Data Processing Addendum
Last updated: July 2026
This Data Processing Addendum ("DPA") forms part of the Chat4U Agreement between Pirsum-Mi Ltd, operating as Chat4U ("Chat4U"), and the customer entity accepting the Agreement or otherwise using the Service through an accepted Workspace ("Customer").
This DPA applies only to the extent Chat4U processes Customer Personal Data as processor or sub-processor on behalf of Customer.
1. Definitions
For purposes of this DPA:
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership or control of more than fifty percent (50%) of voting interests or equivalent authority.
"Agreement" means the Chat4U Terms of Service and any incorporated documents and applicable Orders.
"Authorized Subprocessor" means a third party authorized under this DPA to process Customer Personal Data on Chat4U's behalf in connection with the Service.
"Company Account Data" means information Chat4U processes as controller about the customer relationship, including Workspace registration details, administrator identities, billing contacts, plan and purchase records, payment status, support communications, and legal acceptance evidence.
"Company Usage Data" means information Chat4U processes as controller for service operation, security, analytics, abuse prevention, product improvement, and business operations, including logs, telemetry, diagnostics, feature usage statistics, event metadata, support metrics, and aggregated or de-identified operational data.
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processed", and "Supervisory Authority" have the meanings given by applicable Data Protection Laws.
"Customer Data" means Customer Personal Data processed by Chat4U as processor or sub-processor on Customer's behalf under the Agreement and this DPA.
"Customer Personal Data" means Personal Data contained in User Submissions or otherwise processed by Chat4U for Customer's business purposes through the Service, such as visitor chats, uploaded files, scraped content, knowledge-base content, account-linked project content, or related metadata, but excluding Company Account Data and Company Usage Data.
"Data Protection Laws" means privacy, security, and data protection laws applicable to the Processing of Customer Personal Data under the Agreement, which may include, where applicable, GDPR, UK GDPR, the Israeli Privacy Protection Law, Swiss privacy law, U.S. state privacy laws, and similar laws.
"DPA Effective Date" means the date Customer first uses the Service after the Agreement for the relevant Workspace is accepted, or another date expressly stated in a signed Order.
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679.
"Order" means an order form, subscription purchase, plan purchase, add-on purchase, invoice-backed subscription, purchase order accepted by Chat4U, or other commercial ordering document or checkout flow that identifies the Service, pricing, or commercial terms applicable to Customer.
"Restricted Transfer" means a transfer of Customer Personal Data for which Data Protection Laws require specific transfer safeguards.
"Service" means the Chat4U platform and related services described in the Agreement.
"Standard Contractual Clauses" or "SCCs" means the European Commission standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914.
"UK Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.
"Workspace" means the Customer's Clerk organization workspace used to administer access to Chat4U.
2. Scope and Order of Precedence
This DPA governs Chat4U's Processing of Customer Personal Data as processor or sub-processor for Customer.
If there is a conflict between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA controls to the extent of that conflict.
If Customer and Chat4U separately execute SCCs, a UK Addendum, or another transfer mechanism for a specific Restricted Transfer, that transfer mechanism controls over this DPA to the extent required for that transfer.
3. Roles of the Parties
3.1 Processor Relationship
As between the parties, Customer is generally the Controller of Customer Personal Data, and Chat4U is generally the Processor.
If Customer acts as a Processor for another Controller, Chat4U will act as Customer's sub-processor.
3.2 Chat4U Controller Data
Chat4U acts as Controller, not Processor, for:
- Company Account Data;
- Company Usage Data;
- billing and payment records;
- support communications maintained for Chat4U's own business operations;
- legal acceptance records;
- security logs and abuse-prevention records; and
- similar records Chat4U maintains for its own legal, operational, security, or business purposes.
3.3 Customer Responsibility
Customer is responsible for:
- determining whether the Service is appropriate for Customer's use case;
- complying with Data Protection Laws applicable to Customer's use of the Service;
- ensuring Customer has lawful instructions and lawful bases for Processing;
- providing required notices and obtaining required consents where needed; and
- deciding what Customer Personal Data to submit or cause to be Processed.
