Data Processing Addendum

Last updated: April 2026

Version: 2026-05-robots-policy

This Data Processing Addendum ("DPA") forms part of and supplements the Chat4U Terms of Service or other written agreement between Chat4U and Customer (the "Agreement"). This DPA applies when Chat4U processes Customer Personal Data as processor or sub-processor on behalf of Customer.


1. Definitions

"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Authorized Sub-processor" means a third party engaged by Chat4U to process Customer Personal Data to provide, secure, support, or maintain the Services.

"Customer Personal Data" means Personal Data processed by Chat4U on behalf of Customer under the Agreement. It may include visitor chat data, scraped or uploaded content, project knowledge-base content, Pro Agent page data, and related metadata.

"Data Protection Laws" means all privacy, data protection, and electronic communications laws applicable to the processing, including where applicable GDPR, UK GDPR, Swiss FADP, Israel privacy laws, LGPD, PIPEDA, CCPA/CPRA, US state privacy laws, and similar laws.

"GDPR" means Regulation (EU) 2016/679 and, where applicable, UK GDPR.

"Personal Data", "process", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in applicable Data Protection Laws.

"Services" means the Chat4U platform, dashboard, APIs, embedded widget, hosted demos, scraping/indexing pipeline, RAG retrieval, Pro Agent features, support, and related services.

"Standard Contractual Clauses" or "SCCs" means the European Commission standard contractual clauses adopted under Commission Implementing Decision (EU) 2021/914, as supplemented by the UK Addendum where applicable.


2. Roles of the Parties

Customer is controller for Customer Personal Data unless Customer acts as processor for another controller. Chat4U is processor for Customer Personal Data. If Customer is processor, Chat4U is sub-processor.

Chat4U is controller for Company Account Data, Company Usage Data, billing records, legal acceptance records, scrape audit logs, privacy request logs, security logs, abuse records, support records, and other data processed for Chat4U's own legal, operational, security, or business purposes.

Customer is responsible for determining whether the Services are appropriate for Customer's use case and for ensuring Customer's instructions comply with Data Protection Laws. Customer is responsible for the legality, accuracy, quality, and authorization of Customer Personal Data and for all required notices, consents, lawful bases, and data subject communications.


3. Processing Instructions

Customer instructs Chat4U to process Customer Personal Data:

  • to provide, operate, secure, maintain, support, and troubleshoot the Services;
  • as initiated by Customer's configuration, dashboard actions, APIs, prompts, agents, data sources, demos, and Pro Agent tools;
  • to process URL scraping, file upload, text ingestion, transformation, taxonomy classification, embedding, indexing, retrieval, response generation, analytics, and related operations;
  • to comply with the Agreement, this DPA, Customer's documented instructions, and applicable law.

Chat4U will not process Customer Personal Data for purposes materially inconsistent with this DPA unless required by law. If legally required to process Customer Personal Data contrary to Customer's instructions, Chat4U will inform Customer before processing unless legally prohibited.


4. Details of Processing

4.1 Subject Matter

The subject matter is Chat4U's provision of AI chat, RAG, scraping/indexing, dashboard, widget, demo, Pro Agent, support, and related services.

4.2 Duration

Processing continues for the term of the Agreement and for any additional period required for deletion, backup retention, legal obligations, security, audit, or dispute resolution.

4.3 Nature and Purpose

Processing includes collection, receipt, hosting, storage, extraction, crawling, copying, parsing, transforming, classifying, chunking, embedding, indexing, retrieval, generation, transmission, display, deletion, logging, support, and security monitoring.

4.4 Categories of Data Subjects

Categories may include Customer users, workspace members, administrators, website visitors, demo visitors, end users, support contacts, prospects, and individuals whose information appears in Customer-submitted or Customer-authorized content.

4.5 Categories of Personal Data

Categories may include names, emails, IP addresses, browser/device data, messages, conversation history, page URLs, referrers, website content, uploaded files, form-like page content, prompts, tool parameters, tool results, identifiers, account metadata, and operational metadata.

