Data Processing Agreement

Last updated: 2024-04-24

Botpress Data Processing Agreement (DPA)

This DPA is supplemental to, and forms an integral part of, the agreement between the entity of the Botpress group identified in the Terms of Service and the Customer. This DPA is in force upon its incorporation into such agreement by reference.

1. Definitions

1.a  Capitalized terms not defined herein have the meaning ascribed to them in the Agreement.

1.b  In this DPA:

(a) “Agreement” has the meaning ascribed to such term in the Terms of Service.

(b) “Botpress Group” means Botpress and any affiliates thereof.

(c) “California Personal Information” means Personal Data that is subject to the protection of the CCPA.

(d) “Canadian Data Protection Laws” means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as may be amended, superseded or replaced.

(e) “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

(f) “Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given to them in the CCPA.

(g) “Controller” means any Person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

(h) “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to a party to this DPA, including without limitation European Data Protection Laws, Canadian Data Protection Laws and the CCPA, in each case as amended, repealed, consolidated or replaced from time to time.

(i) “Data Subject” means the individual to whom Personal Data relates.

(j) “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

(k) “European Data Protection Laws” means data protection laws applicable in Europe, as may be amended, superseded or replaced.

(l) “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

(m) “Permitted Affiliates” means any Customer Affiliates that (i) are permitted to use the Software Services pursuant to the Agreement, (ii) qualify as a Controller of Personal Data Processed by Botpress, and (iii) are subject to European Data Protection Laws.

(n) “Person” is to be interpreted broadly and includes any individual, corporation, limited liability company, limited partnership, company, association, partnership, trust or estate, joint venture, governmental entity or political subdivision thereof, or any other entity.

(o) “Personal Data” means any information relating to an identified or identifiable individual.

(p) “Processing” or “Process” means any operation or set of operations which is performed by a Processor upon Personal Data, whether or not by automatic means.

(q) “Processor” means a Person which Processes Personal Data on behalf of a Controller.

(r) “Regulator” means, as applicable, any Person or law enforcement or other agency having regulatory, supervisory or governmental authority (whether under a statutory scheme or otherwise) over all or any part of the Processing of Personal Data in connection with the provision or receipt of the Services, including, without limitation, the European data protection supervisory authorities.

(s) “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Botpress and/or Sub-Processors in connection with the provision of the Services, not including events that do not compromise the security of Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(t) “Services” means the Software Services or Professional Services provided by any entity of the Botpress Group to the Customer or to its Affiliates.

(u) “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced.

(v) “Sub-Processor” means any Processor engaged by Botpress or Botpress Affiliates to assist in fulfilling Botpress’ obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Botpress Affiliates but will not include individuals employed or engaged by Botpress.

(w) “Third-Country” means a jurisdiction or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data; and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.

(x) “Usage Data” means data pertaining to the Authorized Users’ Use of the Software, which may contain Personal Data where identifying individual users is necessary but excluding any Conversation Data. Usage Data may include Personal Data about the employees and contractors of the Customer but not about end-users interacting with Customer Bots.

2. Role of the parties

2.a  In Processing Conversation Data through the Services, the parties acknowledge and agree that the Customer acts as the Controller and that Botpress acts as a Processor.

2.b  If Customer acts as a Processor on behalf of a Controller, Botpress shall be deemed a sub-processor of Customer.

2.c  Botpress shall be a Controller with respect to Usage Data.

3. Compliance with Data Protection Laws

3.a  Each party shall carry out any processing of Personal Data in compliance with all applicable Data Protection Laws.

3.b  Botpress is not responsible for compliance with any Data Protection Laws applicable to the Customer or to the Customer’s industry that are not generally applicable to Botpress.

3.c  If Botpress becomes aware that it cannot Process Personal Data in accordance with Customer’s instructions due to a legal requirement under any applicable law, Botpress will (i) promptly notify the Customer of that legal requirement to the extent permitted by applicable law; and (ii) where necessary, stop all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new instructions in compliance with applicable law. If this provision is invoked, Botpress will not be liable to Customer under the Agreement for any failure to perform the applicable Software Services or Professional Services until such time as Botpress reasonably determines that Customer’s instructions are lawful.