4. Customer Instructions
Chat4U will Process Customer Personal Data only:
- to provide, maintain, secure, support, and troubleshoot the Service;
- as necessary to perform the Agreement and applicable Orders;
- in accordance with Customer's documented instructions as reflected in Customer's use and configuration of the Service;
- as necessary to prevent fraud, abuse, or security incidents affecting the Service;
- as required by applicable law; and
- as otherwise permitted by this DPA.
Customer instructs Chat4U to Process Customer Personal Data for the following categories of activities, as applicable to the features Customer chooses to use:
- hosting, storage, and transmission;
- user and Workspace administration;
- URL scraping initiated by Customer;
- ingestion of uploaded files and text;
- transformation, chunking, classification, and indexing;
- retrieval, generation, and related AI processing;
- analytics and usage reporting for Customer-facing features;
- support and troubleshooting; and
- security monitoring and incident response.
If Chat4U is required by law to Process Customer Personal Data in a way that is inconsistent with Customer's instructions, Chat4U will inform Customer before Processing, unless legally prohibited from doing so.
Customer must not instruct Chat4U to Process Customer Personal Data in a way that violates law or third-party rights.
5. Customer Obligations
Customer will:
- comply with Data Protection Laws applicable to its use of the Service;
- provide only lawful, documented instructions;
- ensure that Customer has all rights and permissions necessary for Chat4U to Process Customer Personal Data under the Agreement;
- ensure that Customer's use of scraping, uploads, retrieval, chat, and Pro Agent features is lawful and authorized;
- provide all required notices and obtain all required permissions or consents;
- respond to Data Subject requests where Customer is Controller;
- avoid submitting Customer Personal Data that is not appropriate for the Service; and
- contact support for Customer deletion or export requests that are not available through then-current product functionality.
Customer acknowledges that some deletion, export, and privacy request support may be manual and support-assisted rather than self-service.
Customer must not assume the Service includes self-service controls for retention, deletion, or export beyond what Chat4U expressly makes available at the relevant time.
6. Details of Processing
6.1 Subject Matter
The subject matter of Processing is the provision of the Service.
6.2 Duration
Chat4U will Process Customer Personal Data for the duration of the Agreement and for any additional period reasonably necessary for deletion workflows, backups, legal obligations, security requirements, dispute resolution, or other permitted retention under the Agreement and this DPA.
6.3 Nature of Processing
Processing may include:
- collection;
- receipt;
- recording;
- organization;
- storage;
- hosting;
- structuring;
- adaptation;
- retrieval;
- consultation;
- scraping when directed by Customer;
- analysis;
- classification;
- indexing;
- generation;
- disclosure by transmission;
- alignment;
- restriction;
- deletion; and
- destruction.
6.4 Purpose of Processing
The purposes of Processing are to provide, operate, secure, maintain, support, and improve the Service in accordance with the Agreement and Customer's documented instructions.
6.5 Categories of Data Subjects
Depending on Customer's use of the Service, Data Subjects may include:
- Workspace users;
- Customer personnel;
- Customer administrators;
- Customer support or sales contacts;
- website visitors;
- demo visitors;
- end users interacting with Customer's agents;
- individuals whose information appears in Customer-authorized content; and
- persons referenced in Customer's uploaded or scraped materials.
6.6 Categories of Personal Data
Depending on Customer's use of the Service, Customer Personal Data may include:
- names;
- contact details;
- account-linked identifiers;
- chat messages and conversation content;
- website content and page text;
- uploaded file contents;
- scraped content;
- prompts and instructions;
- page URLs and metadata;
- browser and device metadata associated with end-user interactions;
- tool inputs and results for permitted features;
- project or datasource identifiers linked to people; and
- other Personal Data Customer chooses to submit.
