Note: The Portuguese version is the legally binding version.

Data Processing Agreement (DPA)

Last updated: April 5, 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Controller — The customer organization that contracts ChatSense's services and that determines the purposes and means of processing personal data of its end customers.
  • Processor — Omega Capital Holding Gestão e Participações Empresariais Ltda ("ChatSense," "we," "our"), which processes personal data on behalf of and under the instructions of the Controller.

Scope: This DPA applies to all personal data of the Controller's end customers that is processed through the ChatSense platform, supplementing the Terms of Service and Privacy Policy. In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to the processing of personal data.

2. Definitions

For the purposes of this DPA, the terms below shall have the following meanings, aligned with the LGPD (Law No. 13,709/2018) and the GDPR (EU Regulation 2016/679):

  • Personal Data — Any information relating to an identified or identifiable natural person (LGPD art. 5, I; GDPR art. 4(1)).
  • Processing — Any operation performed on personal data, including collection, receipt, storage, modification, communication, transfer, dissemination, extraction, and deletion (LGPD art. 5, X; GDPR art. 4(2)).
  • Controller — A natural or legal person to whom decisions regarding the processing of personal data pertain (LGPD art. 5, VI; GDPR art. 4(7)).
  • Processor — A natural or legal person that processes personal data on behalf of the controller (LGPD art. 5, VII; GDPR art. 4(8)).
  • Sub-processor — A third party engaged by the Processor to carry out specific personal data processing activities on behalf of the Controller.
  • Personal Data Breach — A security incident that results in unauthorized access, destruction, loss, alteration, or disclosure of personal data (LGPD art. 46; GDPR art. 4(12)).
  • ANPD — Autoridade Nacional de Proteção de Dados (National Data Protection Authority), the body responsible for overseeing personal data protection in Brazil (LGPD art. 55-A).
  • Supervisory Authority — An independent public authority responsible for supervising the application of data protection legislation in its jurisdiction (GDPR art. 4(21)).

3. Subject Matter and Duration

Subject Matter: This DPA establishes the terms and conditions under which the Processor (ChatSense) shall process personal data on behalf of the Controller (customer organization), exclusively for the purpose of providing the services of the ChatSense multichannel customer service platform.

Duration: This DPA shall remain in effect for the entire duration of the main agreement (Terms of Service) between the Controller and the Processor, and shall extend until all personal data has been returned or deleted in accordance with the provisions of this agreement.

4. Nature and Purpose of Processing

The Processor shall process personal data exclusively for the following purposes:

  • Receipt, storage, and transmission of multichannel messages — Processing of communications received and sent via WhatsApp, Instagram DM, Facebook Messenger, Telegram, Email, and Live Chat.
  • Artificial Intelligence processing — Use of language models (LLM) for automated response generation, response suggestions, summarization, and conversation classification, as described in the Artificial Intelligence Policy.
  • Media storage — Secure storage of media files (images, audio, video, documents) sent or received during interactions.
  • Sentiment analysis — Automated classification of sentiment expressed by end customers during interactions.
  • Aggregated report generation — Production of analytical and statistical reports on volume, performance, and quality of service, using anonymized or aggregated data when possible.

5. Types of Personal Data Processed

The following types of personal data may be processed by the Processor in the context of service provision:

  • Identification data — Name, telephone number, email address.
  • Communication content — Text messages sent and received across all supported channels.
  • Media files — Images, audio recordings, videos, and documents shared during interactions.
  • Location data — Location information voluntarily shared by end customers (for example, via WhatsApp).
  • Technical metadata — IP address, browser user-agent, interaction timestamps, session identifiers.
  • CRM data — Company, title/role, document (CPF/CNPJ), website, date of birth, and other contact enrichment fields.

6. Categories of Data Subjects

The personal data processed pertains to the following categories of data subjects:

  • End customers and contacts — Individuals who interact with contracting organizations (Controllers) through customer service channels integrated with the ChatSense platform.
  • Chat widget visitors — Users who access and interact with live chat widgets embedded on the websites of contracting organizations.
  • Campaign recipients — Individuals who receive campaign communications sent by contracting organizations through the platform.

7. Obligations of the Processor (ChatSense)

The Processor undertakes to:

7.1 Documented Instructions

Process personal data exclusively based on documented instructions from the Controller, including instructions contained in this DPA, the Terms of Service, and any additional written instructions. Should the Processor consider that an instruction from the Controller violates applicable data protection legislation, the Processor shall inform the Controller immediately.

7.2 Confidentiality

Ensure that all persons authorized to process personal data have committed to confidentiality obligations, whether through non-disclosure agreements (NDAs), contractual clauses, or equivalent legal obligations.