4. Botpress Obligations

4.a  Botpress will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of lawful instructions received from the Customer, except where and to the extent otherwise required by applicable law.

4.b  Botpress shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Security Breaches, including as described under Schedule 2 to this DPA (“Security Measures”). Botpress may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

4.c  Botpress shall treat Personal Data as Customer’s confidential information and will ensure that any of its employees or contractors authorized to access or Process Personal Data is subject to appropriate confidentiality obligations (whether contractual or statutory) with respect to that Personal Data.

4.d  Botpress will delete or return all Personal Data Processed pursuant to this DPA, on termination or expiration of the Agreement. Botpress may retain copies of Personal Data where required by applicable law, or where Personal Data has been archived on back-up systems, which data will be securely isolated and protected from any further Processing and deleted in accordance with applicable deletion practices.

5. Customer’s Obligations

5.a  The Customer is responsible for ensuring that its use of the Software Services or the Software is in accordance with all applicable Data Protection Laws, including by ensuring that (i) it is authorized to appoint Botpress to Process Personal Data on its behalf in accordance with this DPA, (ii) it has the right to transfer, or provide access to, the Personal Data to Botpress for Processing in accordance with the terms of the Agreement (including this DPA), and (iii) Customer’s instructions with respect to the Processing of Personal Data comply with applicable laws, including Data Protection Laws.

5.b  Customer shall promptly notify Botpress in writing if it has reason to believe or if it has been notified that the Processing of Personal Data effected by Customer through the Services is or may be in violation of applicable law, including Data Protection Laws.

5.c  Customer is responsible for determining whether the security measures implemented by Botpress adequately meet Customer’s obligations under applicable Data Protection Laws. Customer is also responsible for ensuring that its access to the Software Services is secured and reserved to authorized personnel.

6. Security Breach

6.a  Botpress will promptly notify Customer if it becomes aware of any Security Breach and will provide timely information relating to such Security Breach as it becomes known or as reasonably requested by Customer.

6.b  Upon request, Botpress will promptly provide reasonable assistance to Customer as necessary to allow Customer to notify a Security Breach to Regulators and/or affected Data Subjects, if such notification is required under Data Protection Laws.

7. Sub-Processors

7.a  Botpress may engage Sub-Processors to Process Personal Data. Current Sub-Processors are listed at Schedule 3; any change to Sub-Processors will be notified to Customer.

7.b  Botpress selects Sub-Processors who offer data protection undertakings that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Botpress remains responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor causing a breach of any of Botpress’ obligations under this DPA.

7.c  If Botpress Processes European Data on behalf of Customer, Customer may object to a new Sub-Processor on reasonable grounds relating to data protection. If notified of such an objection, Botpress agrees to discuss the matter in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, Botpress may either elect to forgo the appointment of the new Sub-Processor, or allow the Customer to terminate its subscription to the portion of the Software Services relying on such new Sub-Processor without liability to either party (but without prejudice to any fees incurred prior to termination).

7.d  If required by law or under the Standard Contractual Clauses, Botpress will make reasonable efforts to make available to Customer required information about Botpress’ agreements with Sub-Processors. Customer agrees that some information may be redacted from such agreements or provided on a confidential basis.

8. Transfer of Personal Data

8.a  The processing of Personal Data other than European Data by Botpress Group entities will take place in any jurisdiction where such processing is permitted by the applicable laws of the Privacy Jurisdiction.

8.b  The processing of European Data shall take place exclusively:

a) within Europe;

b) in a jurisdiction that provides an adequate level of protection under a decision of the European Commission based on applicable Data Protection Laws;

c) in any jurisdiction, by an organization or entity offering appropriate safeguards, including through the Standard Contractual Clauses;

d) in any jurisdiction, with the written consent of the Customer or the concerned Data Subject.

