Data Processing Agreement (DPA)
This English translation is provided for convenience. In case of any discrepancy, the Spanish version prevails.
Last updated: 2026-06-21.
This document is the Data Processing Agreement governing the relationship between ChatMe OÜ (processor) and the Customer (controller) when the Customer uses the ChatME platform. It is incorporated by reference into the Terms of Service.
This agreement meets the requirements of Article 28 of the GDPR and incorporates the Standard Contractual Clauses (SCCs) Module 2 (Controller → Processor) pursuant to Commission Implementing Decision (EU) 2021/914.
Parties
Data processor ("Processor"):
- ChatMe OÜ
- Commercial register no. 17391989, VAT no. EE102933761
- Järvevana tee 9, Tallinn, 11314, Estonia
- Email for privacy matters: privacy@chatme.es
Data controller ("Customer"):
- The natural or legal person that has accepted the ChatME Terms of Service and maintains an active subscription.
- Identification details as recorded in their ChatME account.
By the mere acceptance of the Terms of Service and commencement of use of the Service, both parties are bound by this DPA.
1. Subject matter and duration
ChatME processes Personal Data on behalf of the Customer for the sole purpose of providing the Service (operating an AI-powered conversational chatbot on the Customer's website, collecting forms, storing conversations, generating analytics).
Duration: this DPA remains in force for as long as the main agreement between the Customer and ChatME remains in force. The confidentiality and return/deletion obligations survive termination.
2. Nature and purpose of the processing
| Aspect | Description |
|---|---|
| Nature | Storage, organisation, consultation, generation of responses using AI, sending of email notifications |
| Purpose | To allow visitors to interact with a chatbot of the Customer (on their website, their direct link page or connected messaging channels), submit forms and receive automated assistance |
| Categories of data subjects | Visitors who interact with the Customer's chatbot, whether on their website, on their direct link page or through connected messaging channels (Instagram, WhatsApp) |
| Categories of personal data | Name, email, phone number, free-text message content, technical session ID, device data (type, referrer), IP address in operational logs |
| Special categories (Art. 9) | Not processed by design. If a visitor discloses sensitive data in free text, the Customer is responsible for managing the situation |
3. Obligations of the Customer (Controller)
The Customer warrants that it will:
- Have a valid legal basis (Art. 6) for ChatME to process the data on its behalf.
- Inform visitors by means of its own privacy policy that discloses the existence of a chatbot, the purpose of the processing, the identity of ChatME as processor and a link to this policy.
- Have the appropriate consent or legal basis for any sensitive data voluntarily shared in the chat.
- Configure the retention periods and other options that the Service exposes in the dashboard.
4. Obligations of ChatME (Processor)
ChatME undertakes to:
4.1 Documented instructions
Process Personal Data only on the documented instructions of the Customer, as set out in this DPA, in the Terms of Service and in the settings the Customer configures in its dashboard.
4.2 Confidentiality
Ensure that persons authorised to process the data are subject to a statutory or contractual duty of confidentiality.
4.3 Security measures (Art. 32)
Implement and maintain the technical and organisational measures described in Annex I.
4.4 Sub-processors
- A public, up-to-date list is available at /legal/en/subprocessors.
- ChatME will notify the Customer at least 30 days in advance before adding or replacing a sub-processor, by email to the address registered on the account and by publication at the URL above.
- The Customer may object to the change on reasonable grounds. If ChatME cannot offer an alternative, the Customer may terminate the agreement with a pro-rated refund.
- All sub-processors are bound by data protection obligations equivalent to those in this DPA.
4.5 Assistance to the Customer
Assist the Customer, to the extent reasonable, in:
- Responding to data subject rights requests (Chapter III GDPR).
- Complying with security obligations (Art. 32), personal data breach notification (Art. 33–34) and data protection impact assessments (Art. 35–36).
