Data Processing Agreement

Data processing agreement (Auftragsverarbeitungsvertrag) pursuant to Art. 28 GDPR (DSGVO)

This Data Processing Agreement (“DPA”) is entered into between:

Controller: the entity that has agreed to the Chatcast Terms of Service (“Merchant”, “Controller”, “you”)

Processor: Comet Rocks GmbH, Cuvrystrasse 1, 10997 Berlin, Germany, registered at Amtsgericht Charlottenburg under HRB 247644 B (“Chatcast”, “Processor”, “we”, “us”)

This DPA forms part of and is subject to the Terms of Service (the “Agreement”). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the Chatcast platform. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

By using the Chatcast platform and connecting a store, the Controller accepts this DPA. A separate signature is not required.

1. Definitions

Terms not defined in this DPA have the meaning given to them in the Agreement or in the GDPR (Regulation (EU) 2016/679). In addition:

  • “Controller Personal Data” means personal data of end-customers that the Processor processes on behalf of the Controller through the Chatcast widgets and associated services.
  • “Data Protection Laws” means the GDPR, the BDSG (Bundesdatenschutzgesetz), the TTDSG, and any other applicable data protection legislation.
  • “Sub-processor” means any third party engaged by the Processor to process Controller Personal Data.

2. Subject matter and duration

2.1. Subject matter. The Processor provides embeddable FAQ widgets, AI shopping assistant widgets, and public MCP endpoints that are deployed on the Controller's Shopify storefront or made accessible to AI agents. In the course of providing these services, the Processor processes Controller Personal Data on the Controller's behalf and according to the Controller's instructions.

2.2. Duration. This DPA takes effect when the Controller first connects a store to the Chatcast platform and remains in force for the duration of the Agreement. It automatically terminates when the Agreement terminates, subject to Section 12 (data deletion obligations).

3. Nature and purpose of processing

The Processor processes Controller Personal Data for the following purposes:

  • Operating FAQ and AI shopping assistant widgets on the Controller's storefront
  • Maintaining conversation history to provide continuity in widget interactions
  • Localizing widget content based on end-customer browser language settings
  • Processing FAQ feedback submitted by end-customers
  • Tracking commission attribution when agentic commerce is enabled
  • Providing analytics and reporting to the Controller through the brand console

The nature of processing includes collection, storage, retrieval, consultation, use, and erasure of Controller Personal Data via automated means.

4. Categories of personal data and data subjects

4.1. Categories of data subjects

  • End-customers visiting the Controller's Shopify storefront
  • End-customers interacting with Chatcast widgets on the Controller's storefront

4.2. Categories of personal data

Category                  | Details
--------------------------|-----------------------------------------------------------------------------------------------
Pseudonymous identifiers  | Randomly generated anonymous tokens (no name, email, or directly identifying information)
Technical data            | Browser user agent string, browser language/locale setting
Browsing context          | Page URL where the widget is displayed, product context (product ID viewed)
Interaction data          | Questions asked in widget conversations, answers provided, FAQ feedback (thumbs up/down, optional text)
Commerce data             | Discount code usage linked to AI agent attribution (when agentic commerce is enabled by the Controller)

4.3. No special categories of personal data (Art. 9 GDPR) or criminal conviction data (Art. 10 GDPR) are intentionally processed. If the Controller becomes aware that such data has been submitted through the widgets, the Controller shall notify the Processor immediately.

5. Controller obligations

The Controller shall:

  • Ensure that a lawful basis exists for the processing of Controller Personal Data, including providing appropriate privacy notices to end-customers on its storefront
  • Issue instructions to the Processor in accordance with Data Protection Laws
  • Promptly notify the Processor of any data subject requests that require the Processor's assistance
  • Ensure that any personal data provided to the Processor has been collected lawfully and that the Controller is entitled to transfer it for processing

6. Processor obligations

6.1. The Processor shall:

  • Process Controller Personal Data only on documented instructions from the Controller (which are deemed given through the Controller's configuration of the Chatcast platform), unless required to do so by EU or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law)
  • Ensure that persons authorized to process Controller Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Not process Controller Personal Data for its own purposes, including marketing, profiling, or selling of data
  • Not make independent decisions about the purposes and means of processing Controller Personal Data that would make it a joint controller under Art. 26 GDPR

6.2. Instructions. The Controller's instructions to the Processor are documented in this DPA, the Agreement, and through the Controller's configuration of the Chatcast platform (e.g., enabling or disabling widgets, configuring MCP settings, setting commission parameters). The Processor shall inform the Controller without delay if, in the Processor's opinion, an instruction infringes Data Protection Laws.

7. Technical and organizational measures

The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include:

7.1. Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
  • Database storage is encrypted at rest
  • API authentication tokens are securely generated and stored

7.2. Access controls

  • Role-based access control for Processor personnel
  • Multi-tenant architecture with logical data separation per Controller store
  • API authentication via bearer tokens and OAuth for Shopify integration
  • Principle of least privilege applied to all system access

7.3. Availability and resilience

  • Hosted on professionally managed cloud infrastructure (Railway, Vercel)
  • Regular automated database backups
  • Monitoring and alerting for service availability

7.4. Incident response

  • Security incidents are handled via security@chatcast.io
  • Incident investigation, containment, and remediation procedures are in place

7.5. The Processor regularly reviews and, where necessary, updates these measures to reflect changes in technology, threat landscape, and regulatory requirements. The Controller acknowledges that the specific measures may evolve over time, provided that the overall level of protection is not materially reduced.

