DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Service Agreement between GETA AI Private Limited ("GETA AI", "Processor") and the customer ("Controller") for the provision of AI chatbot, communication, and marketing services.

ARTICLE 1: DEFINITIONS AND SCOPE

1.1 Definitions
  • Controller: The customer using GETA AI's services
  • Processor: GETA AI Private Limited
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Data Subject: The individual whose personal data is being processed
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • Supervisory Authority: The relevant data protection authority

1.2 Scope

This DPA applies to all personal data processed by GETA AI on behalf of the Controller through:

  • AI Chatbot services
  • Live Chat functionality
  • Email Marketing campaigns
  • SMS Marketing services
  • WhatsApp Marketing
  • Journey Builder automation
  • Contact Data Management
  • Customer Data Platform services

ARTICLE 2: PROCESSING DETAILS

2.1 Subject Matter and Purpose

GETA AI processes personal data to provide customer communication services, automate marketing campaigns, manage customer inquiries, build personalized customer journeys, and analyze engagement metrics.

2.2 Duration of Processing

Processing will occur for the duration of the Service Agreement and may continue for up to 90 days post-termination for data return/deletion purposes.

2.3 Nature of Processing
  • Collection and storage of personal data
  • Automated processing through AI chatbots
  • Communication facilitation via multiple channels
  • Marketing campaign execution
  • Data analysis and reporting
  • Customer journey automation

2.4 Categories of Personal Data
  • Contact information (names, email addresses, phone numbers)
  • Communication content (chat messages, emails, SMS)
  • Behavioral data (website interactions, engagement metrics)
  • Preference data (communication preferences, interests)
  • Technical data (IP addresses, device information, cookies)
  • Transaction data (purchase history, order information)

2.5 Categories of Data Subjects
  • End customers of the Controller
  • Website visitors and users
  • Marketing campaign recipients
  • Chat and support users
  • Prospects and leads

ARTICLE 3: PROCESSOR OBLIGATIONS

3.1 Processing Instructions

GETA AI shall process personal data only on documented written instructions from the Controller, including regarding transfers of personal data to third countries or international organizations.

3.2 Personnel Confidentiality

GETA AI ensures that all personnel authorized to process personal data have committed to confidentiality or are under appropriate statutory obligation of confidentiality.

3.3 Security Measures
  • Encryption of data in transit and at rest
  • Multi-factor authentication for system access
  • Regular security assessments and penetration testing
  • Access controls and role-based permissions
  • Secure backup procedures including AWS S3 and Glacier storage
  • Network security monitoring and intrusion detection
  • Regular software updates and security patches

3.4 Sub-Processor Management

GETA AI shall not engage another processor without prior written authorization from the Controller. Current sub-processors include:

  • Amazon Web Services (cloud infrastructure)
  • WhatsApp Business API providers
  • Email delivery service providers
  • SMS gateway providers

Any changes to sub-processors require 30 days' advance notice to the Controller.

3.5 Data Subject Rights Assistance

GETA AI shall assist the Controller in fulfilling data subject rights requests including:

  • Access requests (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Data portability (Article 20)
  • Objection to processing (Article 21)

Response time: Within 10 business days of receiving a request.

3.6 Data Breach Notification

GETA AI shall notify the Controller without undue delay (within 24 hours) of any personal data breach, providing:

  • Description of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

3.7 Data Protection Impact Assessment

GETA AI shall assist the Controller in carrying out data protection impact assessments when required.

ARTICLE 4: CONTROLLER OBLIGATIONS

4.1 Lawful Basis

The Controller warrants that it has established appropriate lawful bases for processing under Article 6 GDPR.

4.2 Processing Instructions

The Controller shall provide clear, documented instructions for data processing activities.

4.3 Data Subject Rights

The Controller remains responsible for responding to data subject rights requests and maintaining appropriate privacy notices.

ARTICLE 5: SECURITY MEASURES

5.1 Technical Measures
  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Secure API authentication using OAuth 2.0
  • Database encryption and access logging
  • Regular automated backups with encryption

5.2 Organizational Measures
  • Background checks for personnel with data access
  • Regular security training programs
  • Incident response procedures
  • Access control policies and procedures
  • Data retention and disposal policies

ARTICLE 6: AUDIT RIGHTS

6.1 Audit Rights

The Controller has the right to audit GETA AI's compliance with this DPA through:

  • Annual compliance questionnaires
  • Review of security certifications (ISO 27001, SOC 2)
  • On-site inspections with reasonable advance notice

6.2 Audit Support

GETA AI shall provide all information necessary to demonstrate compliance and contribute to audits.

ARTICLE 7: DATA TRANSFERS

7.1 International Transfers

Any transfers of personal data outside the European Economic Area shall be subject to appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses where applicable.

ARTICLE 8: DATA RETURN AND DELETION

8.1 Return and Deletion

Upon termination of services or Controller request, GETA AI shall:

  • Return all personal data to the Controller in a commonly used electronic format
  • Delete all personal data from GETA AI systems within 90 days
  • Provide written certification of data deletion
  • Delete data from all backups and sub-processor systems

Exceptions apply where data retention is required by applicable law.

ARTICLE 9: LIABILITY AND INDEMNIFICATION

  • Each party shall be liable for damages caused by its breach of GDPR obligations.
  • GETA AI shall indemnify the Controller against claims arising from GETA AI's breach of this DPA.

ARTICLE 10: TERM AND TERMINATION

  • This DPA remains in effect for the duration of the Service Agreement.
  • Either party may terminate this DPA with 30 days' written notice for material breach if not remedied within the notice period.

ARTICLE 11: GOVERNING LAW

This DPA shall be governed by Indian law, with any GDPR compliance requirements taking precedence for European data subjects.

ARTICLE 12: AMENDMENTS

This DPA may only be amended in writing, signed by both parties.

CONTROLLER:
Shubham Puranik
Title: Director
Company: GETA AI Private Limited

PROCESSOR:
Lakshya Tyagi
Title: Engineering Manager
Company: GETA AI Private Limited