Data Processing Agreement
This Data Processing Agreement ("DPA") reflects the legal agreement between Platico SAS ("Platico AI", "we", "us") and you ("Customer") with respect to the processing of personal data by us on your behalf in connection with our AI chatbot services.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- Controller: The entity that determines the purposes and means of processing personal data
- Processor: The entity that processes personal data on behalf of the Controller
- Personal Data: Any information relating to an identified or identifiable individual
- Processing: Any operation performed on personal data, including collection, storage, use, or deletion
- Data Subject: The individual to whom personal data relates
- GDPR: The General Data Protection Regulation (EU) 2016/679
- Sub-processor: Any third party engaged by us to assist in processing personal data
2. Roles and Responsibilities
Customer as Data Controller
You act as the Data Controller and are responsible for:
- Ensuring a lawful basis for processing personal data
- Obtaining necessary consents from data subjects
- Providing clear privacy notices to data subjects
- Ensuring accuracy and quality of personal data provided to us
- Responding to data subject requests and complaints
Platico AI as Data Processor
We act as a Data Processor and will:
- Process personal data only on your documented instructions
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Notify you of any personal data breaches without undue delay
- Delete or return personal data upon termination of services
3. Purpose and Nature of Processing
We process personal data for the following purposes:
- Providing AI chatbot training and deployment services
- Processing website content and knowledge base documents
- Facilitating chat interactions between your AI chatbot and end users
- Providing customer support and technical assistance
- Improving and maintaining our service quality
Categories of Personal Data
The types of personal data we may process include:
- Contact information (names, email addresses)
- Chat conversation content
- Website content and uploaded documents
- Technical data (IP addresses, browser information)
- Usage data and analytics
Categories of Data Subjects
Data subjects may include:
- Your customers and website visitors
- Your employees and authorized users
- Individuals mentioned in training content
4. Security Measures
We implement appropriate technical and organizational measures to ensure data security:
Technical Measures
- Encryption of data in transit and at rest
- Access controls and authentication systems
- Regular security monitoring and logging
- Secure infrastructure and hosting environments
- Regular security assessments and penetration testing
Organizational Measures
- Staff training on data protection requirements
- Confidentiality agreements for all personnel
- Incident response procedures
- Regular review and update of security policies
- Vendor management and due diligence processes
5. Sub-processors
We may engage the following categories of sub-processors to assist in providing our services:
- AI Processing: OpenAI for AI model processing and response generation
- Cloud Infrastructure: Google Cloud Platform and Vercel for hosting and storage
- Payment Processing: Stripe for subscription billing and payment processing
- Analytics: Analytics providers for service improvement and monitoring
- Support Services: Customer support and communication tools
We will notify you of any changes to our sub-processors and provide you with the opportunity to object to such changes.
6. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area, including the United States. We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other legally recognized transfer mechanisms
7. Data Subject Rights
We will assist you in fulfilling data subject requests, including:
- Access to personal data
- Rectification of inaccurate data
- Erasure of personal data
- Restriction of processing
- Data portability
- Objection to processing
We will respond to your requests for assistance within a reasonable timeframe, not exceeding 30 days.
8. Personal Data Breaches
In the event of a personal data breach, we will:
- Notify you without undue delay, and in any case within 72 hours of becoming aware
- Provide all relevant information about the breach
- Take immediate measures to contain and remediate the breach
- Assist you in assessing whether notification to supervisory authorities is required
- Cooperate in any investigation or remediation efforts
9. Data Retention and Deletion
We will retain personal data only for as long as necessary to provide our services. Upon termination of our agreement or upon your request, we will:
- Delete all personal data in our possession within 30 days
- Provide confirmation of deletion upon request
- Ensure any backup copies are also deleted within 90 days
Exceptions may apply where we are required to retain data for legal, regulatory, or legitimate business purposes.
10. Audits and Compliance
We will:
- Maintain records of our processing activities
- Cooperate with supervisory authority investigations
- Allow for audits by you or your appointed representatives upon reasonable notice
- Provide evidence of compliance with this DPA upon request
11. Liability and Indemnification
Each party shall be liable for any damage caused by its processing that infringes applicable data protection laws. We will indemnify you against claims arising from our non-compliance with this DPA, subject to the limitations set out in our main service agreement.
12. Contact Information
For any questions or concerns regarding this DPA, please contact us:
- Email: dpa@platico.ai
- Address: Platico SAS, France
Last updated: September 2025