1. Subject matter and scope
This Data Processing Agreement (“DPA”) supplements our
Terms and Conditions and applies whenever we process personal data of your customers or end visitors (“Customer Personal Data”) on your behalf, in connection with your use of ChatNorris. In the event of a conflict, this DPA prevails over the Terms with respect to the processing of personal data.
2. Definitions
- Data exporter: you, as a ChatNorris customer.
- Data importer: ChatNorris.
- Data protection laws: applicable personal data protection laws, including the GDPR (EU/EEA) and equivalent laws in other jurisdictions where applicable.
- Customer Personal Data: personal data of your end visitors that we process while providing the service to you (for example, conversation messages).
3. Roles of the parties
With respect to Customer Personal Data, you act as the
data controller and ChatNorris acts as the
data processor. For data about your own account (billing, contact details, platform usage metrics), ChatNorris acts as an independent controller, as described in our
Privacy Policy.
4. Customer instructions
ChatNorris will process Customer Personal Data only in accordance with your documented instructions (the features you configure on the platform) and as necessary to provide the service, unless required otherwise by law. If an instruction infringes applicable law, we will notify you.
5. Nature, purpose and duration of processing
Nature and purpose: receiving, storing and processing conversation messages to generate AI responses, semantic search over your knowledge base, and delivering usage analytics.
Categories of personal data: contact identifiers voluntarily shared by the end visitor during the conversation (name, email, phone) and the content of the messages.
Categories of data subjects: the end visitors of your website or connected WhatsApp/Instagram channels.
Duration: while your account is active, as described in our Privacy Policy.
6. Confidentiality
ChatNorris ensures that anyone authorized to process Customer Personal Data is subject to a confidentiality obligation, whether contractual or statutory.
7. Sub-processors
You authorize ChatNorris to engage the following sub-processors to provide the service, under agreements that impose data protection obligations equivalent to those in this DPA:
- Supabase — database, authentication and storage.
- Vercel — application hosting.
- Anthropic (Claude) — message processing to generate AI responses.
- OpenAI — embeddings generation for semantic search.
- Meta — WhatsApp and Instagram integration.
- Resend — transactional email delivery.
- Cloudflare — anti-bot protection.
If we engage a new sub-processor that materially processes Customer Personal Data, we will notify you by email or through a notice on the platform.
8. Security measures
ChatNorris implements appropriate technical and organizational measures, including: encryption in transit (HTTPS/TLS) and at rest, per-organization data isolation via Row Level Security in Supabase, authentication with anti-bot verification, role-based access control, and infrastructure backups managed by our hosting providers.
9. International data transfers
Where processing involves transferring Customer Personal Data outside your region (for example, to the United States, where several of our sub-processors operate), we rely on the transfer mechanisms and contractual safeguards those providers offer to maintain an adequate level of protection.
10. Assistance with data subject rights
If ChatNorris receives a request from an end visitor to exercise their rights of access, rectification, erasure or objection over Customer Personal Data, we will notify you and forward the request, since you are responsible for resolving it directly. We will provide reasonable technical assistance when you cannot respond on your own (for example, by enabling export or deletion of conversations from the dashboard).
11. Data breach notification
If we detect a security breach affecting Customer Personal Data, we will notify you without undue delay, with available information about its nature, scope, and the measures taken to mitigate it, so you can fulfill your own notification obligations if applicable.
12. Audits
Upon reasonable request, ChatNorris will provide the information necessary to demonstrate compliance with this DPA, including responses to security questionnaires. On-site audits will be scheduled with reasonable advance notice and must not interfere with the normal operation of the service.
13. Term and data deletion
This DPA remains in effect while ChatNorris processes Customer Personal Data on your behalf. Upon termination of the relationship, we will delete or return such data within the timeframes described in our
Privacy Policy, unless the law requires us to retain it longer.
14. Order of precedence
In the event of a conflict between this DPA and the Terms and Conditions regarding the processing of Customer Personal Data, this DPA prevails. In all other respects, the
Terms and Conditions apply.