Data Processing Addendum
Version: 1.0 · Last updated: May 8, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Chatim LLC (“Chatim”, “we”, “us”) and the customer (“Customer”, “you”) that subscribes to or otherwise uses the Chatim Service (the “Agreement”). It governs the processing of personal data by Chatim acting as a processor on behalf of Customer in connection with the Chatim live-chat and chatbot service (the “Service”).
By using the Service, Customer accepts this DPA on behalf of itself and any of its affiliates that use the Service. If Customer is processing personal data of individuals in the European Economic Area (EEA), United Kingdom, Switzerland, California, or any other jurisdiction with comparable data protection laws, this DPA applies.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Terms and Conditions or the Privacy Policy. The following terms have the meanings set out below:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection (revFADP), the California Consumer Privacy Act of 2018 as amended by the CPRA (“CCPA”), and any successor or comparable laws.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, and “Sub-processor” have the meanings given in Applicable Data Protection Law. Under the CCPA, the corresponding terms are “Business”, “Service Provider”, “Consumer”, and “Personal Information”.
- “Customer Personal Data” means Personal Data that Chatim Processes on behalf of Customer in providing the Service, including data about Customer’s end users (such as website visitors who interact with the Chatim widget) and data about Customer’s authorized users of the Service.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time, and the corresponding UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office.
- “EU-US DPF” means the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework, in each case as administered by the U.S. Department of Commerce.
2. Scope and roles of the parties
The parties acknowledge that, with respect to the Processing of Customer Personal Data under the Agreement:
- Customer is the Controller of Customer Personal Data (or, where Customer itself acts as a Processor for a third party, Customer is the relevant Processor).
- Chatim is the Processor of Customer Personal Data.
- Under the CCPA, Chatim is a Service Provider to Customer with respect to Customer Personal Data and does not Sell or Share such Personal Data, as those terms are defined under the CCPA.
With respect to data that Chatim processes for its own purposes — for example, account administration, billing, security monitoring, and aggregated service analytics — Chatim acts as an independent Controller and the Chatim Privacy Policy applies.
3. Subject matter, duration, nature, and purpose of Processing
Subject matter. The Processing of Customer Personal Data by Chatim in connection with the Service.
Duration. For the term of the Agreement, plus the retention periods described in the Chatim Privacy Policy or as required to comply with Chatim’s legal obligations.
Nature and purpose. Provision of the Chatim live-chat and chatbot service to Customer, including (a) hosting and delivering the embedded chat widget on Customer’s website; (b) routing visitor messages between visitors and Customer’s authorized users; (c) executing chatbot flows configured by Customer; (d) generating AI-driven chatbot responses where Customer enables the AI feature; (e) forwarding conversations to Customer-configured integrations (Slack, Pipedrive, Telegram, WhatsApp, Messenger, Instagram, Webhooks); and (f) sending transactional emails and push notifications to Customer’s authorized users.
A more detailed description of Processing activities is set out in Annex A.
4. Categories of Personal Data and Data Subjects
Categories of Data Subjects.
- Visitors to Customer’s website who interact with the Chatim widget;
- Customer’s authorized users of the Chatim admin dashboard (Customer’s employees, contractors, or agents);
- Individuals whose personal data Customer chooses to submit through chatbot flows or live-chat conversations.
Categories of Personal Data. The categories of Personal Data Processed depend on Customer’s configuration of the Service and may include:
- Visitor identifiers and device data: IP address, approximate geolocation (country, region, city, postal code, latitude/longitude), browser and operating-system information, device type, language, timezone, page URL, referrer URL;
- Chat content: visitor-typed messages, file uploads, form submissions, button selections, AI-generated responses;
- Contact information voluntarily provided by visitors: name, email address, phone number, and any other fields configured in chatbot forms;
- Custom variables passed by Customer via the Chatim JavaScript SDK (e.g., user ID, plan type, account context);
- Authorized-user data: name, email address, hashed password, role, account activity, IP address, and device information used to access the admin dashboard.
Customer agrees not to submit special-category Personal Data (Article 9 GDPR) or sensitive Personal Information (CCPA) through the Service except as expressly permitted by Chatim in writing. Customer is solely responsible for obtaining all necessary consents from Data Subjects for the Processing carried out via the Service.
