Téléchargez notre brochure pour découvrir comment Retalk peut réduire jusqu'à 80% des demandes de support entrantes.
Retalk.bot logo

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) between you (“Customer”) and Mailhub SA (Retalk.bot), 30, route de Mondorf, L-5552 Luxembourg (“Company”). By using Retalk.bot, you agree to this DPA. This DPA is effective as of your acceptance of the Agreement.

1. Definitions

  • Affiliate: Any entity controlling, controlled by, or under common control with a party, as long as such control exists.
  • Authorized Sub-Processor: A third party who needs access to Customer’s Personal Data to help Company provide the Services, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 4.2.
  • Company Account Data: Personal data relating to Company’s relationship with Customer (e.g., account contacts, billing info).
  • Company Usage Data: Service usage data collected by Company to provide, optimize, and secure the Services.
  • Data Exporter: Customer.
  • Data Importer: Company (Mailhub SA).
  • Data Protection Laws: All applicable data protection laws, including GDPR, UK GDPR, CCPA, Swiss FADP, and others as updated.
  • Personal Data, Processing, Controller, Processor, etc.: As defined in the GDPR.
  • Standard Contractual Clauses (SCCs): The EU and UK SCCs for international data transfers.

2. Relationship of the Parties; Processing of Data

  • Customer acts as controller or processor; Company acts as processor (except for Company Account/Usage Data, see Section 9).
  • Customer is responsible for the lawfulness, quality, and accuracy of Personal Data provided to Company and for its processing instructions.
  • Company will only process Personal Data as needed to provide the Services, as described in the Agreement, this DPA, and Customer’s instructions, unless required by law.
  • After termination, Company will delete or return Personal Data unless required by law to retain it.

3. Confidentiality

  • Company ensures that anyone authorized to process Personal Data is bound by confidentiality.
  • Company may disclose Personal Data to advisors, auditors, or third parties as needed to perform its obligations.

4. Sub-Processors

  • Company may engage sub-processors to help provide the Services. Customer gives general authorization for this.
  • The current list of sub-processors is available at: retalk.bot/legal/subprocessors
  • Company will notify Customer of new sub-processors. Customer may object in writing within 10 days for data protection reasons. If no reasonable alternative is found, Customer may discontinue the affected Service.
  • Company ensures sub-processors are bound by data protection obligations at least as strict as this DPA.

5. Security of Personal Data

  • Company maintains appropriate technical and organizational measures to protect Personal Data (see Exhibit C).

6. International Data Transfers

  • Company may transfer Personal Data outside the EEA/UK/Switzerland as needed to provide the Services, using SCCs or other legal mechanisms.
  • Details of transfers and safeguards are in Exhibit B and C.

7. Data Subject Rights

  • Company will notify Customer of any data subject requests (access, rectification, erasure, etc.) and will assist Customer in responding, where possible.
  • Customer is responsible for handling data subject requests related to its data.

8. Audits and Cooperation

  • Company will provide information and assistance for Customer to demonstrate compliance with Data Protection Laws, including audits (subject to reasonable notice and confidentiality).
  • Company will notify Customer if an instruction appears to violate Data Protection Laws.
  • In case of a Personal Data Breach, Company will notify Customer without undue delay and assist as required by law.

9. Company as Controller

  • For Company Account Data and Company Usage Data, Company acts as an independent controller (for business operations, compliance, security, etc.).
  • Processing is in accordance with the Retalk.bot Privacy Policy.

10. Conflict

  • In case of conflict, the following order applies: (1) SCCs, (2) this DPA, (3) Agreement, (4) Privacy Policy.

Exhibit A: Details of Processing

  • Nature and Purpose: To provide, secure, and improve the Services as described in the Agreement and this DPA.
  • Duration: As long as needed to provide the Services, for legitimate business needs, or as required by law.
  • Categories of Data Subjects: Customer’s employees, contractors, agents, and end users.
  • Categories of Personal Data: Name, email, job title, username, device identifiers, IP address, usage data, and any data provided by Customer or its users.
  • Sensitive Data: Customers must not provide special categories of data (e.g., health, criminal history).

Exhibit B: Sub-Processors and Transfers

  • List of Sub-Processors: retalk.bot/legal/subprocessors
  • Transfers: As needed to provide the Services, as described above.
  • Supervisory Authority: The authority of the Customer’s location (e.g., CNPD Luxembourg).

Exhibit C: Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication (MFA, SSO)
  • Regular backups and testing
  • Secure infrastructure (Vercel, Supabase, etc.)
  • Monitoring and logging
  • Data minimization and deletion on request
  • Confidentiality agreements with staff and sub-processors
  • Incident response procedures

Exhibit D: UK Addendum (if applicable)

  • For UK data transfers, the UK Addendum to the SCCs applies, governed by the laws of England and Wales.

For questions, contact help@retalk.bot.