Data Processing Addendum

Last updated: April 17, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer,” “Controller”) and Chatalott, operated by 2783910 Ontario Ltd. (“Chatalott,” “Processor”), when Chatalott processes Personal Data on behalf of Customer in the course of providing the Services under our Terms of Service.

1. Definitions

Terms used but not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, and the California Consumer Privacy Act where applicable. “Personal Data” means any information Customer uploads to or causes to be processed by the Services that identifies a natural person.

2. Roles of the parties

Customer is the Controller (or Processor on behalf of its own Controller) of the Personal Data. Chatalott acts as a Processor and will only process Personal Data on documented instructions from Customer, including the instructions contained in the Terms of Service and this DPA.

3. Categories of data and data subjects

Data subjects: Customer's end users, contacts imported into the Client Vault, team members Customer invites, recipients of email or scheduled posts Customer creates through the Services.

Categories of Personal Data: name, email address, phone number, postal address, profile photo, social-media handles, meeting notes, deal stages, follow-up history, and any additional fields Customer chooses to store.

Duration: for the term of the subscription plus a 60-day grace period, after which data is permanently deleted unless Customer requests earlier deletion.

4. Processor obligations

Chatalott will:

  • Process Personal Data only on Customer's documented instructions.
  • Ensure personnel authorized to access Personal Data are bound by confidentiality obligations.
  • Implement the technical and organizational measures described in Annex 2.
  • Engage subprocessors only in accordance with Section 5.
  • Assist Customer with responding to data-subject requests (access, correction, erasure, portability, objection) within the time limits required by applicable law.
  • Notify Customer without undue delay — and in any event within 72 hours — of becoming aware of a Personal Data Breach affecting Customer's data.
  • On termination, delete or return all Personal Data at Customer's choice, except where retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer, subject to the procedures in Section 8.

5. Subprocessors

Customer consents to Chatalott's use of the Subprocessors listed on our Subprocessors page. Chatalott will maintain an up-to-date list there and will notify Customer at least 30 days before engaging a new Subprocessor. Customer may object in writing to privacy@chatalott.com on reasonable grounds; if the objection cannot be resolved, Customer may terminate the affected Services with a pro-rata refund.

Chatalott remains fully liable to Customer for the performance of its Subprocessors' obligations under this DPA.

6. International transfers

Chatalott is based in Canada, which is recognized by the European Commission as providing an adequate level of data protection (Commission Implementing Decision (EU) 2023/1795). For any transfer to a jurisdiction that is not covered by an adequacy decision, Chatalott and its Subprocessors will rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum to the SCCs.

7. Security measures (Annex 2 summary)

Chatalott implements, at minimum:

  • TLS 1.2+ encryption in transit for all external and internal service-to-service traffic.
  • Encryption at rest for the primary database, object storage, and backups.
  • Bcrypt password hashing (cost factor 10), rate-limited auth endpoints, optional TOTP two-factor authentication.
  • Role-based access control for staff; privileged access requires justification and is logged.
  • Application-layer isolation by tenant; SQL queries parameterized to prevent injection.
  • Automatic daily backups with point-in-time recovery for seven days.
  • Vendor due-diligence on every Subprocessor before first use and annually thereafter.
  • Incident-response runbook, on-call rotation, and post-incident review with customer notification.
  • A published Security page and vulnerability-disclosure policy.

8. Audits

Once per calendar year, with at least 30 days' written notice, Customer may request an audit of Chatalott's compliance with this DPA. The audit must be conducted during business hours, in a manner that does not interfere with operations, and at Customer's expense. Chatalott may satisfy audit requests by providing third-party attestations (e.g. SOC 2 reports of Subprocessors) where available.

9. Liability and precedence

The liability provisions in the Terms of Service apply to this DPA. In case of conflict between this DPA and the Terms, this DPA controls for matters of data protection.

10. Signing and effectiveness

For customers on Pro or Premium plans, this DPA automatically takes effect alongside the Terms of Service upon subscription. Enterprise customers needing a counter-signed PDF copy should email privacy@chatalott.com.

Questions?

Email us at support@chatalott.com.