Data Processing Agreement (DPA)
Effective Date: 05/05/2025
Processor: H7O, a nonprofit organization based in Orlando, Florida, USA (“Processor” or “H7O”)
This Data Processing Agreement (“DPA”) is entered into to ensure compliance with data protection laws, including the EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), and other applicable privacy regulations. It governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of H7O’s chatbot services.
1. Roles and Responsibilities
- The Controller determines the purposes and means of processing personal data.
- The Processor processes personal data solely on behalf of, and in accordance with, the documented instructions of the Controller.
2. Scope and Purpose of Processing
Purpose:
To provide, maintain, and improve chatbot communication services offered by H7O to the Controller.
Types of Data Processed:
- Names
- Contact information (e.g., email, phone number)
- Chat content and transcripts
- IP address and device data (if applicable)
Data Subjects:
End users, clients, or customers of the Controller who interact with the chatbot platform.
3. Processor Obligations
The Processor agrees to:
- Process data only as instructed by the Controller
- Ensure confidentiality by binding all employees or agents to appropriate obligations
- Implement appropriate technical and organizational measures to protect personal data
- Assist the Controller in complying with data subject rights and regulatory obligations
- Not retain data longer than necessary (or as specified by the Controller)
4. Security Measures
The Processor will implement industry-standard measures, including but not limited to:
- End-to-end encryption of data in transit
- Access controls and user authentication
- Regular backups and secure hosting environments
- Logging and monitoring of system activity
5. Sub-Processors
The Controller authorizes the Processor to use the following sub-processors:
- OpenAI (natural language processing)
- Amazon Web Services (AWS) or other secure cloud providers (hosting and infrastructure)
- [Insert others if applicable]
The Processor shall enter into data protection agreements with each sub-processor and remain fully liable for their performance.
6. Data Subject Rights
The Processor shall, to the extent possible and without undue delay:
- Assist the Controller in responding to requests from data subjects (e.g., access, deletion, correction, portability)
- Forward any such requests directly to the Controller
7. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay after becoming aware of the breach
- Provide all relevant details, including the nature of the breach, the affected data, and mitigation steps
- Cooperate with the Controller in notifying regulatory authorities or affected individuals if required
8. Audit and Compliance
Upon reasonable notice, the Controller may audit the Processor’s data processing practices. The Processor will provide relevant documentation or access as necessary to demonstrate compliance.
9. Return or Deletion of Data
Upon termination of the agreement or at the Controller’s written request, the Processor shall delete or return all personal data, unless retention is required by law.
10. Governing Law and Jurisdiction
This Agreement is governed by the laws of the State of Florida, United States, unless otherwise required by applicable data protection law.