8.c  When Processing of European Data takes place in a Third-Country, the parties shall be deemed to have entered into the Standard Contractual Clauses only with respect to the relevant Personal Data and the relevant Processing. The parties agree that for the purposes of the Standard Contractual Clauses:

a) If the Customer is a Controller and Botpress is a Processor, Module 2 (Controller to Processor) will apply.

b) If the Customer is a Processor and Botpress is a sub-processor, Module 3 (Processor to Processor) will apply.

c) With respect to Usage Data, Module 1 (Controller to Controller) will apply.

d) in Clause 7 of the Standard Contractual Clauses, the optional docking clause will not apply;

e) in Clause 9 of the Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be 10 days;

f) in Clause 11 of the Standard Contractual Clauses, the optional language will not apply;

g) in Clause 17 (Option 1), the Standard Contractual Clauses will be governed by Irish law;

h) in Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

i) Botpress will be the “data importer” and Customer will be the “data exporter” (on behalf of itself and Permitted Affiliates);

j) the relevant information set out in Schedule 1 and Schedule 2 of this DPA shall be deemed to be included in the Annexes of the Standard Contractual Clauses;

k) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

8.d  Switzerland and United Kingdom Transfers. To the extent that a transfer of Personal Data between Customer and Botpress and/or a Sub-Processor is subject to the Data Protection Laws of Switzerland or the United Kingdom, the Standard Contractual Clauses shall be deemed to be amended to reflect the requirements of the applicable Swiss and UK Data Protection Laws, including references to legislation, applicable law and competent authorities and courts.

9. CCPA Processing

9.a  When processing California Personal Information in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and Botpress is a Service Provider for the purposes of the CCPA. The parties agree that Botpress will Process California Personal Information as a Service Provider strictly for the purpose of performing the Software Services and Professional Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA.

10. Third-Party Requests

10.a  Customer shall be responsible for addressing any request from a Data Subject or Regulator with respect to Personal Data, and Customer shall use the Software Services features available to retrieve relevant information about Personal Data processing.

10.b  If Customer is unable to independently address a request from a Data Subject or Regulator (“Request”), Botpress will provide reasonable assistance to Customer in order to respond to any such Request relating to the Processing of Personal Data under the Agreement. Except where and to the extent that a Request is based on the failure of Botpress to respect its obligations under this DPA, Customer shall reimburse Botpress for its reasonable expenses in providing any assistance to Customer.

10.c  If a Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Botpress, Botpress will promptly inform Customer and will advise the Data Subject or Regulator to submit their Request directly to Customer. Customer will be solely responsible for responding substantively to any such Requests or communications involving Personal Data.

11. Audit relating to personal data

11.a  Upon request and reasonable notice to Botpress, the Customer is authorized, at its own expense, to carry out the necessary verifications to ensure that the Personal Data processed by Botpress on the Customer’s behalf is processed in accordance with the Customer’s instructions. At the Customer’s request, Botpress shall allow for the audit and inspection of the processing carried out by Botpress. Such an audit may be conducted by the Customer and/or a third party (selected by the Customer and reasonably accepted by Botpress) acting on the Customer’s behalf. The Customer shall take all necessary measures to avoid causing any damage or disruption to the premises, equipment, personnel and business of Botpress Group entities.

11.b  The Customer and Botpress shall agree in advance on the nature, scope and duration of any audit by the Customer, and the Customer shall reimburse Botpress for all reasonable costs associated with such an audit, which may be estimated at the Customer’s request prior to the start of the audit. To the extent possible, any Customer audit requirements shall be fulfilled through third-party audit reports provided by Botpress, if the same is available.

11.c  If Botpress Processes European Data on behalf of Customer, Botpress will provide Customer, upon reasonable request and on a confidential basis, (i) a summary copy of its security testing report(s) and (ii) written responses to all reasonable requests for information made by Customer necessary to confirm Botpress’ compliance with this DPA, provided that Customer shall not exercise such right more than once per calendar year unless Customer can show reasonable grounds to suspect Botpress’ non-compliance with the DPA.

12. Limitation of Liability

12.a  Botpress’ and its Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be limited to the aggregate amount of the Fees paid by Customer to Botpress in consideration for the Services during the 12-month period preceding the occurrence giving rise to liability.

13. Jurisdiction

Unless required otherwise by applicable Data Protection Laws, this DPA shall be governed and construed in accordance with the laws applicable to the Agreement and any dispute regarding this Agreement shall be resolved by the competent courts of the jurisdiction indicated in the Proposal.

