Data Processing Agreement

Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller: the legal entity that has accepted Chativ's Terms of Service and is registered as a Customer ("Customer" or "Controller"); and
• Data Processor: Traqqie B.V., trading as Chativ, a private limited company incorporated in the Netherlands (KvK: 96664606), registered office at Bankastraat 42, 1094 EG Amsterdam ("Chativ" or "Processor").

This DPA applies to Chativ's processing of personal data on behalf of the Customer in connection with the provision of the Chativ Service, as defined in the Terms of Service.

1. Definitions

Unless otherwise defined, capitalised terms have the meaning given in the Terms of Service. In this DPA:

• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
• "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given to them in the GDPR.
• "Customer Data" means any Personal Data that the Customer submits to, or that is generated through the Customer's use of, the Chativ Service, including chat messages and contact information collected via the widget.
• "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries as adopted by the European Commission in Decision 2021/914/EU.
• "Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.

2. Subject Matter, Nature, and Purpose of Processing

Chativ processes Customer Data solely to provide the Service as described in the Terms of Service and as further instructed by the Customer through their use of the platform. The nature and purpose of processing includes:

• Storing chat session data and message content in Chativ's database
• Transmitting message content to AI model providers to generate responses
• Displaying chat history in the Customer's dashboard
• Sending escalation notification emails to addresses the Customer has configured
• Capturing contact details (name and email) from end users who consent to be contacted

Categories of Data Subjects

End users of websites on which the Customer has deployed the Chativ widget.

Categories of Personal Data

• Chat message content
• Name and email address (where voluntarily provided by the end user)
• Session identifier and timestamps
• IP address (processed transiently during request handling; not stored separately)

Duration

Chativ will process Customer Data for the duration of the Customer's subscription and for a further period of up to 30 days after account closure, during which data will be deleted or anonymised (subject to legal retention obligations).

3. Processor Obligations

Chativ agrees to:

3.1 Instructions

Process Customer Data only on the documented instructions of the Customer as set out in this DPA and the Terms of Service, unless required by EU or EU Member State law. Chativ will inform the Customer promptly if it believes an instruction infringes the GDPR or other applicable data protection law.

3.2 Confidentiality

Ensure that persons authorised to process Customer Data are subject to appropriate confidentiality obligations.

3.3 Security

Implement and maintain appropriate technical and organisational security measures as required by GDPR Article 32, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, including as a minimum:

• Encryption of data in transit (TLS) and at rest
• Access controls limiting Personal Data access to authorised personnel
• Regular security testing and vulnerability management
• Procedures for testing and evaluating the effectiveness of security measures

3.4 Sub-processing

Chativ is authorised to use the sub-processors listed in the Privacy Policy (Section 6) to perform specific processing activities on its behalf. Chativ will:

• Impose data protection obligations on each sub-processor that are no less protective than those in this DPA
• Notify the Customer of any intended addition or replacement of a sub-processor by updating the Privacy Policy at least 14 days before the change takes effect, giving the Customer an opportunity to object
• Remain fully liable to the Customer for any sub-processor's failure to fulfil its data protection obligations

3.5 Data Subject Rights

Assist the Customer, by appropriate technical and organisational measures, to fulfil its obligations to respond to data subject requests to exercise rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Chativ will forward any data subject requests it receives relating to Customer Data to the Customer without undue delay.

3.6 Security Incidents

Notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a Security Incident affecting Customer Data. The notification will include, to the extent known at the time:

• A description of the nature of the incident
• The categories and approximate number of data subjects concerned
• The categories and approximate number of personal data records concerned
• The likely consequences of the incident
• Measures taken or proposed to address the incident

3.7 Data Protection Impact Assessments

Provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) and, where necessary, prior consultations with supervisory authorities, in each case solely in relation to processing of Customer Data and taking into account the information available to Chativ.