6.7 Sensitive Data
Unless a separately signed Enterprise agreement expressly covers the exact use, Customer must not submit Customer Personal Data that requires special contractual, regulatory, or operational controls not in place, including PHI, payment-card data, authentication secrets, or similar highly sensitive data.
PHI is prohibited unless Chat4U actually offers and signs a separate written BAA covering the exact use. This DPA does not state that Chat4U currently offers a BAA.
7. Authorized Personnel and Confidentiality
Chat4U will ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations.
Access to Customer Personal Data will be limited to personnel who need that access to provide, secure, support, or maintain the Service.
8. International Transfers
8.1 General Position
Customer acknowledges that Chat4U is an Israeli company and that Customer Personal Data may be Processed in Israel or in other jurisdictions where Chat4U or its Authorized Subprocessors operate.
Customer is responsible for determining whether Customer's use of the Service involves a Restricted Transfer and whether an applicable transfer mechanism is required.
8.2 No Automatic Completion of SCCs or UK Addendum
This DPA does not itself complete or execute all legally required details for SCCs or the UK Addendum.
In particular, this DPA does not claim that the parties have already completed, activated, or incorporated all mandatory party-specific details that may be required for an applicable Restricted Transfer, including where relevant:
- party details and signatures;
- exporter and importer roles for the specific transfer;
- governing law and forum selections required for the relevant module;
- competent supervisory authority details where required;
- Annex I details;
- Annex II details;
- Annex III details;
- UK Addendum Part 1 tables; or
- other legally required transfer-specific information.
8.3 Separate Transfer Mechanism if Required
If Customer determines that a Restricted Transfer requires SCCs, the UK Addendum, or another specific transfer mechanism, the parties may separately execute or activate that mechanism with the legally required details for the relevant transfer.
Any such mechanism should be reviewed with appropriate counsel and completed using accurate company, role, and processing details for the specific transfer context.
8.4 Controller and Processor Allocation Preserved
Nothing in this Section changes the role allocation otherwise stated in this DPA:
- where Customer is Controller and Chat4U is Processor, the relevant controller-to-processor mechanism would need to match that role allocation; and
- where Customer is Processor and Chat4U is sub-processor, the relevant processor-to-processor or processor-to-subprocessor mechanism would need to match that role allocation.
8.5 No Representation of Adequacy or Coverage
Except where Chat4U expressly confirms a specific legally operative mechanism in writing for the relevant transfer, Chat4U does not represent in this DPA that:
- a specific transfer mechanism has already been fully executed for Customer;
- a specific Annex or UK table has already been completed for Customer; or
- Customer may lawfully make a Restricted Transfer without completing any required additional steps.
9. Security Measures
Chat4U will implement and maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Processing, the state of the art, implementation costs, and the risks presented.
These measures may include, as appropriate:
- access controls and role-based access management;
- authentication controls;
- encrypted transmission;
- secure cloud infrastructure practices;
- logging and monitoring;
- backup and recovery procedures;
- change management practices;
- incident response procedures;
- vendor and subprocessor review practices; and
- environment and operational controls appropriate to a SaaS AI platform.
Security measures may evolve over time, provided that Chat4U does not materially reduce the overall level of protection for Customer Personal Data.
10. Scraping, Retrieval, and Product-Specific Processing Notes
Customer acknowledges and agrees that:
- Chat4U performs URL scraping based on Customer's authority attestation;
- at launch, Chat4U does not technically enforce
robots.txt; - at launch, domain verification is not technically required by default;
- retrieval and generation features may transform and re-present Customer-submitted content; and
- Chat4U may maintain reasonable audit records regarding datasource and scraping actions.
These product characteristics do not reduce Customer's responsibility to ensure that Customer has a lawful basis and proper authorization for the relevant Processing.
11. Subprocessors
11.1 General Authorization
Customer authorizes Chat4U to engage Authorized Subprocessors in connection with the Service.
11.2 Subprocessor Obligations
Chat4U will impose contractual obligations on Authorized Subprocessors that are no less protective of Customer Personal Data than the obligations applicable to Chat4U under this DPA, to the extent applicable to the services performed by that Authorized Subprocessor.
