DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") is entered into by and between AnsChat ("Processor") and the Customer ("Controller") and is incorporated into the AnsChat Terms of Service.

1. DEFINITIONS

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means the entity that processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and AnsChat is the Processor.

2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations.

2.3. Processor’s Processing of Personal Data. AnsChat shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions.

3. DATA SUBJECT REQUESTS

AnsChat shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise Data Subject rights under GDPR. AnsChat shall not respond to any such Data Subject Request without Customer’s prior written consent except to confirm that the request relates to the Customer.

4. SUBPROCESSORS

Customer acknowledges and agrees that AnsChat may engage third-party Subprocessors in connection with the provision of the Services. AnsChat has entered into specific written agreements with each Subprocessor containing data protection obligations not less protective than those in this Agreement.

Current Subprocessors include: Vercel, Render/Supabase, Groq, Google (Gemini), Cloudflare, Stripe.

5. SECURITY

AnsChat shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. Measures include:

- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Regular vulnerability scanning and penetration testing.
- Access controls and strict privilege management.

6. PERSONAL DATA BREACH

AnsChat shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. AnsChat shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps as AnsChat deems necessary and reasonable in order to remediate the cause and to prevent the recurrence of such Personal Data Breach.

7. DELETION OR RETURN OF CUSTOMER DATA

AnsChat shall return Customer Data to Customer and/or delete Customer Data in accordance with the procedures and timeframes specified in the Agreement (typically upon account termination or specific deletion request).

8. INTERNATIONAL TRANSFERS

AnsChat ensures that any international data transfers comply with GDPR, utilizing Standard Contractual Clauses (SCCs) or adhering to the Data Privacy Framework where applicable.

ACCEPTED AND AGREED:

For Processor (AnsChat):
Name: ______________________
Title: _______________________
Date: _______________________

For Controller (Customer):
Name: ______________________
Title: _______________________
Date: _______________________