Legal

Data Processing Agreement (DPA)

Standalone DPA between Customer and Syntranova AL LTD for GDPR-compliant processing.

Effective: 2026-06-06

Overview

This Data Processing Agreement ("DPA") forms part of your subscription to GlobalChatbot and applies whenever Syntranova AL LTD ("Processor") processes personal data on behalf of the Customer ("Controller").

For a signed PDF version applicable to Pro and Business plans, email support@globalchatbot.ai.

1. Definitions

Capitalised terms have the meanings given in GDPR (Regulation EU 2016/679) and in our Terms of Service.

2. Scope of processing

€1 Hosting, processing, and transmitting personal data submitted via the GlobalChatbot service.

€1 Deliver the Service to Customer.

€1 Term of the subscription plus 90 days for data export.

€1 Customer's end-users (e.g., website visitors who chat with the bot).

€1 Names, emails, phone numbers, chat content, IP addresses, and any data Customer chooses to collect via the bot.

3. Sub-processors

Processor uses the sub-processors listed at /privacy. Processor will provide Controller 30 days' prior written notice before adding or replacing a sub-processor.

Controller may object on reasonable grounds. If objection cannot be resolved, Controller may terminate the affected portion of the Service.

4. International transfers

Where personal data is transferred outside the EEA, transfers are governed by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and supplementary measures as required by Schrems II.

5. Security

Processor implements technical and organizational measures appropriate to the risk, including:

  • Encryption (AES-256-GCM at rest, TLS 1.2+ in transit)
  • Per-tenant data isolation
  • Role-based access control
  • Audit logging
  • Regular security assessments

A full description is at /security.

6. Data subject rights

Processor will assist Controller in responding to data subject requests by providing tools to access, export, and delete personal data via the dashboard.

7. Personal data breach

Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller's data.

8. Return or deletion

On termination, Processor will retain Controller's data for 90 days to allow export, then permanently delete it (including from backups within 30 additional days), unless legal obligations require longer retention.

9. Audit

Processor will provide Controller with information necessary to demonstrate compliance with this DPA. Pro and Business plan customers may request an annual audit subject to confidentiality terms.

10. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.

11. Governing law

This DPA is governed by the laws of Cyprus. Where mandatory provisions of GDPR or applicable consumer law apply, those provisions prevail.

Signature

Acceptance of this DPA is acceptance of the GlobalChatbot Terms of Service. For a signed PDF version, contact support@globalchatbot.ai.

Last updated: 2026-06-06.