Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between: (i) the customer that uses the dialobox Service ("Controller"), and (ii) Antoine Depuydt, the operator of the dialobox platform ("Processor"). The Processor processes personal data on behalf of the Controller in connection with the Service as described in the Terms of Service and Privacy Policy.

2. Subject matter and duration

The Processor processes personal data necessary to provide the Service (e.g. account data, form submissions, conversation and message data, reply tokens, and related metadata). The duration of processing is the term of the Controller's use of the Service plus any retention period required by law or this DPA.

3. Processing instructions

The Processor processes personal data only on documented instructions of the Controller (including via the Service configuration and the Terms) and in accordance with applicable data protection law (including the GDPR where applicable). The Controller is responsible for ensuring that its instructions and use of the Service comply with law and that it has a valid legal basis and any required notices (e.g. privacy notice, consent) for the processing.

4. Subprocessors

The Processor may engage subprocessors to support the Service (e.g. hosting, email delivery, payment processing). A list of subprocessors and their purposes is set out in our Privacy Policy. The Processor ensures that subprocessors are bound by obligations consistent with this DPA and applicable law. The Processor will inform the Controller of any intended changes concerning the addition or replacement of subprocessors and will give the Controller an opportunity to object in accordance with applicable law.

5. Security and confidentiality

The Processor implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including encryption in transit and at rest where applicable, access controls, and secure development practices. Personnel with access to personal data are bound by confidentiality obligations. Reply links for submitters are secured via time-limited cryptographic tokens. Customers are responsible for the confidentiality of links sent by email; forwarding the link may allow the recipient to access the conversation.

Annex – Technical and organizational measures

The Processor applies in particular: encryption in transit (HTTPS/TLS) and at rest for stored message content; time-limited cryptographic tokens for reply links and data subject requests; rate limiting on sensitive endpoints (e.g. reply submission, data request); logical segregation of customer data (tenant isolation); access controls and audit logging; and secure development practices.

6. Data subject rights and assistance

The Processor assists the Controller in responding to data subject requests (e.g. access, rectification, erasure, restriction, portability) to the extent possible within the scope of the Service. The Controller may use the in-product data export and account deletion features, and the public data request page (Data request), to help fulfill such requests.

7. Data return and deletion

At the end of the Service or upon request, the Processor will delete or return personal data in accordance with the Controller's instructions and the Terms, unless retention is required by law. Unless legally required to retain data, the Processor shall delete all personal data processed under this DPA within 30 days after termination of the Service or expiry of the export grace period set out in the Terms. Deletion is otherwise carried out within the timelines specified in the Privacy Policy.

8. Personal data breach

The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, in line with Article 33 GDPR.

9. Audits

The Processor makes available to the Controller information necessary to demonstrate compliance with this DPA. The Controller may request additional information or audits to the extent required by applicable law. Audits (including inspections) shall not occur more than once per calendar year unless required by law or following a material security incident. Any such audit will be subject to reasonable notice and confidentiality obligations.

10. Liability and governing law

Liability under this DPA is subject to the limitations set out in the Terms. This DPA is governed by the same law as the Terms. Any dispute arising in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms.

By using the Service, the Controller agrees to this DPA. For a countersigned copy or questions, contact us via our contact page.