Data Processing Agreement
Effective date: 21 May 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the agreement between Assistify and the merchant customer that accepts it for the provision of the Assistify service. It is entered into under Article 28 of Regulation (EU) 2016/679 (the "GDPR") and must be accepted before the Merchant goes live with the Assistify service.
1. Parties
Processor: NATIV STUDIO OÜ ("Assistify"), a company registered under number 17290338, with registered address Järvevana tee 9, Kesklinna linnaosa, 11314 Tallinn, Estonia.
Controller: the merchant customer (the "Merchant") that accepts this DPA through its Assistify account.
Assistify and the Merchant are each a "Party" and together the "Parties".
Effective date: the date on which the Merchant accepts this DPA, as recorded by Assistify.
2. Background and roles
2.1 Assistify provides the Assistify service, a business-to-business software-as-a-service product. Assistify is an embeddable AI customer-support chat widget. The in-product AI agent is named "Aiva".
2.2 For personal data of website visitors handled through the chat widget, the Merchant is the controller and Assistify is the processor. This DPA governs Assistify acting as a processor for the Merchant.
2.3 Website visitors who interact with the chat widget are the data subjects under this DPA.
2.4 Assistify is a separate and independent controller for the personal data of the Merchant's own account and billing. That processing is not covered by this DPA and is described in Assistify's privacy notice.
3. Definitions
3.1 "Personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given to them in the GDPR.
3.2 "Visitor data" means personal data relating to website visitors that Assistify processes on behalf of the Merchant through the chat widget.
3.3 "Sub-processor" means any third party engaged by Assistify to process visitor data on behalf of the Merchant.
3.4 "Main terms" means the master service agreement, subscription terms, or terms of service between the Parties for the Assistify service.
3.5 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914.
3.6 "EEA" means the European Economic Area.
3.7 Where the Controller is established in the UK, references to the GDPR in this DPA include the UK GDPR mutatis mutandis, and the Information Commissioner's Office (ICO) is the relevant supervisory authority.
4. Subject matter and duration of the processing
4.1 The subject matter of the processing is the provision of the Assistify chat widget service to the Merchant, including the operation of the Aiva AI agent.
4.2 This DPA takes effect on the effective date stated in clause 1 and remains in force for as long as Assistify processes visitor data on behalf of the Merchant under the main terms. The obligations on deletion or return of data in clause 11 survive the end of the main terms.
4.3 Full details of the processing are set out in Annex 1.
5. Nature and purpose of the processing
5.1 Assistify processes visitor data for the sole purpose of providing and operating the chat widget service for the Merchant. This includes receiving and storing chat messages, generating AI-assisted replies through Aiva, storing files that visitors upload during a conversation, and making conversation history available to the Merchant.
5.2 Assistify does not use visitor data for its own purposes. The large language models that power Aiva do not train on visitor data.
6. Types of personal data and categories of data subjects
6.1 The types of personal data and the categories of data subjects are set out in Annex 1.
6.2 The Merchant must not use the chat widget to collect special categories of personal data as defined in Article 9 of the GDPR, and must take reasonable steps to discourage visitors from submitting such data through the chat.
7. Controller obligations and instructions
7.1 The Merchant warrants that it has a valid legal basis for the processing of visitor data and that it has provided all notices and obtained all consents required for Assistify to process visitor data as described in this DPA.
7.2 The Merchant is responsible for the lawfulness of its instructions to Assistify.
7.3 The Merchant's documented instructions to Assistify consist of this DPA, the main terms, and the configuration choices the Merchant makes within the Assistify product. Any additional instruction must be given in writing and agreed by both Parties.
7.4 The Merchant must respond to requests from data subjects, supervisory authorities, and other third parties in relation to visitor data, with the assistance from Assistify described in clause 8.
7.5 The Merchant warrants that the service on which it embeds the chat widget is not directed at children, or, where it is, that the Merchant obtains parental or guardian consent where required by applicable law. The Merchant is responsible for determining the applicable age of consent for information society services in each relevant jurisdiction (for example, the threshold is 13 in Estonia).
7.6 AI transparency. Aiva is an AI system that interacts directly with the Merchant's website visitors. As the provider of Aiva, Assistify is responsible for designing it so that visitors are informed they are interacting with an AI system, as required by Article 50 of Regulation (EU) 2024/1689 (the EU AI Act). Assistify meets this by displaying a persistent indication that the visitor is chatting with an AI assistant while the AI is handling the conversation. As deployer, the Merchant must keep that disclosure enabled and visible, must not disable or obscure it, and must not present Aiva to its visitors as a human.
8. Processor obligations
Assistify undertakes the following.
8.1 Processing on documented instructions. Assistify processes visitor data only on the Merchant's documented instructions, including with regard to international transfers, unless required to process by EU or member state law to which Assistify is subject. In that case Assistify informs the Merchant of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. If Assistify believes an instruction infringes the GDPR or other data protection law, it informs the Merchant.
