This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller," "Customer") and DRAGbot ("Processor," "we," "us") for use of the DRAGbot platform.
This DPA applies when you use DRAGbot to process personal data on behalf of your end users or organization.
1. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data (collection, storage, retrieval, etc.) |
| Controller | You; the entity that determines purposes and means of Processing |
| Processor | DRAGbot; we Process data on your behalf |
| Sub-processor | Third parties we engage to assist in Processing |
| Data Subject | The individual whose Personal Data is Processed |
| Supervisory Authority | A public authority responsible for data protection (e.g., ICO, CNIL) |
2. Scope and Roles
2.1 Your Role (Controller)
You determine:
- What data your bots collect
- Why that data is collected (purposes)
- How long data is retained
- Who has access within your organization
2.2 Our Role (Processor)
We:
- Process data only on your documented instructions
- Provide the infrastructure for your bots
- Implement security measures
- Assist with your compliance obligations
2.3 Data Categories
| Data Type | Controller | Processor |
|---|---|---|
| Your account data | You | DRAGbot |
| Documents you upload | You | DRAGbot |
| Bot configurations | You | DRAGbot |
| End user conversations | You | DRAGbot |
| Ghostform submissions | You | Not DRAGbot (data goes to your webhook) |
3. Processing Instructions
3.1 Documented Instructions
We Process Personal Data only in accordance with:
- This DPA
- The Terms of Service
- Your configuration choices in the platform
- Specific written instructions you provide
If we believe an instruction violates applicable data protection law, we will inform you.
3.2 Purpose Limitation
We Process Personal Data only to:
- Provide the DRAGbot service
- Maintain and improve the platform
- Comply with legal obligations
- Respond to your support requests
We do not:
- Use your data for our own purposes
- Sell or rent data
- Use data for advertising
- Train AI models on your data
4. Sub-processors
4.1 Current Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase | Database, auth, storage | United States | Account data, documents |
| Fly.io | Container hosting | United States | Bot configs, conversations |
| Resend | Transactional email | United States | Email addresses |
Your LLM provider (OpenAI, Anthropic, Google, Cohere) processes data based on your API key and configuration. You have a direct relationship with them.
4.2 Sub-processor Changes
Before adding or replacing a sub-processor:
- We will notify you at least 30 days in advance
- You may object based on reasonable data protection concerns
- If we cannot address your objection, you may terminate affected services
Subscribe to sub-processor updates by contacting admin@dragbot.io.
4.3 Sub-processor Obligations
We ensure sub-processors:
- Are bound by written contracts with equivalent protections
- Implement appropriate security measures
- Process data only as necessary for their function
5. Security Measures
5.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections |
| Encryption at rest | AES-256 for databases, AES-256-GCM for API keys |
| Access control | Row-Level Security, authentication required |
| Data isolation | Per-customer database rows, per-deployment containers |
| Integrity verification | SHA-256 hash chains for conversations |
| Secure development | Code review, dependency scanning |
5.2 Organizational Measures
| Measure | Implementation |
|---|---|
| Access limitation | Least-privilege access for staff |
| Confidentiality | Staff bound by confidentiality obligations |
| Training | Staff trained on data protection |
| Incident response | Documented procedures for breaches |
| Vendor management | Security review of sub-processors |
5.3 Ghostform Security
For Ghostform deployments:
- Form values remain in end user's browser
- Only structural markers transmitted to our infrastructure
- Actual data transmitted directly to your webhook via HTTPS
- We architecturally cannot access Ghostform values
6. Data Subject Rights
6.1 Your Obligations
As Controller, you are responsible for:
- Responding to Data Subject requests (access, deletion, etc.)
- Maintaining procedures for handling requests
- Providing privacy notices to Data Subjects
6.2 Our Assistance
We will assist you by:
- Providing export functionality for conversation data
- Deleting data upon your instruction
- Providing information about our Processing activities
- Not directly responding to Data Subject requests (we will refer them to you)
If a Data Subject contacts us directly, we will:
- Direct them to contact you
- Notify you of the request
- Not take action without your instruction (unless legally required)
7. Data Breach Notification
7.1 Our Obligations
If we become aware of a Personal Data breach affecting your data:
| Timeline | Action |
|---|---|
| Within 24 hours | Initial notification to you |
| Within 72 hours | Detailed information (nature, categories, likely consequences) |
| Ongoing | Updates as investigation proceeds |
| Post-incident | Root cause analysis and remediation report |
7.2 Notification Contents
We will provide:
- Description of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
- Contact point for further information
7.3 Your Obligations
You are responsible for:
- Notifying Supervisory Authorities (where required)
- Notifying affected Data Subjects (where required)
- Determining appropriate response measures
8. International Transfers
8.1 Transfer Mechanisms
For transfers of Personal Data outside the EEA/UK:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processors maintain their own transfer mechanisms
- We assess the legal regime of destination countries
8.2 Supplementary Measures
We implement supplementary measures including:
- Encryption in transit and at rest
- Access controls limiting who can access data
- Contractual commitments from sub-processors
8.3 Transparency
Upon request, we will provide:
- Copies of SCCs in place
- Information about sub-processor transfer mechanisms
- Transfer impact assessments (where conducted)
9. Audit Rights
9.1 Audit Information
Upon request, we will provide:
- Documentation of security measures
- Relevant compliance certifications
- Third-party audit reports (under NDA)
- Answers to security questionnaires
9.2 On-Site Audits
You may conduct or commission on-site audits:
- With 30 days' advance notice
- During business hours
- At your expense
- No more than once per year (unless required by a Supervisory Authority or following a breach)
- Subject to reasonable confidentiality protections
9.3 Audit Scope
Audits may cover:
- Processing activities related to your data
- Security measures
- Sub-processor management
- Incident response procedures
Audits may not compromise other customers' confidentiality or our proprietary systems.