4.6 Sensitive Data

Customer must not submit special category data, PHI, children's data, payment card data, financial account data, government identifiers, legal advice data, employment/housing/credit/education decision data, or similarly sensitive data unless Customer has all required legal basis, disclosures, consents, contracts, security controls, and professional review. Chat4U does not provide HIPAA BAA, PCI certification, COPPA tooling, or regulated-advice compliance by default.


5. Customer Obligations

Customer will:

  • comply with Data Protection Laws;
  • provide lawful, documented instructions;
  • ensure it has all required rights, permissions, notices, consents, and lawful bases;
  • ensure Customer Personal Data is appropriate for the Services;
  • respond to data subject and consumer requests where Customer is controller;
  • configure retention, deletion, exports, widget disclosures, agent behavior, Pro Agent tools, allowed domains, and data sources appropriately;
  • not instruct Chat4U to process unauthorized scraped content or content that violates third-party rights or site terms.

Customer acknowledges that launch DSAR support is manual but audited and may require Customer cooperation.


6. Chat4U Obligations

Chat4U will:

  • process Customer Personal Data only according to Customer's instructions and this DPA;
  • ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
  • maintain appropriate technical and organizational measures;
  • assist Customer with data subject requests, DPIAs, security incidents, and regulatory inquiries as reasonably required and taking into account the nature of processing;
  • notify Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay;
  • maintain sub-processor obligations consistent with this DPA;
  • make available information reasonably necessary to demonstrate compliance with this DPA.

7. Sub-processors

Customer authorizes Chat4U to engage Authorized Sub-processors to provide the Services. Chat4U will maintain a public Sub-processor List identifying current providers and their processing purposes. Chat4U will impose written data protection obligations on Authorized Sub-processors that are substantially protective of Customer Personal Data.

Chat4U may add or replace sub-processors. Where required by Data Protection Laws or an applicable enterprise agreement, Customer may object on reasonable data protection grounds. If Chat4U cannot provide a commercially reasonable alternative, Customer may stop using the affected Service.


8. International Transfers

Where Customer Personal Data is transferred internationally and Data Protection Laws require transfer safeguards, the parties will rely on appropriate mechanisms, including adequacy decisions, SCCs, the UK Addendum, and supplementary measures as appropriate.

For transfers from the EEA, Switzerland, or UK to Chat4U in a country without an adequacy decision, the SCCs are incorporated as follows:

  • Module Two applies where Customer is controller and Chat4U is processor;
  • Module Three applies where Customer is processor and Chat4U is sub-processor;
  • Clause 7 docking clause applies;
  • optional Clause 11 redress language does not apply unless separately agreed;
  • audits under Clause 8.9 are satisfied by the audit provisions of this DPA unless Data Protection Laws require otherwise;
  • governing law and forum are selected according to the SCCs and applicable transfer regime.

For UK transfers, the UK Addendum is incorporated and modifies the SCCs as required by UK law.


9. Security Measures

Chat4U will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures are described in the Security Measures page and may include:

  • access control and authentication;
  • least-privilege administrative access;
  • encrypted transport;
  • secure cloud hosting controls;
  • backup and recovery practices;
  • logging, monitoring, and alerting;
  • change management;
  • vulnerability and dependency management;
  • incident response;
  • vendor and sub-processor management;
  • tenant isolation through application and authorization controls;
  • selected browser-side safeguards for Pro Agent data.

Security measures may evolve over time, provided they do not materially reduce the overall level of protection.


10. Personal Data Breach

Chat4U will notify Customer without undue delay after confirming a Personal Data Breach affecting Customer Personal Data. Notice will include available information reasonably required for Customer to meet legal obligations, such as the nature of the breach, categories of data affected, likely consequences, mitigation measures, and contact point.

Customer is responsible for determining whether notification to regulators or data subjects is required, unless Chat4U is independently required to notify.


