Chatbot Builder
English
Summary for informational purposes — not legal advice.
This Data Processing Addendum (“DPA”) summary describes the terms under which Kitebots processes personal data on behalf of customers who deploy chatbots. It forms part of, and is governed by, our Terms of Service. This is a template summary for informational purposes and is not legal advice; a countersigned DPA is available on request at privacy@kitebots.com.
Where Kitebots processes personal data of your end-users (for example chat messages and lead-form submissions) in the course of providing the Service, you act as the controller (or processor for your own customers) and Kitebots acts as your processor (or sub-processor). This DPA applies to that processing and reflects the requirements of GDPR Article 28.
Kitebots processes personal data only on your documented instructions, including the configuration choices you make in the platform, and as necessary to provide and secure the Service or to comply with applicable law. We will inform you if, in our opinion, an instruction infringes applicable data protection law.
Personnel authorized to process personal data are bound by confidentiality obligations. We implement appropriate technical and organizational measures (GDPR Article 32), including encryption in transit and at rest, access controls, workspace isolation, logging, and backup/recovery, designed to ensure a level of security appropriate to the risk.
You authorize Kitebots to engage sub-processors to provide the Service, including Amazon Web Services, OpenAI and comparable LLM API providers, Upstash, Razorpay, and Meta (for integrations you enable). Kitebots imposes data protection obligations on its sub-processors consistent with this DPA and remains responsible for their performance. A current sub-processor list is available on request, and we will provide a mechanism to notify you of changes.
Taking into account the nature of the processing, Kitebots provides tools (data export, account and conversation deletion, automatic chat-data expiry) and reasonable assistance to help you fulfill requests from data subjects to exercise their rights under GDPR Chapter III.
Kitebots will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably necessary for you to meet your own notification obligations.
Where personal data is transferred outside the EEA/UK, the parties rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum where applicable), incorporated by reference into the countersigned DPA.
Upon termination of the Service, and subject to retention required by law, Kitebots will delete or return personal data processed on your behalf within a commercially reasonable period, and delete existing copies except where storage is required by applicable law.
Kitebots will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, subject to reasonable confidentiality and scheduling safeguards.
To request a countersigned DPA, email privacy@kitebots.com.