Last updated: 2025-12-30

This Data Processing Agreement (“Agreement”) forms part of the agreement between ChatterKB (“Processor”) and the customer entity identified in the applicable order, subscription, or terms of service (“Controller”).

This Agreement is entered into to ensure compliance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

Terms used but not otherwise defined in this Agreement have the meanings given to them in the GDPR.

2. Scope and Roles

2.1 Controller and Processor
The Controller determines the purposes and means of processing personal data. ChatterKB acts as a data processor and processes personal data solely on documented instructions from the Controller.

2.2 Subject Matter and Duration
The subject matter of processing is the provision of the ChatterKB service, including AI-powered knowledge bases, chat, search, and workflows. Processing continues for the duration of the Controller’s use of the service.

3. Nature and Purpose of Processing

ChatterKB processes personal data for the purpose of:

  • Ingesting and storing customer-provided content
  • Generating AI-assisted responses and workflows
  • Providing search, retrieval, and analytics within the customer account
  • Operating, securing, and supporting the service

4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

  • Account information (such as email address)
  • User-generated content (documents, messages, workflows)
  • Chat history and AI-generated outputs
  • Metadata necessary to operate the service
  • Encrypted authentication and integration tokens

4.2 Categories of Data Subjects

  • Controller’s employees and contractors
  • Controller’s customers or end users
  • Other individuals whose personal data is included in uploaded content

5. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing personal data
  • It has provided all required notices to data subjects
  • Its instructions comply with applicable data protection laws

6. Processor Obligations

ChatterKB shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures pursuant to Article 32 GDPR
  • Not use personal data for model training, fine-tuning, or product improvement outside the Controller’s account

7. Subprocessing

7.1 The Controller authorizes ChatterKB to engage subprocessors for the provision of the service.

7.2 A current list of subprocessors is available at:

7.3 ChatterKB shall ensure that subprocessors are bound by data protection obligations no less protective than those in this Agreement.

8. International Data Transfers

8.1 Personal data may be processed outside the European Economic Area, including in the United States.

8.2 Such transfers are governed by the Standard Contractual Clauses (“SCCs”) approved by the European Commission, which are incorporated into this Agreement by reference.

9. Security Measures

ChatterKB implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for databases and object storage
  • Logical tenant isolation
  • Access controls and least-privilege permissions
  • Secure handling of credentials and secrets

10. Assistance with Data Subject Rights

ChatterKB shall assist the Controller, insofar as possible, in fulfilling requests relating to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability

11. Personal Data Breaches

ChatterKB shall notify the Controller without undue delay after becoming aware of a personal data breach, and shall provide information reasonably required to comply with GDPR obligations.

12. Deletion or Return of Data

Upon termination of the service or upon written request, ChatterKB shall delete or return personal data, unless retention is required by law.

13. Audits

ChatterKB shall make available information reasonably necessary to demonstrate compliance with this Agreement. Audits shall be limited to reasonable scope and frequency.

14. Liability

Liability arising from this Agreement shall be subject to the limitations set forth in the primary service agreement between the parties.

15. Governing Law

This Agreement shall be governed by the laws specified in the primary agreement between the parties.

Annex 1: Details of Processing

Subject matter:
Provision of AI-powered knowledge base, chat, and workflow services.

Nature of processing:
Collection, storage, retrieval, analysis, and generation of responses based on customer-provided content.

Duration:
For the duration of the Controller’s use of the service.

Categories of data subjects:
As described in Section 4.2.

Categories of personal data:
As described in Section 4.1.

Annex 2: Technical and Organizational Measures

  • HTTPS/TLS encryption in transit
  • Encryption at rest
  • Access controls and authentication
  • Monitoring and incident response
  • Secure key and secret management

Annex 3: Standard Contractual Clauses

The Standard Contractual Clauses (Module Two – Controller to Processor) adopted by the European Commission are incorporated by reference and apply to any transfer of personal data outside the EEA.