EchoAI

Data Processing Agreement

Last updated: April 26, 2026

1. Subject and scope of the DPA

1.1 Subject

This DPA is the Data Processing Agreement between the User (hereinafter: Controller) and the Service Provider (hereinafter: Processor) under Article 28 of the GDPR (EU 2016/679).

The DPA forms an inseparable part of the Terms of Service (Terms) signed between the Parties or accepted by use of the Platform.

1.2 When it applies

This DPA applies only where the Service Provider processes personal data on the Controller's (User's) documented instructions, acting as processor. This typically covers:

  • handling of Content uploaded by the User (PDF, CSV, URL, text, YouTube);

  • handling of chat messages and Lead data of End Users conversing with the Public Assistant;

  • handling of fields stored in the Contract Assistant.

The DPA does not apply when the Service Provider acts as its own controller (the User's account data, billing, platform analytics).

2. Definitions

  • GDPR: the EU General Data Protection Regulation (EU 2016/679).

  • Data subject: the natural person whose data is processed by the Processor on the Controller's instructions.

  • Subprocessor: a third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.

  • Personal data: any information relating to an identified or identifiable natural person (GDPR Article 4(1)).

  • Personal data breach: as defined in GDPR Article 4(12).

3. Details of processing (per GDPR Article 28(3))

3.1 Subject matter

The Service Provider performs processing operations relating to the operation of the Platform on the Controller's instructions.

3.2 Duration

The duration of the service contract (Terms), extended by the export and deletion periods set out in Section 7 (Return and deletion of data).

3.3 Nature and purpose

Enabling AI-based conversations with End Users on the User's website, knowledge base processing, lead capture, contract document generation.

3.4 Types of personal data

  • Identifying data (name)

  • Contact details (email address, phone number)

  • Conversational content (text, file)

  • Technical data (IP address, user-agent, timestamp)

  • Other personal data that may be present in content uploaded by the Controller to the knowledge base

3.5 Categories of data subjects

  • End Users visiting the Controller's website

  • The Controller's customers, prospects, partners, where they appear in the knowledge base or contract fields

  • The Controller's employees, where they use an internal Knowledge Base Assistant

3.6 Controller's obligations and rights

The Controller:

  • shall have the appropriate legal basis for processing data subjects' data (contract, legitimate interest, consent, etc.);

  • shall provide End Users with appropriate information in its own Privacy Policy;

  • is responsible for the lawful handling of third-party data contained in content uploaded to the knowledge base.

4. Processor's obligations

4.1 Processing on instructions

The Processor processes personal data only on the Controller's documented instructions. Acceptance of the Terms and this DPA, together with settings available in the Platform interface, constitute documented instructions.

If the Processor considers that an instruction infringes the GDPR or other Union or Member State data protection law, it informs the Controller without delay.

4.2 Confidentiality

The Processor ensures that persons authorised to process personal data have committed to confidentiality or are under a statutory obligation of confidentiality.

4.3 Security measures (GDPR Article 32)

The Processor implements the following technical and organisational measures (TOMs):

Technical:

  • Encryption in transit (TLS 1.2+)

  • Encryption at rest (AES-256)

  • Access control (RBAC), 2FA for administrative access

  • Daily automated backups

  • Security logs retained for 6 months

  • Vulnerability management, regular dependency audits

Organisational:

  • Confidentiality declarations of employees

  • Authorisation management procedure (least privilege principle)

  • Internal incident response protocol

  • Subprocessor audit procedure

4.4 Subprocessors (GDPR Article 28(2)-(4))

4.4.1 General authorisation

The Controller grants the Processor a general authorisation to engage subprocessors. The current subprocessor list is set out in Section 9 of the Privacy Policy (echoai.hu/privacy).

4.4.2 Notification of changes

Before engaging a new subprocessor or replacing an existing one, the Processor notifies the Controller by email and via the Platform at least 30 calendar days in advance.

4.4.3 Right to object

The Controller may object to the change on reasonable grounds. If the Processor implements the change despite the objection, the Controller may terminate the service contract with effect from the end of the current billing period.

4.4.4 Subprocessors' contractual obligations

The Processor ensures that it concludes a written contract with every subprocessor containing data protection obligations equivalent to those set out in this DPA, in particular:

  • security measures;

  • confidentiality;

  • prohibition on using Personal Data to train their own models (notably: OpenAI, z.AI).