4.6 Personal data breach notification
Notify the Customer by email to the registered address without undue delay and, unless there is justified cause, within a maximum of 48 hours of ChatME becoming aware, providing the information under Art. 33(3) to the extent available.
4.7 Return or deletion upon termination
Upon termination of the agreement, at the Customer's choice:
- Return all Personal Data in a standard machine-readable format (JSON or CSV), or
- Delete them together with existing copies, except where EU or Member State law requires retention.
Effective deletion is completed within 30 days of the request (grace period for accidental recovery).
5. International transfers
Some sub-processors (Anthropic, OpenAI, Resend, parts of Vercel) process data in the United States. These transfers are safeguarded by the Standard Contractual Clauses (SCCs) Module 3 (Processor → Processor), included in the respective DPAs with each sub-processor.
ChatME maintains the transfer impact assessment (TIA) documentation and makes it available to the Customer upon reasonable request.
6. Audits
Upon the Customer's reasonable request and no more than once per calendar year, ChatME will provide:
- An updated version of this list of technical and organisational measures.
- Summaries of applicable third-party audits (where available).
- Reasonable responses to a standard questionnaire (e.g., CAIQ, SIG Lite).
On-site inspections will require prior agreement on date, scope and confidentiality restrictions. The Customer will bear the reasonable costs.
7. Limitation of liability
Without prejudice to broader clauses in the main agreement, ChatME's aggregate liability under this DPA is limited as set out in the main agreement between the parties. Nothing in this limitation affects liability that applicable law does not allow to be limited.
8. Final provisions
- Governing law: the laws of Estonia, without prejudice to compliance with the GDPR as directly applicable EU law.
- Jurisdiction: the courts of Tallinn, Estonia, without prejudice to the Customer's right to lodge a complaint with its national supervisory authority.
- Conflict between documents: in the event of a conflict between this DPA and the main agreement, this DPA prevails with regard to the processing of personal data.
Annex I — Technical and organisational measures
(In accordance with Art. 32 GDPR and the requirements of the SCCs)
A. Confidentiality
- Encryption in transit: TLS 1.2+ mandatory on all endpoints. Vercel and Supabase enforce TLS 1.3.
- Encryption at rest: AES-256 in Supabase Storage and the database.
- Per-customer isolation: Row-Level Security at the database level, verified by a pgTAP test suite on every change.
- Staff access: principle of least privilege. Support access to Customer data is recorded in an immutable audit log.
- Credential management: secrets stored in Vercel/Supabase (encrypted); rotation upon suspected exposure.
B. Integrity
- Backups: Supabase Pro performs automatic daily backups retained for 7 days.
- Point-in-time recovery: 7-day window.
- Checksums / hashing: passwords hashed with bcrypt via Supabase Auth. HMAC signatures on Stripe and Supabase Auth webhooks.
C. Availability
- Redundancy: Supabase + Vercel with a 99.9% SLA.
- Monitoring: deployment errors notified by email; logs accessible via the Vercel/Supabase dashboards.
- Incident response plan: documented in the internal
docs/incident-response.md; summary available upon request.
D. Resilience and testing
- RLS isolation test suite: runnable on demand; results documented in
docs/rls-audit.md. - Periodic reviews: quarterly review of the status of sub-processors, keys and RLS policies.
E. Secure deletion
- Soft-delete + hard-delete: conversations are marked as deleted immediately and physically erased 30 days later (Phase A3, implementation in progress).
- Storage: files uploaded by the Customer are physically deleted from Supabase Storage when the source is deleted or the account is closed.
F. Location
- Primary servers: Supabase EU-West-1 (Dublin, Ireland), Vercel Frankfurt (Germany) for function execution.
- Operational logs and LLM services: United States under SCCs (see sub-processor list).
Agreement
The Customer's acceptance of the Terms of Service and activation of the subscription constitute acceptance of this DPA.
For a signed version in PDF format, write to privacy@chatme.es stating your entity's legal name. We will return a digitally executed copy within 5 business days.