3.8 Deletion or Return of Data

At the Customer's choice, delete or return all Customer Data to the Customer after the end of the provision of services, and delete existing copies unless EU or EU Member State law requires further storage. Deletion is completed within 30 days of a written request or account closure.

3.9 Audit Rights

Make available to the Customer all information necessary to demonstrate compliance with the obligations of this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Chativ may require the auditor to sign a non-disclosure agreement. Where the Customer exercises its audit right, Chativ may charge reasonable costs for the assistance provided.

4. Controller Obligations

The Customer represents, warrants, and agrees that:

• It has a valid legal basis under GDPR for collecting and processing the personal data of its website visitors, and for engaging Chativ to process that data on its behalf.
• It has provided all notices and obtained all consents required by applicable data protection law from its end users, including disclosure that an AI chatbot is in use.
• Its instructions to Chativ comply with applicable data protection law.
• It will not instruct Chativ to process special categories of personal data without a valid legal basis under GDPR Article 9.
• It will update its own privacy policy to disclose the use of Chativ and the data flows described in this DPA.

5. International Data Transfers

To the extent that Chativ transfers Customer Data to sub-processors outside the EEA (as detailed in the Privacy Policy, Section 8), such transfers are governed by:

• The EU Standard Contractual Clauses (Module 3: Processor-to-Processor) as adopted by the European Commission Decision 2021/914/EU, which are hereby incorporated by reference; or
• Another valid transfer mechanism under GDPR Chapter V.

By accepting this DPA, the Customer also acts as exporter under the SCCs (Module 2: Controller-to-Processor) to the extent Chativ transfers Customer Data outside the EEA as a Processor on the Customer's behalf, and Chativ acts as importer. The relevant Annexes to those SCCs are as set out in the Privacy Policy (Sections 3, 6, and 8) and this DPA (Section 2 above).

6. AI Processing — Specific Terms

The Customer acknowledges that the core function of the Service involves transmitting chat messages to third-party AI model providers (sub-processors) for real-time processing. In particular:

• No training on Customer Data: Chativ contractually prohibits its AI sub-processors from using Customer Data to train, fine-tune, or improve their AI models. This applies to all AI model providers through which Chativ routes requests.
• Ephemeral processing: AI model providers process message content only to generate a response. Customer Data is not persistently stored by AI providers beyond any retention period required by their own API terms (which Chativ will disclose on request).
• Model changes: Chativ may change the underlying AI model or provider subject to the sub-processor change notification procedure in Section 3.4. If the Customer objects to a new AI sub-processor and the parties cannot agree an alternative, the Customer may terminate the Service with 30 days' notice without penalty.
• AI Act compliance: Chativ is the provider of an AI system under Regulation (EU) 2024/1689 (EU AI Act). The Customer, as the entity deploying the widget on its website, is the deployer. Each party is responsible for its own obligations under the EU AI Act in respect of its role.

7. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits a party's liability to data subjects or supervisory authorities as set out in the GDPR.

If a party has paid compensation to a data subject following a joint-liability determination under GDPR Article 82, the other party shall reimburse that portion of the compensation corresponding to its share of responsibility for the damage, to the extent determinable.

8. Term and Termination

This DPA is effective from the date the Customer accepts the Terms of Service and remains in force until the Terms of Service are terminated. Upon termination, Chativ's obligations regarding deletion of Customer Data (Section 3.8) survive.

9. Governing Law

This DPA is governed by the laws of the Netherlands. Any disputes arising from or in connection with this DPA that cannot be resolved amicably shall be subject to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands, without prejudice to the right of either party to apply to a competent court for interim relief, and without prejudice to the rights of data subjects and supervisory authorities under the GDPR.

10. Contact and Custom DPA Requests

Customers who require a negotiated or countersigned DPA, or who have questions about Chativ's data processing practices, should contact:

Traqqie B.V. (Chativ)
Email: support@usechativ.com
Subject: "DPA Request"