5. Customer obligations
Customer represents, warrants, and agrees that:
- Customer has a valid lawful basis under Applicable Data Protection Law for all Processing of Customer Personal Data carried out via the Service, including for the use of any integrations Customer enables;
- Customer is responsible for providing all required notices and obtaining all required consents from Data Subjects, including cookie/tracker consent where required, before the Service collects any Personal Data on Customer’s website;
- Customer’s instructions to Chatim regarding the Processing of Customer Personal Data comply with Applicable Data Protection Law;
- Customer will not configure the Service in a manner that violates Applicable Data Protection Law, the Agreement, or the rights of any Data Subject;
- Customer is responsible for the security and confidentiality of authorized-user credentials and for promptly revoking access for users who no longer require it.
6. Chatim obligations as Processor
6.1 Documented instructions
Chatim will Process Customer Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required to do otherwise by applicable law. Customer’s use of the Service in accordance with the Agreement constitutes Customer’s documented instructions to Chatim. Chatim will inform Customer if, in Chatim’s opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by applicable law from doing so.
6.2 Confidentiality
Chatim ensures that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to those who require it to perform their duties.
6.3 Security (Article 32 GDPR)
Chatim implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects. The measures in effect as of the date of this DPA are described in Annex C.
6.4 Sub-processors
Customer grants Chatim general written authorization to engage Sub-processors to Process Customer Personal Data, subject to the requirements of this Section 6.4. Chatim’s current Sub-processors are listed in Annex B.
Chatim will (a) enter into a written agreement with each Sub-processor containing data-protection obligations no less protective than those in this DPA; (b) remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as for its own; and (c) provide at least thirty (30) days’ prior notice of any addition or replacement of a Sub-processor that Processes Customer Personal Data, by updating https://chatim.app/en/dpa/ or via email to the address Customer has designated for notices.
Customer may object on reasonable, documented grounds related to data protection within thirty (30) days of notification by emailing [email protected]. If the parties cannot resolve the objection in good faith, Customer’s sole remedy is to terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid fees for the unused portion of the subscription term.
6.5 Assistance with Data Subject rights
Taking into account the nature of the Processing, Chatim will assist Customer through appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). If Chatim receives such a request directly from a Data Subject, Chatim will, where it can identify the relevant Customer, refer the Data Subject to Customer or pass the request to Customer.
6.6 Personal Data Breach notification
Chatim will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, measures taken or proposed to address the breach, and a contact point for further information. Chatim will provide reasonable cooperation and information to enable Customer to comply with its own breach-notification obligations under Applicable Data Protection Law. Notice of a Personal Data Breach is not an admission of fault or liability.
6.7 DPIA and prior consultation assistance
Taking into account the nature of Processing and the information available to Chatim, Chatim will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities), at Customer’s documented request and at Customer’s expense for assistance beyond Chatim’s standard self-service tooling and documentation.
6.8 Deletion or return at end of Service
Upon termination or expiry of the Agreement, Chatim will, at Customer’s choice and request, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by applicable law or for the establishment, exercise, or defense of legal claims. Customer may export Customer Personal Data through the self-service export tools available in the admin dashboard during the term of the Agreement and for thirty (30) days after termination, after which Chatim will delete Customer Personal Data on the schedule published in the Chatim Privacy Policy.
6.9 Audits
Chatim will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Customer may request, no more than once per twelve (12)-month period (except where required by a supervisory authority or following a Personal Data Breach), an audit of Chatim’s compliance with this DPA, on at least sixty (60) days’ written notice. Audits will be conducted during normal business hours, will not unreasonably interfere with Chatim’s operations, and will be subject to reasonable confidentiality protections. Where available, Chatim will satisfy audit requests by providing relevant third-party certifications, attestations, or audit reports (such as ISO 27001 or SOC 2 reports of its Sub-processors) in lieu of an on-site audit. Customer bears its own audit costs and reimburses Chatim for reasonable time and expense incurred in assisting beyond standard self-service documentation.
