Data Processing Agreement
1. Parties and Roles
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Bestchatbot LLC, trading as BestChatBot, with registered address at 1209 N. Orange Street, Wilmington, Delaware 19801, United States ("BestChatBot", the processor), and the customer who accepts the Terms of Service ("you", "the merchant", the controller). It governs the personal data that BestChatBot processes on your behalf when you deploy a chatbot that interacts with your customers. If this DPA conflicts with the Terms of Service on data-protection matters, this DPA prevails.
2. Subject Matter and Purpose
We process personal data only to provide the BestChatBot service: operating the AI assistant you deploy, answering your customers' questions, identifying your logged-in customers, and, where you enable them, performing the integration actions you configure (such as looking up an order or booking a meeting). We process personal data for the duration of your subscription and for the limited retention periods described in section 9, and we act only on your documented instructions, which you give through your use of the product and its settings.
3. Categories of Data and Data Subjects
On your behalf, we may process the following categories of personal data about your customers and website visitors (the data subjects):
- Identity data: name and email address, used to identify a logged-in customer and to issue a session token.
- Order data: order status, order number, and shipping address, used to answer order-tracking questions.
- Conversation content: the messages your customers type and the results of any tools the assistant uses on their behalf.
- Technical data: a coarse country derived from the IP address (we do not store the raw IP), a hashed user-agent, and timestamps.
- Product-catalogue data is public storefront information and is not personal data.
4. Sub-processors
You authorize us to engage the sub-processors listed in our Privacy Policy to process personal data on your behalf. They include AI inference providers, an embeddings provider, a managed integration platform, and the e-commerce and business tools you choose to connect. We impose data-protection obligations on each sub-processor and remain responsible for their performance, and we will give you a reasonable means to learn of changes to this list and an opportunity to object.
5. Security Measures
We maintain technical and organizational measures appropriate to the risk, including:
- Encryption of all network traffic in transit (HTTPS/TLS).
- Encryption at rest of configuration secrets and third-party integration credentials.
- Strict isolation of each merchant's data.
- Access to production systems limited to authorized personnel over encrypted channels.
- Logging and monitoring of the platform to detect and investigate incidents.
6. Data-Subject Requests
Taking into account the nature of the processing, we will assist you in responding to requests from your customers to exercise their rights (access, rectification, erasure, restriction, portability, and objection). If a data subject contacts us directly, we will refer them to you unless you instruct otherwise. We provide deletion and erasure capabilities, including support for Shopify's mandatory data-request and data-erasure webhooks. These capabilities cover the personal data we hold in our own systems; they do not extend to data exported to third-party surfaces you control. In particular, when you enable the optional Slack live handoff, conversation content mirrored to your Slack workspace — including messages your agents type in Slack — cannot be erased by us and remains governed by Slack's own controls.
7. Personal Data Breaches
If we become aware of a personal data breach affecting personal data we process on your behalf, we will notify you without undue delay and provide the information you reasonably need to meet your own notification obligations. Our incident-response process covers detection, containment, assessment, notification, and remediation.
8. International Transfers
Personal data is stored in the United Kingdom and the European Union. Some sub-processors, in particular AI inference providers, may process personal data outside the EU/UK, including in the United States. Where personal data is transferred to a country without an adequacy decision, the transfer relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
9. Retention, Return and Deletion
We retain personal data only as long as needed to provide the service. Conversations and the personal data they contain are deleted automatically after 12 months of inactivity. When you delete a workspace, or on termination of your subscription, we permanently delete the associated personal data. On your request we will delete or return personal data, except where retention is required by law.
10. Term, Liability and Governing Law
This DPA remains in force while we process personal data on your behalf. Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of the State of Delaware, United States, and the state and federal courts located in Delaware, United States have exclusive jurisdiction, without prejudice to any mandatory data-protection rights of data subjects.
Contact
Questions about this Data Processing Agreement? Contact us at contact@bestchatbot.io