11. Data Subject Requests

If Chat4U receives a request from a data subject concerning Customer Personal Data, Chat4U will, where appropriate, direct the requester to Customer or notify Customer unless legally prohibited. Chat4U will provide reasonable assistance to Customer for access, deletion, correction, export, restriction, objection, and similar requests.

At launch, Chat4U tracks privacy requests manually through audited internal records. Customer acknowledges that fulfillment may require identity verification, Customer authorization, operational exports, deletion runbooks, backup-delay disclosures, and legal exception review.


12. Deletion and Return

Upon termination or Customer's written request, Chat4U will delete or return Customer Personal Data in accordance with the Agreement, product functionality, reasonable operational procedures, backup retention, legal obligations, and security requirements.

Legal acceptance records, scrape audit logs, privacy request records, billing records, security records, abuse records, and other compliance evidence may be retained as controller records where reasonably necessary.


13. Audits and Information

Chat4U will make available information reasonably necessary to demonstrate compliance with this DPA, which may include documentation, policies, summaries of security measures, sub-processor information, and written responses. Customer may request an audit no more than once annually unless required by a regulator or following a confirmed breach affecting Customer Personal Data. Audits must be reasonable in scope, protect other customers and system security, and be subject to confidentiality.


14. CCPA/CPRA and US State Privacy Terms

To the extent CCPA/CPRA or similar US state laws apply to Customer Personal Data, Chat4U acts as a service provider or processor. Chat4U will not sell Customer Personal Data or share it for cross-context behavioral advertising. Chat4U will not retain, use, or disclose Customer Personal Data except to provide, maintain, and troubleshoot the Services; comply with law; detect security incidents; prevent fraud or abuse; use aggregated, de-identified, or operational data to improve the Service where permitted; or as otherwise permitted for service providers/processors under applicable law.

Customer is responsible for consumer notices and for determining whether Customer's use of the Service constitutes a sale, sharing, targeted advertising, profiling, or other regulated processing.


15. Regulated Data and High-Risk Processing

Customer must not use the Services for regulated or sensitive data unless Customer has completed required self-declarations, accepted applicable addenda, and implemented all legally required controls. Chat4U may refuse, suspend, or restrict regulated processing where it creates unacceptable risk or requires agreements not in place.


16. Order of Precedence

If there is a conflict, the following order applies for Customer Personal Data: SCCs or UK Addendum where applicable; this DPA; the Agreement; product documentation. Nothing in this DPA limits data subject rights under applicable SCCs.


Exhibit A — Processing Description

Item | Description
Subject matter | AI chat, RAG, scraping/indexing, widget, demo, Pro Agent, dashboard, support, and related services
Duration | Term of Agreement plus deletion, backup, legal, security, and audit periods
Nature of processing | Hosting, storage, extraction, crawling, transformation, classification, embedding, indexing, retrieval, generation, transmission, logging, deletion, support
Purposes | Provide, secure, support, maintain, and troubleshoot Services; comply with law and instructions; improve Services only using aggregated, de-identified, or operational data where permitted
Data subjects | Customer users, website visitors, demo visitors, end users, support contacts, individuals in Customer content
Data categories | Contact data, identifiers, messages, website content, files, prompts, metadata, browser/device data, tool data, operational logs
Sensitive data | Not intended unless Customer has required controls and written arrangements

Exhibit B — Sub-processors and Transfers

The current Sub-processor List is published at /subprocessors and incorporated by reference. Customer should review the list for provider names, purposes, data categories, and transfer notes.


Exhibit C — Technical and Organizational Measures

Chat4U maintains a security program designed for a cloud-based SaaS AI platform. Measures include identity and access controls, role-based authorization, encrypted transport, environment separation, backup and recovery practices, logging and monitoring, change management, incident response, vendor review, confidentiality obligations, and operational privacy processes. The public Security Measures page provides a customer-facing summary without exposing sensitive infrastructure details.


Exhibit D — UK Addendum

Where UK GDPR applies to restricted transfers, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office is incorporated by reference and applies to the SCCs as described in Section 8.