4.5 Assistance with data subject rights

The Processor assists the Controller through appropriate technical and organisational measures with the fulfilment of data subject rights (GDPR Articles 12-22):

  • Access, rectification, erasure, restriction, portability, objection.

If a data subject contacts the Processor directly, the Processor forwards the request to the Controller without undue delay and acts on the Controller's instructions.

4.6 Assistance to the Controller (GDPR Article 28(3)(f) and (h))

The Processor assists the Controller with:

  • Data Protection Impact Assessment (DPIA) (GDPR Article 35), upon the Controller's request, where the Processor may charge a reasonable fee for material assistance.

  • Consultation with the supervisory authority (Article 36).

  • Incident management (Articles 33-34).

4.7 Personal data breach (GDPR Article 33)

The Processor notifies the Controller of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of it, with the following content:

  • the nature of the breach, the likely categories and approximate number of data subjects, and the categories and approximate volume of personal data concerned;

  • the likely consequences;

  • the measures taken or proposed.

4.8 Audit right

The Controller is entitled to audit the Processor's data protection practices:

  • by reviewing documentation made available by the Processor (Security Overview, ISO certifications, SOC reports, where available);

  • by an on-site audit at most once per year, after 30 days' prior notice, where the documentation level proves insufficient.

The audit is carried out at the Controller's expense, except where the audit reveals material non-compliance — in which case the costs are borne by the Processor.

5. International data transfers

5.1 Data storage locations

Personal data is primarily stored in the EU (Railway EU region, PostHog EU, Cloudflare R2 EU).

5.2 US transfer

AI inference (OpenAI) and certain communication services (Postmark, Google) operate in the USA. The legal basis for the US transfer:

  • EU Standard Contractual Clauses 2021 (Commission Implementing Decision 2021/914);

  • EU-US Data Privacy Framework (DPF) for certified providers;

  • Supplementary technical measures: encryption, access restrictions.

5.3 UK and Switzerland

For personal data of UK data subjects, the UK GDPR applies and transfers rely on the UK International Data Transfer Addendum (IDTA Addendum) to the EU SCCs; for personal data of Swiss data subjects, the Swiss FADP applies alongside the EU SCCs.

6. AI model training — exclusion

6.1 The Processor's commitment

The Processor declares and warrants:

  • It does not use Personal Data to train, fine-tune, or develop its own AI models;

  • It has imposed contractual obligations on the LLM subprocessors used (OpenAI, z.AI) not to use Personal Data to train their own models;

  • For OpenAI, the Processor uses "zero data retention" or an equivalent configuration for all User data processing on the Platform.

6.2 Anonymised, aggregated data

The Processor uses only anonymised, aggregated usage metrics for Platform development, which do not contain Personal Data.

7. Return and deletion of data

7.1 Upon termination of the contract

Upon termination of the service contract for any reason, the Processor:

  1. For 30 days following termination of the contract, allows the Controller to export the Personal Data (Platform export functions or, on request, custom export).

  2. After the 30-day period, the Processor deletes or returns the Personal Data at the Controller's choice.

  3. Deletion from backups occurs automatically as part of rotation, but no later than 90 days.

7.2 Exceptions

The Processor may retain Personal Data whose retention is required by Union or Member State law (e.g. 8 years under Hungarian accounting law).

8. Liability

Liability between the Parties for breaches of obligations under this DPA is governed by Section 15 of the Terms (Liability). Liability under GDPR Article 82 is borne in accordance with the GDPR.

9. Effect and modification of the DPA

9.1 Effective date

This DPA enters into force simultaneously with acceptance of the Terms and remains in effect until termination of the service contract.

9.2 Separately signed B2B version

Upon request from a corporate customer, the Processor provides a separately signable PDF version of the DPA, identical in content to the online version. Requests may be sent to privacy@echoai.hu.

9.3 Modification

The Processor may modify this DPA in line with changes in applicable law. The Processor notifies the Controller of material modifications at least 30 calendar days in advance. If the Controller does not accept the modification, it may terminate the service contract under Section 6.6 of the Terms.

10. Miscellaneous

10.1 Governing law

The laws of Hungary, with direct application of the GDPR.

10.2 Jurisdiction

The court designated in Section 19.2 of the Terms.

10.3 Conflict

If this DPA and other provisions of the Terms conflict regarding the processing of Personal Data, this DPA prevails.

Annexes

Annex 1: Subprocessor list

The complete list is set out in Section 9 of the Privacy Policy (echoai.hu/privacy). In case of changes, the Processor notifies the Controller by email and via the Platform 30 calendar days in advance.