8.2 Confidentiality of personnel. Assistify ensures that personnel authorised to process visitor data are bound by an appropriate duty of confidentiality and access visitor data on a need-to-know basis.
8.3 Security measures. Assistify implements the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
8.4 Sub-processors. Assistify engages sub-processors only on the conditions set out in clause 9.
8.5 Assistance with data subject requests. Taking into account the nature of the processing, Assistify assists the Merchant by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Merchant's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
8.6 Assistance with Articles 32 to 36. Assistify assists the Merchant in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Assistify. This covers security of processing, personal data breach notification and communication, data protection impact assessments, and prior consultation with a supervisory authority.
8.7 Deletion or return of data. At the end of the provision of services, Assistify deletes or returns visitor data to the Merchant in accordance with clause 11.
8.8 Demonstrating compliance and audits. Assistify makes available to the Merchant all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and this DPA. Assistify allows for and contributes to audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant. Audits must be requested in writing with reasonable notice, must take place during normal business hours, must not unreasonably disrupt Assistify's operations, and must respect the confidentiality and security of other customers' data. If in future Assistify holds a relevant independent audit report or certification, it may offer that as part of its response to an audit request; this does not replace or limit the Merchant's audit right under this clause.
9. Sub-processors
9.1 The Merchant gives Assistify a general written authorisation to engage sub-processors to process visitor data. The sub-processors approved as at the effective date are listed in Annex 3 and in the public sub-processor list referenced there.
9.2 Where Assistify engages a sub-processor, it imposes on that sub-processor, by a written contract, data protection obligations that are no less protective than those in this DPA, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures.
9.3 Assistify remains fully liable to the Merchant for the performance of each sub-processor's obligations.
9.4 Assistify maintains a versioned sub-processor list. Before a new or replacement sub-processor starts processing visitor data, Assistify gives the Merchant's administrators at least 30 days' notice by email.
9.5 The Merchant may object to a new or replacement sub-processor on reasonable data protection grounds by notifying Assistify in writing within the 30-day notice period. The Parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Merchant may terminate the affected part of the service, or the main terms, in accordance with the main terms.
10. International transfers
10.1 All production processing by Assistify and the primary PostgreSQL database are hosted in the EU. Uploaded chat files are stored on Assistify's own EU infrastructure.
10.2 Some sub-processors are located outside the EEA. Where visitor data is transferred to a country outside the EEA, the transfer is made on the basis of an adequacy decision, the EU-US Data Privacy Framework where the recipient is certified, or the Standard Contractual Clauses together with a transfer impact assessment and any supplementary measures that the assessment identifies as necessary.
10.3 The transfer mechanism applicable to each sub-processor is identified in the sub-processor list referenced in Annex 3. The SCC arrangements are addressed in Annex 4.
11. Deletion or return of data
11.1 Assistify applies a centrally managed retention schedule that is uniform across all merchants. Visitor chat data is retained for 12 months after a conversation closes. Uploaded files are retained for 90 days. Data is then deleted automatically on schedule.
11.2 On termination or expiry of the main terms, Assistify deletes or returns visitor data at the Merchant's choice, and deletes existing copies, unless EU or member state law requires further storage of the data.
11.3 The Merchant must communicate its choice between deletion and return within 30 days of the end of the main terms. If the Merchant does not communicate a choice within that period, Assistify deletes the visitor data.
12. Personal data breach notification
12.1 Assistify notifies the Merchant without undue delay after becoming aware of a personal data breach affecting visitor data, and in any event in sufficient time for the Merchant to meet its own 72-hour notification duty as controller.
12.2 The notification includes, to the extent known and available to Assistify, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed in response, and a contact point for more information. Assistify provides the Merchant with the information the Merchant needs to meet its own obligations under Articles 33 and 34 of the GDPR.
12.3 As the processor, Assistify does not notify the supervisory authority or data subjects on the Merchant's behalf unless the Merchant instructs it to do so in writing.
13. Liability and indemnity
13.1 Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main terms.
13.2 Each Party is liable for damage caused by processing only where it has not complied with the obligations of the GDPR directed specifically to processors or where it has acted outside or contrary to the lawful instructions of the controller, in accordance with Article 82 of the GDPR.
13.3 Each Party will indemnify the other against fines, claims, and reasonable costs that result directly from that Party's breach of this DPA, subject to the liability provisions of the main terms.
14. Governing law and jurisdiction
14.1 This DPA is governed by Estonian law.
14.2 The courts of Tallinn, Estonia have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the rights of data subjects and supervisory authorities under the GDPR.
15. Order of precedence
15.1 This DPA forms part of and is subject to the main terms.
15.2 If there is a conflict between this DPA and the main terms on a matter of personal data protection, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail. In all other respects the main terms prevail.
