Data Processing Addendum
Last updated: April 1, 2026
1. Scope and Applicability
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Greetler ("Processor," "we") and the subscribing law firm ("Controller," "you," "Firm") and applies to the extent that Greetler processes Personal Data on behalf of the Controller in the course of providing the Service.
This DPA is intended to ensure compliance with Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates (primarily website visitors who interact with the chat widget).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Details of Processing
| Detail | Description |
|---|---|
| Subject Matter | Provision of AI-powered chat concierge and lead capture service |
| Duration | For the duration of the Terms of Service, plus 30 days for data deletion |
| Nature and Purpose | Processing chat messages to generate AI responses, capturing and storing lead contact information, producing analytics |
| Categories of Data Subjects | Website visitors who interact with the chat widget on the Controller's website |
| Types of Personal Data | Chat message content, names, email addresses, phone numbers (when voluntarily provided), session identifiers, page URLs |
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf
- Provide appropriate notice to Data Subjects regarding the processing (the widget includes a visible privacy disclaimer; the Controller must not remove or obscure it)
- Comply with all applicable data protection laws in its role as Controller
- Respond to Data Subject rights requests, with assistance from the Processor as described in Section 8
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (as set forth in the Terms of Service and portal configuration), unless required to do so by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 6)
- Not engage additional Sub-processors without prior notice to the Controller (see Section 7)
- Assist the Controller in responding to Data Subject rights requests (see Section 8)
- Assist the Controller in ensuring compliance with data breach notification obligations (see Section 9)
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice, within 30 days
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 10)
6. Security Measures
The Processor implements the following technical and organizational measures:
- TLS encryption for all data in transit
- Encrypted storage at rest (database and backups)
- JWT-based authentication with short-lived access tokens (15 minutes)
- Secure httpOnly cookies for refresh tokens
- Per-firm data isolation in all database queries (tenant isolation)
- Rate limiting and abuse detection at application level
- Regular security updates and dependency monitoring
- Access logging and monitoring
7. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| OpenAI, Inc. | USA | AI response generation | Chat messages, firm website content |
| Paddle.com Market Ltd | UK | Payment processing | Firm billing data (no visitor data) |
| The Constant Company (Vultr) | USA | Cloud hosting | All data (encrypted at rest) |
| Zoho Corporation | EU | Email delivery | Lead notification emails (visitor name, email) |
The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object to a new Sub-processor within 14 days; if the objection cannot be resolved, the Controller may terminate the Service.
The Processor shall impose data protection obligations on each Sub-processor no less protective than those in this DPA.
8. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling Data Subject requests to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, objection).
If the Processor receives a request directly from a Data Subject, it shall promptly forward the request to the Controller and shall not respond directly unless instructed to do so by the Controller.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects affected
- The name and contact details of the Processor's contact point
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach
10. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of any audit.
11. International Transfers
To the extent that the processing involves the transfer of Personal Data from the EU/EEA or UK to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfers shall be subject to the EU Standard Contractual Clauses (SCCs) for transfers from controllers to processors (Commission Implementing Decision (EU) 2021/914, Module Two), which are hereby incorporated by reference.
For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference.
12. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Upon termination of the Service, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days, and delete existing copies unless applicable law requires storage.
13. Governing Law
This DPA shall be governed by the laws that govern the Terms of Service. For matters specifically related to GDPR compliance, the DPA shall be interpreted in accordance with GDPR regardless of the governing law of the Terms.
14. Contact
For questions about this DPA or data processing matters:
Email: privacy@greetler.com