DPA

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Chatvox (“Processor”) and you (“Controller”) and applies to the extent Chatvox processes Personal Data on your behalf while providing the Chatvox Service.

This page summarizes Chatvox’s current data processing commitments. It is not a substitute for a signed enterprise DPA where one is required for your organization.

2. Definitions

“Personal Data” means information relating to an identified or identifiable natural person processed by Chatvox on your behalf.

“Service” means the Chatvox AI chat agent platform, dashboard, hosted chat experiences, embeds, APIs, integrations, and related support services.

“Sub-processor” means a third-party service provider engaged by Chatvox that may process Personal Data to help provide the Service.

3. Processing of Personal Data

3.1 Roles of the Parties

For end-user conversation data, lead data, and knowledge base content that you submit to Chatvox, you are the Data Controller and Chatvox acts as your Data Processor. You are responsible for determining the lawful basis for processing, providing required notices, and obtaining any required consents from your end users.

3.2 Scope of Processing

Chatvox processes Personal Data to provide and secure the Service, including maintaining chat sessions, generating AI responses, storing configured knowledge sources, capturing leads when enabled, providing integrations, processing billing, preventing abuse, and supporting customer requests.

3.3 Documented Instructions

Chatvox processes Personal Data according to your documented instructions as reflected in the Terms of Service, this DPA, your product configuration, and any written agreement executed with Chatvox.

4. Sub-processors

You authorize Chatvox to engage Sub-processors that are necessary to provide, secure, and support the Service. Current categories include:

  • OpenAI: AI model services used to generate responses and embeddings.
  • Stripe: Payment, billing, subscription, and invoice processing.
  • Cloudflare: Security, bot mitigation, object storage, content delivery, and content processing services.
  • Google: Authentication services when Google sign-in is used.
  • Slack and Salesforce: Optional customer-configured integrations when enabled by you.
  • Hosting, database, email, logging, and infrastructure providers: Providers used to host, operate, monitor, and support the Chatvox platform.

Chatvox requires Sub-processors to process Personal Data only for the services they provide to Chatvox and under appropriate confidentiality and data protection obligations.

5. Security

Chatvox maintains technical and organizational measures designed to protect Personal Data against unauthorized access, accidental loss, misuse, alteration, and disclosure. Current measures include:

  • Tenant-level logical isolation of customer data.
  • Role-based access controls for team members and administrators.
  • Hashed password storage and support for two-factor authentication.
  • Encryption for sensitive integration credentials and action authentication secrets.
  • Transport security for production service traffic and provider API calls.
  • Operational logging, abuse prevention, rate limiting, and account moderation controls.

Some security controls, including storage encryption, backup protection, and network controls, may be provided by Chatvox’s infrastructure providers. Chatvox does not currently claim third-party certifications such as SOC 2, ISO 27001, or HIPAA unless separately stated in a signed agreement.

6. Data Subject Rights

As Controller, you are responsible for responding to Data Subject Requests under applicable privacy laws. Chatvox provides product features that can assist with those requests, including deleting specific conversations, clearing an agent’s conversations, deleting leads, deleting agents, deleting teams, and exporting available lead and activity data.

If Chatvox receives a request directly from a Data Subject that relates to your end-user data, Chatvox will direct the requester to contact the relevant Controller where reasonably identifiable.

7. Deletion, Return, and Retention

You may delete conversations, leads, agents, teams, and knowledge sources through the Service where those features are available. Deletion may not immediately remove data from backups, logs, billing records, fraud-prevention records, or records that Chatvox is required to keep by law.

Chatvox currently supports lead export, activity export, and individual conversation transcript export. Broader account export, automated post-termination deletion windows, and expanded retention controls are on the product roadmap and should be confirmed with Chatvox before relying on them for a specific compliance requirement.