16. Acceptance
16.1 This DPA is accepted electronically. When an authorised representative of the Merchant accepts the Assistify Terms of Service during account registration, the Merchant accepts this DPA, which is incorporated into those Terms by reference.
16.2 Assistify records each acceptance, including the accepting user, the date and time, and the version of this DPA. That record is the evidence of the Merchant's agreement.
16.3 Electronic acceptance under this clause constitutes a binding agreement between the Parties for the purposes of Article 28(3) of the GDPR. No handwritten signature is required.
16.4 A Merchant that requires a separately negotiated or counter-signed DPA may contact Assistify at [email protected].
Annex 1: Details of the processing
Subject matter. Provision of the Assistify embeddable AI customer-support chat widget, including the Aiva AI agent, to the Merchant.
Duration. For the term of the main terms and until visitor data is deleted or returned in accordance with clause 11.
Nature and purpose. Receiving, transmitting, and storing chat messages between website visitors and the Merchant; generating AI-assisted replies through Aiva; storing files uploaded by visitors during a conversation; making conversation history available to the Merchant; and applying the retention and deletion schedule. The purpose is to enable the Merchant to provide customer support to its website visitors.
Types of personal data.
- Identifiers and contact details that a visitor chooses to provide (for example name, email address, order or account references).
- The content of chat messages exchanged between the visitor and the Merchant or Aiva.
- Files uploaded by a visitor during a conversation, which may contain personal data.
- Technical data associated with a chat session (for example a session identifier, IP address, timestamps, device and browser details, and an approximate location resolved to city, region, and country level; no precise per-visitor coordinates are stored).
Categories of data subjects. Website visitors who interact with the chat widget embedded on the Merchant's website, including the Merchant's customers and prospective customers.
Special categories of data. Not intended to be processed. The Merchant must not use the widget to collect special category data and must take reasonable steps to discourage visitors from submitting it.
Annex 2: Technical and organisational security measures
Assistify implements and maintains the following measures, in accordance with Article 32 of the GDPR. Assistify may update these measures over time provided the level of protection is not reduced.
- Encryption in transit. Personal data is encrypted in transit using TLS.
- Encryption at rest. Personal data stored by Assistify is encrypted at rest.
- Role-based access control. Access to systems and data is governed by role-based access control.
- Need-to-know access. Personnel access visitor data only on a need-to-know basis and are bound by confidentiality obligations.
- Audit logging. Access to and actions on personal data are recorded in audit logs.
- Tenant isolation. Each merchant's data is logically isolated, and every data access is scoped to the owning merchant.
- Scheduled automatic deletion. Personal data is deleted automatically on a centrally managed retention schedule (visitor chat data 12 months after a conversation closes, uploaded files 90 days).
- EU hosting. All production processing operated by Assistify and the primary PostgreSQL database are hosted in the EU. Uploaded chat files are stored on Assistify's own EU infrastructure. The language-model sub-processors that power Aiva may process data outside the EU; the transfer mechanism applicable to each is set out in the sub-processor list referenced in Annex 3.
Annex 3: Approved sub-processors
The sub-processors approved by the Merchant as at the effective date are the sub-processors listed in the Assistify sub-processor list. That document records, for each sub-processor, its name, the service it provides, its processing location, and the applicable transfer mechanism. It is published and versioned by Assistify and is incorporated into this DPA by reference.
The current version of the sub-processor list is available at https://assistify.chat/subprocessors.
New or replacement sub-processors are added in accordance with the notice and objection mechanism in clause 9.
Annex 4: Standard Contractual Clauses
This Annex governs the Standard Contractual Clauses relied on for any transfer of visitor data to a country outside the EEA that is not covered by an adequacy decision.
When the SCCs apply. Where a sub-processor is located outside the EEA and the transfer is not covered by an adequacy decision or, for the United States, by the EU-US Data Privacy Framework (because the recipient is not certified), the transfer is made on the basis of the Standard Contractual Clauses adopted in Decision (EU) 2021/914, together with a transfer impact assessment and any supplementary measures that the assessment identifies as necessary. For language-model sub-processors located outside the EEA, the Standard Contractual Clauses together with a transfer impact assessment are the operative mechanism.
Which module applies.
- Module Two (controller to processor) applies to the transfer from the Merchant, as controller, to Assistify, as processor, where Assistify is established outside the EEA. Assistify's production processing is EU-hosted, so this module is expected to apply only in limited circumstances.
- Module Three (processor to processor) applies to the onward transfer from Assistify, as processor, to a sub-processor that acts as a further processor and is located outside the EEA.
Completed clauses. Assistify maintains the completed Standard Contractual Clauses for each relevant sub-processor and makes them available to the Merchant on request. Once completed and in force, the Standard Contractual Clauses prevail over this DPA in the event of a conflict, as set out in clause 15.