Data Processing Agreement (DPA)
    Last updated: 2025-10-12
    
    1. Parties & Scope
    This DPA forms part of the agreement between Olga AI Inc. (“Processor”) and the entity or individual agreeing to the Terms (“Controller”) for Olga AI services (the “Services”). It governs Processor’s processing of personal data on behalf of Controller under applicable data protection laws, including GDPR/UK GDPR and comparable laws.
  
  
    2. Roles & Instructions
    Controller is the controller of Customer Data; Processor processes Customer Data only on documented instructions from Controller, including as set forth in the Agreement, this DPA, and Controller’s configuration of the Services.
  
  
    3. Confidentiality
    Processor ensures that persons authorized to process Customer Data are bound by confidentiality obligations.
  
  
    4. Security
    Processor implements appropriate technical and organizational measures described in Annex II to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  
  
    5. Sub‑processors
    Controller authorizes Processor to engage sub‑processors listed in Annex III and any others Processor may add with prior notice. Processor will impose data protection obligations on sub‑processors substantially similar to those in this DPA and remains responsible for their performance.
  
  
    6. International Transfers
    Where Customer Data is transferred internationally, Processor will ensure appropriate safeguards (e.g., Standard Contractual Clauses) and will require sub‑processors to do the same.
  
  
    7. Assistance & Data Subject Requests
    Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller’s obligations to respond to data subject requests and to comply with Articles 32–36 GDPR (security, breach notification, DPIAs, and consultations).
  
  
    8. Breach Notification
    Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide information reasonably available to assist Controller in meeting any obligations to notify authorities or affected individuals.
  
  
    9. Audits & Reports
    On Controller’s reasonable request, Processor will make available information necessary to demonstrate compliance with this DPA and allow for audits by Controller or an independent auditor mandated by Controller, subject to reasonable confidentiality, security, and scheduling requirements. Processor may satisfy this by providing third‑party audit reports or compliance documentation.
  
  
    10. Return & Deletion
    Upon termination of the Services or upon Controller’s written request, Processor will delete Customer Data or return it to Controller (at Controller’s choice), unless retention is required by law. Deletion will occur within a commercially reasonable timeframe consistent with backup cycles.
  
  
    11. Liability
    The parties’ liability under this DPA is subject to the limitations set forth in the Agreement.
  
  
    Annex I — Details of Processing
    Subject matter: Provision of Olga AI chatbot Services.
    Duration: For the term of the Agreement and any transition period.
    Nature & purpose: Hosting, processing, transmitting, and analyzing chat interactions and related metadata to provide automated responses, lead capture, and support features.
    Categories of data subjects: Controller’s employees and representatives; website visitors and end‑users who interact with Controller’s chatbot; Controller’s customers and leads.
    Categories of personal data: Names, emails, phone numbers (if provided), chat content, identifiers (IP address, device/browser info), usage and diagnostic data, billing contact details (for Controller’s users/admins).
    Special categories: Not intended. Controller is responsible for avoiding submission of special categories unless explicitly agreed in writing.
    Processing operations: Collection, storage, retrieval, organization, transmission, display, analysis for automated responses, and deletion, as configured by Controller.
  
  
    Annex II — Technical & Organizational Measures
    
      - Encryption: TLS for data in transit; encryption at rest provided by hosting and database providers.
      - Access Control: least‑privilege roles, need‑to‑know access, MFA for admin accounts.
      - Segregation & Isolation: logical separation of Customer Data.
      - Logging & Monitoring: audit logs for administrative actions; security monitoring.
      - Vulnerability Management: dependency updates and remediation processes.
      - Business Continuity: regular backups and tested restore procedures.
      - Personnel Practices: confidentiality obligations and security training.
      - Incident Response: documented process for detection, assessment, notification, and remediation.
    
  
  
    Annex III — Authorized Sub‑processors
    
      - Stripe, Inc. — payment processing and invoicing (global; may involve international transfers).
      - Netlify, Inc. — hosting/CDN, Identity/GoTrue, and serverless functions.
      - Email Service Provider (e.g., Google Workspace or equivalent) — transactional and support email.
    
    Processor may update this list by providing notice to Controller (e.g., email or in‑app). Controller may object on reasonable grounds related to data protection; if unresolved, Controller may terminate the affected Services.
  
  
  This DPA is a template provided for informational purposes and should be reviewed by legal counsel before production use.