11.3 Current List and Changes
Chat4U may maintain a current subprocessor list through its published subprocessor page or other customer-facing disclosure.
Chat4U may add, remove, or replace subprocessors over time.
Where Customer has a specific legal requirement to raise a reasonable objection to a new subprocessor and the parties have agreed to an objection process in writing, the parties will discuss the objection in good faith. If Chat4U cannot reasonably address the objection, Customer's remedy is to stop using the affected feature or terminate the affected portion of the Service, subject to the applicable Order.
12. Assistance
Taking into account the nature of the Processing and the information available to Chat4U, Chat4U will provide reasonable assistance to Customer, upon request, with:
- Data Subject requests;
- data protection impact assessments;
- consultation with regulators where applicable;
- Personal Data Breach response information; and
- reasonable compliance information about Chat4U's Processing.
Customer acknowledges that such assistance may be provided through documentation, support processes, standardized responses, or manual operational procedures.
13. Data Subject Requests
If Chat4U receives a request from a Data Subject relating to Customer Personal Data and Chat4U can reasonably determine that the request relates to Customer acting as Controller, Chat4U may:
- direct the requester to Customer;
- notify Customer; or
- take another reasonable step consistent with law and operational practicality.
Customer remains responsible for responding to Data Subject requests where Customer is Controller.
Where Customer needs deletion or export assistance, Customer should contact support if self-service functionality is not available.
14. Personal Data Breach
If Chat4U confirms a Personal Data Breach affecting Customer Personal Data, Chat4U will notify Customer without undue delay.
Such notice may include, to the extent reasonably available:
- the nature of the incident;
- the categories of data affected;
- the likely consequences;
- remediation or mitigation steps taken or proposed; and
- information reasonably necessary for Customer to meet its own legal obligations.
Customer is responsible for determining whether notice to regulators, individuals, or others is legally required for Customer.
15. Deletion and Return
Upon termination or expiration of the Service, or upon Customer's written request where applicable, Chat4U will delete or return Customer Personal Data in accordance with the Agreement, this DPA, applicable law, then-current product functionality, and reasonable operational procedures.
Customer acknowledges that:
- some deletion or export support may be manual;
- backups and logs may be retained for limited periods consistent with security and operational practices;
- certain records may be retained where Chat4U acts as Controller; and
- immediate deletion from all systems may not always be technically possible.
Records Chat4U maintains as Controller, including Company Account Data, Company Usage Data, legal acceptance records, security logs, support records, billing records, and abuse-prevention records, are not subject to deletion under this Section as Customer Data.
16. Audits and Information Requests
Chat4U will make available information reasonably necessary to demonstrate compliance with this DPA, which may include summaries, documentation, written responses, or policy materials.
If Customer reasonably requires additional information for compliance purposes, Customer may submit a written request. The parties will work in good faith to scope a reasonable response that:
- protects other customers;
- protects system security;
- avoids unnecessary operational burden; and
- respects confidentiality and legal restrictions.
Unless otherwise required by law or a signed Order, any audit or inspection right must be exercised in a reasonable, non-disruptive manner and may be satisfied through documentation, questionnaires, certifications actually maintained by Chat4U if any, or other appropriate alternatives.
Nothing in this DPA obligates Chat4U to disclose information that would create a security risk, violate another party's rights, or breach confidentiality obligations.
17. U.S. State Privacy Terms
To the extent applicable U.S. state privacy law applies to Customer Personal Data and treats Chat4U as a processor or service provider, Chat4U will Process Customer Personal Data only for the limited and specified purposes described in the Agreement and this DPA, except as otherwise permitted by applicable law.
Chat4U will not:
- sell Customer Personal Data; or
- share Customer Personal Data for cross-context behavioral advertising,
in each case where those terms apply under applicable law, except as expressly instructed by Customer or otherwise permitted by law.
