provided in Training Data or conversations |
| Special Category Data | Not intended to be processed, unless Controller uploads such data in Training Data or End Users provide in conversations (Controller bears responsibility) |

A.3 Processing Operations

  • Collection and storage of account registration data

  • Processing of Training Data for AI model training

  • Real-time processing of chatbot conversations

  • Website crawling for content extraction

  • Analytics processing and reporting

  • Translation and multilingual processing

  • Social media integration and message routing

ANNEX B

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

B.1 Data Encryption

  • All data in transit encrypted using TLS 1.2 or higher

  • All data at rest encrypted using AES-256

  • Encryption keys managed using secure key management systems

B.2 Access Controls

  • Role-based access control (RBAC) implemented across all systems

  • Multi-factor authentication required for administrative access

  • Principle of least privilege enforced

  • Regular access reviews and recertification

B.3 Multi-Tenant Isolation

  • Logical data separation using tenant identifiers

  • Database-level access controls preventing cross-tenant access

  • Isolated processing environments for sensitive operations

  • Tenant-specific encryption keys where applicable

B.4 Network Security

  • Firewall protection and network segmentation

  • Intrusion detection and prevention systems (IDS/IPS)

  • DDoS protection and mitigation

  • Regular vulnerability scanning and penetration testing

B.5 Physical Security

  • Data centers with 24/7 security personnel

  • Biometric and multi-factor physical access controls

  • Video surveillance and environmental monitoring

  • Redundant power and climate control systems

B.6 Incident Response

  • Documented incident response procedures

  • 24/7 security monitoring and alerting

  • Regular incident response drills and testing

  • Post-incident analysis and remediation

B.7 Business Continuity

  • Regular automated backups

  • Geographically distributed backup storage

  • Documented disaster recovery procedures

  • Regular recovery testing

© 2026 Intelbuddy. All rights reserved.