7. International data transfers
Chatim is established in the United States and stores and processes Customer Personal Data primarily in the United States. Where Chatim transfers Customer Personal Data from the EEA, United Kingdom, or Switzerland to a country that has not been recognized by the relevant authority as providing an adequate level of data protection, the parties rely on the following transfer mechanisms:
- EU-US DPF. Where the recipient Sub-processor is certified under the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework, the parties rely on the relevant certification.
- Standard Contractual Clauses. For Sub-processors not certified under the DPF, the parties incorporate by reference the European Commission Standard Contractual Clauses, Module Three (Processor-to-Processor) (and, for UK transfers, the UK International Data Transfer Addendum), with Chatim as data importer and Customer (or Customer’s controller) as data exporter, with the docking clause enabled, governing law of Ireland (or, for UK transfers, England and Wales), and competent supervisory authority being the supervisory authority of Customer’s establishment.
- Other lawful mechanisms. Where neither of the foregoing applies, Chatim will rely on a transfer mechanism approved under Applicable Data Protection Law (such as binding corporate rules or approved derogations) and will notify Customer of the mechanism on request.
Where required, the SCCs incorporated by reference shall be deemed completed using the information in this DPA (parties’ identities and roles, categories of Data Subjects and Personal Data, nature and purpose of Processing, Sub-processors, technical and organizational measures, and competent supervisory authority).
8. CCPA / CPRA service-provider provisions
To the extent Chatim Processes Personal Information (as defined under the CCPA) on behalf of Customer:
- Chatim is a Service Provider to Customer and Processes such Personal Information solely for the limited and specified purposes set out in this DPA and the Agreement (the “Business Purposes”);
- Chatim will not Sell or Share the Personal Information; will not retain, use, or disclose it for any purpose other than the Business Purposes (including for any “commercial purpose” outside the Business Purposes); will not retain, use, or disclose it outside the direct business relationship between the parties; and will not combine it with Personal Information received from any other source, except as permitted under the CCPA;
- Chatim will comply with applicable obligations under the CCPA and provide the same level of privacy protection as required of Customer;
- Chatim grants Customer the right to take reasonable and appropriate steps to ensure that Chatim uses the Personal Information consistent with Customer’s obligations under the CCPA, and the right to stop and remediate any unauthorized use upon notice;
- Chatim will notify Customer if it determines it can no longer meet its obligations under the CCPA;
- Chatim will assist Customer in responding to verifiable consumer requests under the CCPA to the extent reasonably available through Chatim’s standard tooling.
Customer certifies that it understands the foregoing restrictions and will comply with them.
9. Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Law.
10. Term and termination
This DPA takes effect on the date Customer first uses the Service or accepts the Agreement, whichever is earlier, and remains in effect for the term of the Agreement. Sections that by their nature should survive termination — including obligations regarding confidentiality, security, deletion or return, audit, liability, and governing law — survive termination.
11. Order of precedence
In the event of a conflict between this DPA and the Agreement, this DPA governs solely with respect to the Processing of Customer Personal Data. Where Standard Contractual Clauses are incorporated into this DPA, the SCCs prevail in case of conflict with this DPA on matters within their scope.
12. Governing law and notices
This DPA is governed by the law specified in the Agreement, except that the Standard Contractual Clauses (where they apply) are governed by the law of Ireland (or, for UK transfers, England and Wales). Notices under this DPA must be sent to [email protected] for Chatim and to the email address Customer has designated for notices in the admin dashboard.
Annex A — Description of Processing
Categories of Data Subjects. See Section 4.
Categories of Personal Data. See Section 4.
Special categories of Personal Data. Not Processed unless Customer submits such data through chatbot flows or live-chat messages. Customer is responsible for any such Processing.
Frequency of transfer. Continuous, on a per-interaction basis, for the duration of the Agreement.
Nature of Processing. Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to Customer-configured integrations or authorized users, restriction, erasure, and destruction.
Purpose of Processing. Provision of the Chatim live-chat and chatbot service to Customer, as further described in Section 3.
Retention period. As published in the Chatim Privacy Policy under “Data Retention Policy”, including:
- Chat records and conversation history: 24 months after last activity;
- Visitor browsing data (page views, device info): 12 months;
- Abandoned chats with no visitor interaction: 90 days;
- Inactive user accounts: 24 months of inactivity, with 60-day warning;
- Billing and payment records: 7 years (legal obligation);
- Push notification subscriptions: until revoked or account deletion;
- Error and diagnostic logs: 90 days.