Customer remains responsible for determining whether Customer's own use of the Service constitutes targeted advertising, profiling, sale, or similar regulated conduct.
18. High-Risk Use and Sensitive Contexts
For purposes of this DPA, "High-Risk Use" means providing professional medical, legal, or financial advice, or making or materially informing decisions about employment, housing, credit, insurance, education access, benefits eligibility, essential services, biometric identification or verification, safety-critical matters, government functions, defense activities, or similar high-impact outcomes.
High-Risk Use is prohibited unless a separately signed Enterprise agreement expressly authorizes the exact use.
Ordinary FAQ, support, and navigation assistance are permitted only when they do not provide such advice and do not make or materially inform such decisions.
Customer must not assume that privacy compliance measures, customer-side oversight, or a general commercial contract authorize High-Risk Use.
Any possible exception is not self-service, is not guaranteed to be available, and is not created by requesting review. Customer may contact support@chat4u.ai to ask whether an Enterprise exception program is available for a specific proposed use, but the request itself does not authorize use and does not guarantee review or approval.
19. Pro Agent Sensitive Secret Prohibition
Customer must not use Pro Agent to collect, request, store, process, reveal, submit, or exfiltrate:
- passwords;
- passcodes;
- one-time authentication codes;
- multi-factor authentication secrets;
- payment-card numbers;
- card verification values;
- bank credentials; or
- similarly sensitive secrets.
This prohibition is absolute and applies regardless of customer workflow, consent, or configuration.
20. Liability and Claims
The liability limitations, exclusions, and related claim terms in the Agreement apply to this DPA to the maximum extent permitted by law, unless a signed Order expressly states otherwise.
21. Governing Law
Except to the extent a separately executed transfer mechanism requires otherwise for a specific Restricted Transfer, this DPA is governed by the governing law and venue provisions of the Agreement.
22. Exhibit A - Processing Description
A. Subject Matter
Provision of the Service, including chat, retrieval, indexing, scraping directed by Customer, Workspace administration, analytics, support, and related features.
B. Duration
For the duration of the Agreement and any additional period reasonably necessary for deletion workflows, backups, legal obligations, dispute resolution, security, or operational retention.
C. Nature and Purpose
To host, store, organize, transform, index, retrieve, generate, transmit, secure, support, and otherwise Process Customer Personal Data as necessary to provide the Service under Customer's instructions.
D. Categories of Data Subjects
- Workspace users
- Customer personnel
- Customer support or billing contacts
- website visitors
- demo visitors
- end users interacting with Customer's agents
- individuals appearing in Customer-submitted content
E. Categories of Personal Data
- identity and contact data
- message and chat content
- website and datasource content
- uploaded file content
- prompts and instructions
- event metadata
- browser or device metadata
- page and tool interaction data
- account-linked identifiers
- support-related information
F. Sensitive Data
Not intended for submission unless expressly covered by a separately signed Enterprise agreement for the exact use.
23. Exhibit B - Subprocessors and Operational Providers
Chat4U may maintain a current subprocessor disclosure page or equivalent customer-facing disclosure identifying categories of Authorized Subprocessors and, where appropriate, named providers or service purposes.
Customer should review that current disclosure for up-to-date provider information.
24. Exhibit C - Technical and Organizational Measures Summary
Chat4U's security measures may include, as appropriate:
- access management;
- least-privilege principles;
- authentication controls;
- encrypted transport;
- environment separation practices;
- monitoring and logging;
- incident response;
- vendor management;
- backup and recovery procedures; and
- operational review processes appropriate to a cloud-based SaaS AI platform.
This Exhibit is a high-level summary and does not obligate Chat4U to disclose sensitive security details beyond what is reasonable and appropriate.
English is the controlling language of this document. Version: 2026-07-workspace-agreement-v1. Immutable URL: /legal/dpa/2026-07-workspace-agreement-v1. SHA-256: 9816abeb14846abafdee857d19edf58c1ab61e6fb4ec882a7cbcbbe6ab137bdb.