To the extent Data Protection Laws require that this DPA be governed by the laws of a member state of the European Union, this DPA shall be governed by the laws of Ireland and disputes regarding this Agreement shall be resolved by the Irish courts.

14. General

14.a  Precedence. In the event of any inconsistency between any of the provisions of this DPA and any other provision of the Agreement, the provisions of the DPA shall always take precedence, unless and to the extent that it is expressly stipulated that another provision of the Agreement shall take precedence or that a provision of this DPA shall be set aside or modified.

14.b  Amendments. Botpress may amend this DPA to reflect changes in its data processing practices. Any amendment other than changes to clarify language (which will be routinely communicated to the Customer) will be submitted to the Customer and will not apply unless accepted by Customer. If a modification of this DPA is required by applicable law, Customer will have the option of accepting such modification or terminating its subscription to the Software Services.

14.c  Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

Schedule 1 – Details of Processing

Identification of Controller

The Customer

Contact Person: the person identified in the Proposal accepted by Customer.

Identification of Processor

If Customer is located in Canada: Technologies Botpress Inc.

If Customer is located elsewhere: Botpress, Inc.

Contact Person:

Jean-Bernard Perrron

[email protected]

Categories of Data Subjects

Customer may submit Personal Data in the course of using the Software Service, the extent of which is determined and controlled by Customer in its sole discretion, subject to applicable terms of service, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Individuals using the Software on behalf of Customer
  • End-Users of Customer Bots

Categories of Personal Data

Customer may submit Personal Data to the Software Services and may allow End-Users to submit Personal Data to the Software Services, the extent of which is determined and controlled by the Customer in its sole discretion, subject to applicable terms of service.

The Software Service is not designed for the purpose of Processing sensitive data; the Customer is responsible for determining the suitability of the Software Services to Process sensitive data.

Botpress will process contact information about Authorized Users (name, email, phone) and usage and behavioral data about product usage for technical support and statistical purposes.

Nature of Processing

  • Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer;
  • Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws;
  • Botpress will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.
  • Botpress Processes Usage Data to provide technical support and for statistical purposes (for product improvement and development).

Period for which Personal Data will be retained

Subject to Botpress’ obligation under the Agreement to delete or return data to Customer, Botpress will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Schedule 2 – Security Measures

1. Governance

Botpress implements appropriate policies and procedures regarding Personal Data, including:

  • Information Security Procedures;
  • Policies on the use of Personal Data;
  • Security and Privacy Incident Reporting Procedure;
  • Risk Assessment Mechanisms;
  • Internal Audit Procedures;
  • Contractual Measures.

2. User Access

  • The functions and responsibilities of Botpress users and user profiles with access to Personal Data and information systems are clearly defined.
  • Botpress adopts measures to inform its users of the security rules that affect the performance of their duties and the consequences if they violate these rules.
  • Clear text protocols are not used to access or transfer Personal Data. Only the SSL protocol is accepted for these operations.
  • Botpress ensures the security of processes and procedures for the handling or disposal of physical media or equipment that may contain Personal Data.
  • Personal Data is physically separated, or logically separated if it is on a database or virtual environment, from other Botpress data. If Personal Data is not physically separated from other data, systems or applications not related to the Customer, Botpress employs appropriate security controls, including access controls.

3. Access control

Botpress maintains the servers, relevant databases, and other hardware and/or software components that store Personal Data in a secure data center with access controlled and monitored to admit only authorized personnel.

Botpress employs effective logical access control measures on all systems used to create, transmit, or process Personal Data, such measures including, but not limited to:

  • Authentication of the user, who must use unique identifiers ("user IDs") and names.
  • A sufficiently complex and robust password strategy.
  • User access rights/privileges to information resources containing Personal Data must be granted on a need-to-know basis related to the user's duties and responsibilities.
  • Users' access to computer systems permitting access to Personal Data shall be deleted immediately upon the user's departure or if the user changes jobs and the new job does not require access.
  • Default passwords and security settings must be changed in the third-party products/applications used to support Personal Data.
  • Third party service providers shall be subject to equivalent security requirements and obligations as Botpress's authorized users when processing Personal Data.
  • Annual revalidation of the justification of user accounts and associated authorizations with access to personal information.

