Data Processing Addendum (DPA) — GDPR
Last updated: 8 October 2025
Parties:
(1) Customer (as defined in the Terms), acting as Controller (and, where Customer is a processor, Customer appoints Swavvy AB as Sub-processor); and
(2) Swavvy AB, org. no. 5590083670, Täppgränd 95, 121 33 Enskededalen, Sweden (“Processor”).
This DPA forms part of the Terms of Service (Chatric).
1. Subject matter & duration
Processor processes Customer Personal Data solely to provide the Service on Customer’s documented instructions for the term of the Agreement and any wind-down/back-up period.
2. Nature & purpose of processing
Ingestion, storage, transformation, analysis, and activation of Customer Data from connected sources/destinations configured by Customer.
Model inference to generate responses to Customer prompts.
Support & security (incident investigation, logs).
No processing for independent purposes of Processor.
3. Types of data & data subjects
Data subjects: end-users/visitors/customers of Customer; Customer personnel/contractors.
Personal data: online identifiers, events/engagement, campaign metadata, order/customer records from commerce systems; prompts/outputs; basic account identifiers (name, email).
Special categories: not intended. Customer will not submit special-category data, children’s data, payment card numbers, national IDs, or precise geolocation unless agreed in writing with appropriate safeguards.
4. Processor obligations
Process only on documented instructions (this DPA, in-app settings, Customer’s written requests).
Ensure confidentiality and training of personnel.
Implement appropriate technical and organizational measures (Annex II).
Assist Customer with data subject requests, security, DPIAs, and consultation with authorities (Art. 32–36) to the extent relevant to the Service.
Delete or return Customer Personal Data at termination or upon written request, unless law requires retention.
Maintain records of processing and make available all information necessary to demonstrate compliance, including audit rights (Section 9).
No training of AI models on Customer Personal Data unless Customer opts in.
5. Sub-processors
Customer authorizes Processor to use Sub-processors listed on the Sub-processor Page (as updated). Processor will:
(a) impose data protection obligations at least as protective as this DPA;
(b) remain liable for Sub-processor performance;
(c) provide advance notice of new/replacement Sub-processors via the Sub-processor Page (and in-app/email where feasible); Customer may object on reasonable privacy/security grounds—Processor will work in good faith to resolve; failing resolution, Customer may suspend the affected feature or terminate the impacted Order with pro-rated refund.
6. International transfers
Primary hosting is in the EEA (GCP europe-west1). Where processing occurs in a third country (e.g., Firebase Authentication or certain AI inference), Processor implements EU Standard Contractual Clauses (SCCs) (Module 2/3 as applicable) and supplementary safeguards. On request, Processor will provide details of transfer mechanisms.
7. Security incidents
Processor will notify Customer without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Processor will provide available details, take reasonable steps to mitigate, and cooperate with Customer’s remediation.
8. Data subject requests
Where feasible, Processor will enable Customer to address requests (access, rectification, erasure, restriction, portability, objection). If Processor receives a request directly, Processor will promptly forward it to Customer (unless legally prohibited).
9. Audits
Once per 12-month period (and after a breach), Customer may conduct a reasonable audit of Processor’s compliance (including reviewing third-party certifications, SOC/ISO reports, and responses to security questionnaires). On-site audits are limited to where necessary, upon 30 days’ notice, during business hours, and subject to confidentiality and safety rules.
10. Assistance & cooperation
Processor will reasonably assist with DPIAs, prior consultations, and regulator/customer inquiries relating to processing under this DPA.
11. Return & deletion
Upon termination/expiry, Processor will (at Customer’s choice) return or delete Customer Personal Data and existing copies within a reasonable period (backups are purged on rolling cycles). If law prevents deletion, Processor will securely isolate and protect the data.
12. Liability & governing law
Liability is as set out in the Agreement. This DPA is governed by the Agreement’s governing law and venue (Sweden / Stockholm).
Annex I — Description of Processing
Controller: Customer (and/or Customer’s clients, where Customer acts as processor).
Processor: Swavvy AB.
Processing activities: as set out in Sections 1–3.
Frequency: continuous during the term.
Duration: term of the Agreement + retention windows (see Privacy Policy).
Data transfers: as in Section 6.
Data subjects & data types: as in Section 3.
Special categories: not intended.
Annex II — Technical & Organizational Measures (TOMs)
Governance: Security policy, access management (least privilege, RBAC), background-checked staff, onboarding/offboarding.
Identity & auth: SSO/MFA support; Firebase Auth for sign-in; session cookie HttpOnly/Secure/SameSite; server-side session store.
Encryption: TLS 1.2+ in transit; AES-256 (or provider equivalent) at rest; KMS-managed keys for tokens/secrets.
App security: secure SDLC, code review, dependency scanning, vulnerability management, penetration tests as appropriate.
Network & infra: segmentation, firewalls, hardened images, backups (rolling ~35 days), monitoring/alerting.
Data minimization: prompt/output retention defaults; configurable org-level retention; redaction where feasible.
Logging & audit: audit trails for admin actions and data access; immutable logs where feasible; time-sync.
Business continuity: redundancy in GCP europe-west1; disaster-recovery runbooks.
Incident response: documented IR plan; 24×7 alerting; breach notification within 48 hours.
Vendor risk: sub-processor review, SCCs for transfers, annual re-assessment.
Annex III — Authorized Sub-processors (as of this DPA)
Google Cloud Platform (GCP) — hosting, storage, networking — EU (europe-west1).
Firebase Authentication (Google LLC) — authentication — US/global auth infra (SCCs).
Sentry (Functional Software, Inc.) — error/performance monitoring — EU residency where available; otherwise US (SCCs; data minimization).
OpenAI (GPT-5) — model inference — global (may include US) (SCCs; no training on Customer Data by default).
Annex IV — SCCs
Where required, the EU Standard Contractual Clauses (2021/914) apply:
Module 2 (Controller → Processor) and, where Customer is itself a processor, Module 3 (Processor → Processor).
The parties complete the SCC annexes by reference to Annex I–III above.
Supervisory authority: IMY (Sweden) unless otherwise required by Customer’s establishment.
Docking clause applies.