10. Data Retention and Deletion
10.1 During the Agreement
We retain your data as long as needed to provide the service:
| Data Type | Retention |
|---|---|
| Account data | Until account deletion |
| Documents | Until you delete them |
| Deployments | Until you destroy them |
| Conversations | Until deployment destruction |
10.2 Upon Termination
When you terminate your account or this DPA:
| Timeline | Action |
|---|---|
| Immediately | Access revoked |
| Within 30 days | Active data deleted |
| Within 60 days | Backups cycled out |
You should export any data you wish to retain before termination.
10.3 Exceptions
We may retain data beyond termination:
- As required by law
- For legitimate backup/disaster recovery (deleted within 60 days)
- In aggregated/anonymized form for analytics
11. Assistance with Compliance
11.1 Data Protection Impact Assessments
If you conduct a DPIA involving DRAGbot, we will provide:
- Information about our Processing activities
- Documentation of security measures
- Details about data flows
11.2 Supervisory Authority Cooperation
We will cooperate with Supervisory Authorities regarding Processing carried out on your behalf, including responding to inquiries and providing information.
11.3 Records of Processing
We maintain records of Processing activities as required by Article 30 GDPR, including:
- Categories of Processing
- Transfers to third countries
- Security measures
- Retention periods
12. Liability
12.1 Allocation
Each party is liable for damages caused by its breach of this DPA or applicable data protection law.
12.2 Limitations
Liability under this DPA is subject to the limitations in the Terms of Service, except where prohibited by applicable law.
13. Term and Termination
13.1 Term
This DPA is effective when you accept the Terms of Service and continues until your account is terminated.
13.2 Survival
The following survive termination:
- Data deletion obligations (Section 10)
- Confidentiality obligations
- Liability provisions
14. Conflict
If there is a conflict between this DPA and the Terms of Service, this DPA prevails regarding data protection matters.
15. Amendments
We may update this DPA to:
- Reflect changes in law
- Address new sub-processors
- Improve our practices
Material changes require 30 days' notice. Continued use after notice constitutes acceptance.
16. Contact
For all inquiries: admin@dragbot.io
Toronto, ON, Canada
Appendix A: Standard Contractual Clauses
For transfers from the EEA/UK, the applicable SCCs are incorporated by reference:
- EU SCCs: Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor)
- UK Addendum: International Data Transfer Addendum to the EU SCCs
The completed SCCs are available upon request.
Appendix B: Technical and Organizational Measures
B.1 Access Control
- Authentication required for all platform access
- Role-based access control (read/write/admin)
- Row-Level Security enforces data isolation
- API keys encrypted with AES-256-GCM
- Session management with secure tokens
B.2 Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest (Supabase)
- Per-deployment container isolation (Fly.io)
- No shared databases between customers
B.3 Availability
- Multi-region deployment capability
- Automated backups (30-day retention)
- Container auto-restart on failure
- Monitoring and alerting
B.4 Integrity
- SHA-256 hash chains for conversation integrity
- Database transaction logging
- Immutable audit trails for deployments
B.5 Incident Response
- 24-hour initial breach notification
- Documented incident response procedures
- Post-incident review and remediation
- Customer notification via email
B.6 Development Security
- Code review requirements
- Dependency vulnerability scanning
- Secure defaults in configuration
- Regular security assessments
Appendix C: Sub-processor Details
| Sub-processor | Legal Entity | Location | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Supabase Inc. | San Francisco, CA, USA | Database, auth, storage | SCCs |
| Fly.io | Fly.io Inc. | Chicago, IL, USA | Container hosting | SCCs |
| Resend | Resend Inc. | San Francisco, CA, USA | Transactional email | SCCs |
Note: Your LLM provider is not our sub-processor. You have a direct Controller relationship with them based on your API key and configuration choices.
This DPA reflects our commitment to protecting your data and supporting your compliance obligations. Questions? Contact admin@dragbot.io.