Data Processing Addendum (DPA)
Effective Date: September 20th, 2025
Between: Bot On Site, Inc. ("Processor", "Service Provider", "we", "us") and the customer identified in the Order or online account ("Customer", "Controller" or "Business").
This DPA forms part of the Master Subscription Agreement, Terms of Service, or other agreement governing Customer's use of Bot On Site services (the "Agreement"). If there is a conflict between this DPA and the Agreement regarding Personal Data, this DPA controls.
1) Definitions
Applicable Data Protection Laws:
all laws governing privacy and data protection that apply to the Processing of Personal Data under the Agreement, including GDPR, UK GDPR, and CPRA/CCPA.
Personal Data/Personal Information:
any information relating to an identified or identifiable natural person processed under the Agreement.
Customer Personal Data:
Personal Data that Customer (or its end users) provides to or makes available in the Services (e.g., lead details and chat transcripts).
Processing, Controller/Processor, Business/Service Provider, Sub-processor, Data Subject, Supervisory Authority:
as defined in Applicable Data Protection Laws.
Services:
Bot On Site's AI receptionist product and related features (e.g., widget, dashboard, APIs, ROI calculator).
Special Categories:
as defined in GDPR Art. 9 (e.g., health, biometric, etc.).
Security Incident:
a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data processed by Processor.
2) Scope; Roles; Instructions
2.1 Roles.
For Customer Personal Data, Customer is Controller/Business and Bot On Site is Processor/Service Provider.
2.2 Purpose & Nature.
Processor will Process Customer Personal Data solely to provide the Services (answer FAQs, capture leads, route transcripts, provide analytics/support), as detailed in Annex I.
2.3 Customer Instructions.
Processor will Process Customer Personal Data only on documented instructions from Customer contained in this DPA, the Agreement, and Customer's in-product configuration. Customer is responsible for the lawfulness of instructions.
2.4 Restrictions (CPRA).
Processor will not: (a) sell or share Customer Personal Information; (b) retain, use, or disclose it for any purpose other than providing the Services; (c) combine it with other data except as permitted for a Business Purpose (e.g., security, fraud prevention, service improvement in de-identified or aggregated form).
3) Customer Responsibilities
3.1 Lawful Basis & Notice.
Customer is responsible for providing required notices, obtaining any consents, and establishing a lawful basis for Processing.
3.2 Data Quality & Minimization.
Customer controls what is collected via the widget and should avoid unnecessary data.
3.3 Prohibited Data.
Do not submit Special Categories, children's data, or government IDs unless explicitly enabled and agreed. PHI is prohibited unless a separate HIPAA BAA is executed.
4) Confidentiality & Personnel
Processor ensures personnel are bound by confidentiality obligations and receive appropriate privacy/security training. Access follows least-privilege and need-to-know principles.
5) Security
Processor implements and maintains appropriate Technical and Organizational Measures (TOMs) described in Annex II (e.g., encryption in transit/at rest, access controls, monitoring, backups, incident response).
6) Sub-processors
6.1 Authorization.
Customer authorizes Processor to engage Sub-processors to provide the Services. Processor will impose data protections no less protective than this DPA.
6.2 List & Notice.
Current Sub-processors are listed at https://botonsite.com/legal/subprocessors. Processor will provide 30 days' notice of new Sub-processors. Customer may object within 30 days if the new Sub-processor creates material risk.
7) Data Subject Rights
Processor will assist Customer in responding to Data Subject requests by providing available tools and data access. Customer is responsible for responding to Data Subjects within required timeframes.
8) Data Protection Impact Assessments
Processor will reasonably assist Customer with Data Protection Impact Assessments and consultations with Supervisory Authorities when required by law.
9) Security Incidents
Processor will notify Customer without undue delay (and within 72 hours where feasible) of any Security Incident and provide reasonable assistance with breach notifications and remediation.
10) International Transfers
Where Personal Data is transferred outside the EEA/UK, Processor will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).
11) Data Return & Deletion
Upon termination, Processor will delete or return Customer Personal Data as instructed, except where retention is required by law. Deletion will occur within 90 days unless otherwise agreed.
12) Audits
Processor will make available information necessary to demonstrate compliance and allow for audits. Customer may conduct audits annually upon reasonable notice, or Processor may provide third-party audit reports.
13) Liability
Each party's liability for data protection violations is subject to the limitation of liability provisions in the Agreement, except where prohibited by Applicable Data Protection Laws.
14) Term & Updates
This DPA remains in effect for the duration of the Agreement. Processor may update this DPA to reflect changes in law or business practices with 30 days' notice.
Annex I: Processing Details
Annex II: Technical and Organizational Measures
Contact: support@botonsite.com
Note: This template is provided for informational purposes. Have legal counsel review before publishing.