4. Network security architecture

Botpress employs effective network access control measures on all systems used to create, transmit, or process Personal Data, such measures including, but not limited to:

  • Firewalls are operational at all times and are installed at the network perimeter between the internal (private) network of Botpress and the public network (Internet).
  • Properly configured and monitored intrusion detection and prevention systems are used on the Botpress network.
  • Only those services/processes and ports necessary to perform routine programs are enabled on the database and other information systems used for processing Personal Data. All other services/processes on the host are disabled.
  • All information systems, repositories and other systems used to process Personal Data must be physically located in a controlled data center environment and used for the purpose of protecting information systems.
  • Secure channels (e.g., TLS, SFTP, SSH, IPSEC, etc.) must be used consistently for communications to the Botpress data center.

5. Vulnerability Management Controls

Botpress employs effective vulnerability management controls on all systems used to create, transmit, or process Personal Data, such measures including but not limited to:

  • Deployment of network prevention and detection devices to help filter phishing emails and malware before they reach workstations managed by Botpress and having direct or indirect access to Personal Data.
  • Deployment of anti-virus and anti-malware prevention and detection software on all workstations managed by Botpress and processing Personal Data.
  • Maintain a standard patch management process and practice to ensure the protection of all devices used to access, process or store Personal Data.
  • Devices and documents containing Personal Data must allow identification of the information accessed, be inventoried and accessible only to users who are authorized to access the data in accordance with the security document.
  • Measures to prevent theft, loss or unauthorized access to Personal Data during transmission and transfer operations.

6. Data backup, recovery and availability

Botpress implements the following disaster recovery and business continuity plans to minimize downtime and data loss.

  • Botpress implements disaster recovery functions designed to restore the functionality of the system containing Personal Data within a period of time agreed upon by the parties or, failing that, within a reasonable period of time given the nature of the Personal Data.
  • Botpress shall systematically ensure that Personal Data is inaccessible other than by authorized Botpress personnel (e.g. external back-ups shall systematically be encrypted).
  • To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high-probability environmental risks and supplemented by redundant equipment located a reasonable distance away.
  • Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).
  • Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups shall be implemented at planned intervals.

7. Security audit

Botpress employs controls on all systems used to create, transmit, or process Personal Data, such controls including, but not limited to:

  • Third party vulnerability scans or audits of externally facing (public) infrastructure devices containing Personal Data.
  • Third party penetration testing of Botpress systems that store and process Personal Data.
  • Periodic third-party evaluation where applications or processes support financial information.
  • Botpress undertakes to deal with all vulnerabilities identified as a result of penetration tests and to notify the Customer of the remediation actions.

8. Training and awareness

Botpress implements a security awareness program for its employees and service providers who interact with the systems handling Personal Data, including:

  • Botpress shall ensure that its staff has an understanding of information risk management threats and concerns relating to the Botpress Services and of relevant information risk management policies.
  • Botpress staff shall receive training and regular updates on relevant information risk management policies and procedures, the standard risk management classification scheme and the appropriate procedures.
  • Sub-contractor staff shall be made aware of Botpress's information risk management classification scheme and appropriate procedures.
  • Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

Schedule 3 – Sub-Processors

Unless otherwise indicated, the location of processing is: USA.

Amazon Web Services

  • AWS hosts our cloud services and all Customer Data.
  • AWS processes analytics information about usage of the Botpress cloud services.

Google Analytics

  • Google Analytics processes analytics information about usage of Botpress cloud services.

Freshdesk

  • Freshdesk provides help desk services.
  • Freshdesk processes all data provided by users for technical support purposes.

Hotjar

  • Hotjar services are used on the service.
  • Hotjar provides information about the behaviour of service visitors.

OpenAI

  • OpenAI is used to process user text inputs to generate text responses.

Mixpanel

  • Mixpanel is used to collect product and Website usage analytics, which is used to improve the service.

Intercom

  • Intercom is used to provide live support to visitors of the service and the Website.