Annex B — Sub-processors
The following Sub-processors are engaged by Chatim to Process Customer Personal Data. Sub-processors marked “triggered” receive Customer Personal Data only when Customer affirmatively enables the corresponding integration in the admin dashboard.
Core infrastructure (always engaged)
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services, Inc. | Application hosting, database, storage | United States | EU-US DPF |
| Cloudflare, Inc. | CDN, DDoS protection, geo-detection, bot management | Global | EU-US DPF |
| Stripe, Inc. | Payment processing, billing | United States | EU-US DPF |
| Twilio Inc. (SendGrid) | Transactional email delivery | United States | EU-US DPF |
| Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | United States | SCCs |
| Google LLC (Cloud / Vertex AI) | AI chatbot responses (when enabled by Customer) | United States | EU-US DPF |
| Anthropic, PBC | AI chatbot responses (when enabled by Customer) | United States | SCCs + Zero Data Retention addendum |
| Iubenda srl | Privacy and cookie consent management | Italy (EEA) | Within EEA |
Customer-enabled integrations (triggered)
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Slack Technologies, LLC (Salesforce) | Team notifications via Slack integration | United States | EU-US DPF |
| Pipedrive OÜ | CRM sync via Pipedrive integration | Estonia (EEA) | Within EEA |
| Telegram FZ-LLC | Notifications via Telegram integration | Global | SCCs |
| Meta Platforms, Inc. (WhatsApp Business) | Messaging via WhatsApp Business integration | United States | EU-US DPF |
| Meta Platforms, Inc. (Messenger / Instagram DM) | Messaging via Messenger / Instagram integration | United States | EU-US DPF |
| Customer-configured Webhook endpoint | Forwarding chat events to Customer’s own endpoint | Determined by Customer | Customer’s responsibility |
Chatim will publish updates to this list at https://chatim.app/en/dpa/ and notify Customer in accordance with Section 6.4.
Annex C — Technical and Organizational Measures
Chatim maintains the following technical and organizational measures to protect Customer Personal Data, in accordance with Article 32 GDPR. These measures are subject to ongoing improvement as technology evolves.
1. Encryption
- Data in transit is encrypted using TLS 1.2 or higher between visitor browsers, the Chatim widget, the Chatim backend, and all Sub-processors.
- Data at rest is encrypted using AES-256 (or equivalent) on managed cloud storage and databases.
- Authorized-user passwords are stored using a one-way salted hash (bcrypt or equivalent).
2. Access control
- Role-based access control to the Chatim admin dashboard, with separate admin and manager roles per project.
- Multi-factor authentication available to authorized users.
- Internal Chatim personnel access to production systems is limited to employees with a documented need, governed by least-privilege principles and revoked promptly upon role change or departure.
- Audit logging of administrative actions on Customer accounts.
3. Network and infrastructure security
- Cloud-native firewalling, DDoS protection, and bot management via Cloudflare.
- Hardened server images, regular security patching, automated dependency vulnerability scanning.
- Production secrets stored in a dedicated secrets manager, not in source code.
4. Application security
- Parameterized database queries to prevent SQL injection.
- Input validation and output encoding to prevent injection attacks.
- Same-origin and CSRF protections on the admin dashboard.
- Rate limiting on widget-side endpoints.
5. Backup and resilience
- Daily automated database backups with point-in-time recovery.
- Backups are encrypted and retained in accordance with the retention schedule.
- Geographically redundant infrastructure where supported by the underlying provider.
6. Personnel
- All personnel with access to Customer Personal Data are bound by written confidentiality obligations.
- Security and privacy training provided on hire and on a recurring basis.
7. Incident response
- Documented incident-response process covering detection, classification, containment, eradication, recovery, and notification.
- 72-hour Personal Data Breach notification commitment to Customers (Section 6.6).
8. Vendor management
- Sub-processor due diligence focused on data-protection certifications (SOC 2, ISO 27001, EU-US DPF) and contractual data-protection terms no less protective than this DPA.
For questions about this DPA, write to [email protected]. The current version of this DPA is always available at https://chatim.app/en/dpa/.