8. Sub-processors

8.1. General authorization. The Controller grants the Processor general written authorization to engage Sub-processors for the processing of Controller Personal Data, subject to the conditions in this Section 8.

8.2. Current Sub-processors. The following Sub-processors are authorized as of the effective date of this DPA:

Sub-processor | Processing activity                                                              | Location     | Transfer safeguard
--------------|----------------------------------------------------------------------------------|--------------|------------------------------------
Railway Corp. | Backend API hosting, database storage, data processing                           | USA          | SCCs
Vercel Inc.   | Widget and console hosting, CDN delivery, edge functions                         | USA          | EU-US DPF / SCCs
Shopify Inc.  | E-commerce platform, webhook delivery, billing, order data                       | Canada / USA | EU adequacy (Canada) / SCCs
Google LLC    | AI processing (Gemini) for policy extraction (only when initiated by Controller) | USA          | EU-US DPF

8.3. Notification of changes. The Processor shall inform the Controller of any intended addition or replacement of Sub-processors at least 14 days in advance by email or notice in the brand console, giving the Controller the opportunity to object to such changes.

8.4. Right to object. If the Controller objects to a new Sub-processor on reasonable data protection grounds within 14 days of notification, the parties shall discuss the Controller's concerns in good faith. If the parties cannot resolve the objection, the Controller may terminate the affected service by providing written notice.

8.5. Sub-processor obligations. The Processor shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

9. Assistance with data subject rights

9.1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 GDPR, taking into account the nature of the processing.

9.2. If the Processor receives a request directly from a data subject, the Processor shall promptly redirect the data subject to the Controller and inform the Controller of the request, unless otherwise instructed by the Controller.

9.3. The Processor provides the following technical capabilities to support data subject requests:

  • Access and portability: the Controller can export relevant data through the brand console or by contacting support@chatcast.io
  • Erasure: Shopify GDPR compliance webhooks (customer data request, customer redaction, shop redaction) trigger automated deletion workflows
  • Restriction: the Controller can disable widgets or specific features through the brand console to cease processing

9.4. The Processor may charge a reasonable fee for assistance that goes beyond what is technically feasible through standard platform functionality, reflecting the actual administrative cost.

10. Personal data breach notification

10.1. The Processor shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting Controller Personal Data.

10.2. The notification shall include, to the extent available:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects
  • The contact point for further information

10.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10.4. The Processor's notification of a breach shall not be construed as an acknowledgment of fault or liability.

11. Audit rights

11.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

11.2. Audits shall be subject to the following conditions:

  • The Controller shall provide at least 30 days' prior written notice of an audit
  • Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations
  • The Controller shall bear the costs of the audit unless the audit reveals a material breach of this DPA by the Processor
  • Audits shall be limited to once per calendar year unless required by a supervisory authority or triggered by a data breach
  • The auditor shall be bound by appropriate confidentiality obligations

11.3. Where the Processor has obtained relevant certifications or audit reports (e.g., SOC 2, ISO 27001) or can provide written answers to an audit questionnaire, the Controller shall accept these as a reasonable alternative to an on-site audit, unless there are specific grounds requiring an on-site inspection.

12. Data deletion and return

12.1. Upon termination of the Agreement, the Processor shall, at the Controller's choice:

  • Return all Controller Personal Data in a structured, commonly used, machine-readable format (upon request within 30 days of termination); or
  • Delete all Controller Personal Data and confirm deletion in writing.

12.2. Deletion shall be completed within 90 days of termination, unless EU or Member State law requires further storage. Where retention is legally required, the Processor shall inform the Controller of the legal basis and restrict processing to the purpose required by law.

12.3. Anonymized and aggregated data from which no individual can be identified is not Controller Personal Data and is not subject to the deletion obligation. Such data may be retained by the Processor in accordance with the Terms of Service.

13. International data transfers

13.1. The Processor shall not transfer Controller Personal Data to a country outside the EU/EEA unless one of the following safeguards is in place:

  • An adequacy decision by the European Commission pursuant to Art. 45 GDPR
  • Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR
  • The recipient is certified under an approved certification mechanism (e.g., EU-US Data Privacy Framework)
  • Another safeguard recognized by Art. 46 or Art. 49 GDPR applies

13.2. The current Sub-processor transfer safeguards are listed in Section 8.2. The Processor conducts transfer impact assessments where required and monitors changes to the legal framework for international data transfers.

14. Data protection impact assessment

The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, in carrying out data protection impact assessments (Art. 35 GDPR) and prior consultations with supervisory authorities (Art. 36 GDPR) where required in relation to the processing of Controller Personal Data.

15. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for violations of Data Protection Laws to the extent such limitation is prohibited by applicable law.

16. General provisions

16.1. Governing law. This DPA is governed by the laws of the Federal Republic of Germany.

16.2. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

16.3. Amendments. The Processor may update this DPA from time to time to reflect changes in Data Protection Laws or processing practices. Material changes will be notified to the Controller at least 30 days in advance.

Contact

For questions regarding this DPA, please contact:

Comet Rocks GmbH
Cuvrystrasse 1
10997 Berlin, Germany
Email: info@chatcast.io

Last updated: February 2025