7.3 Technical and Organizational Measures

Implement and maintain appropriate technical and organizational measures to ensure a level of security commensurate with the risk of processing, pursuant to art. 46 of the LGPD and art. 32 of the GDPR. The implemented measures are detailed in the Annex: Technical and Organizational Measures (TOMs) of this DPA (Section 13).

7.4 Breach Notification

Notify the Controller of any personal data breach within a maximum of 72 (seventy-two) hours after becoming aware of the incident, in compliance with art. 48 of the LGPD and art. 33 of the GDPR. The notification shall contain the information detailed in Section 11 of this DPA.

7.5 Data Subject Rights

Assist the Controller, through appropriate technical and organizational means, in fulfilling its obligation to respond to requests for the exercise of data subject rights, including access, rectification, deletion, portability, and objection to processing.

7.6 Data Protection Impact Assessment (DPIA)

Assist the Controller in conducting Data Protection Impact Assessments (DPIAs), where applicable, by providing necessary information about the processing operations performed.

7.7 Return or Deletion of Data

Upon termination of the agreement, and at the Controller's election, return all personal data to the Controller or securely delete it, including existing copies, unless applicable law requires retention of the data. The Controller shall have a period of 30 (thirty) days after termination of the agreement to request export of its data before deletion.

8. Sub-processors

8.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following sub-processors for specific processing activities:

  • Google Cloud (Gemini API) — Artificial Intelligence inference for response generation, sentiment analysis, summarization, and conversation classification. Location: United States.
  • OpenAI — Generation of vector embeddings for semantic search (RAG). Location: United States.
  • Meta Platforms — Delivery and receipt of messages via WhatsApp Business API, Instagram DM, and Facebook Messenger. Location: United States / Ireland.
  • Telegram — Delivery and receipt of messages via Telegram Bot API. Location: United Arab Emirates.
  • Stripe — Payment processing and subscription management. Location: United States.
  • Asaas — Payment processing and subscription management (Brazilian market). Location: Brazil.

8.2 Notification of Changes

The Processor shall notify the Controller with a minimum of 15 (fifteen) days' advance notice regarding the addition or replacement of sub-processors, providing the sub-processor's name, the nature of the processing, and the geographic location.

8.3 Right of Objection

The Controller may object to the addition or replacement of a sub-processor, in writing, within 15 days of the notification. If the objection cannot be reasonably accommodated, the Controller may terminate the agreement without penalties.

8.4 Liability

The Processor shall remain fully liable to the Controller for the performance of its sub-processors' obligations. The Processor shall enter into agreements with each sub-processor imposing data protection obligations equivalent to those established in this DPA.

9. International Data Transfers

9.1 Transfers to Third Countries

Due to the engagement of the sub-processors listed in Section 8, personal data may be transferred outside of Brazil, in particular to the United States of America. These transfers are carried out in compliance with art. 33 of the LGPD and Chapter V of the GDPR.

9.2 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) — For transfers to the United States (Google, OpenAI, Meta, Stripe), the Processor utilizes Standard Contractual Clauses approved by the European Commission, supplemented by additional measures when necessary.
  • Adequacy Decisions — Where available and applicable, the Processor shall base transfers on adequacy decisions issued by the ANPD or the European Commission.
  • Specific consent — Where the other mechanisms are not applicable, the Controller shall obtain specific and prominent consent from the data subject for international transfer (LGPD art. 33, VIII).

9.3 Minimization of Transfers

The Processor adopts measures to minimize personal data transferred internationally. Vector embeddings are stored locally in the PostgreSQL database (pgvector extension) and are not shared with third parties. Only content strictly necessary for AI inference is sent to LLM providers.

10. Data Subject Rights

10.1 Cooperation

The Processor shall cooperate with the Controller to fulfill data subject rights requests, as provided in arts. 17 to 22 of the LGPD and arts. 15 to 22 of the GDPR, including:

  • Confirmation of the existence of processing
  • Access to personal data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Data portability
  • Deletion of personal data processed with consent
  • Withdrawal of consent

10.2 Available Tools

ChatSense provides the following API endpoints to facilitate the exercise of data subject rights:

  • /gdpr-export — Complete export of all of the data subject's personal data in a structured, machine-readable format.
  • /gdpr-erase — Irreversible deletion of all of the data subject's personal data, including messages, media, metadata, and CRM records.

10.3 Timelines

The Processor shall assist the Controller in responding to data subject requests within the timelines established by applicable law: 15 (fifteen) days pursuant to the LGPD (art. 18, paragraph 5) and 1 (one) month pursuant to the GDPR (art. 12(3)), extendable by an additional 2 months in cases of complexity.

11. Data Breach Notification

11.1 Notification Timeline

The Processor shall notify the Controller of any personal data breach within a maximum of 72 (seventy-two) hours after becoming aware of the incident, in compliance with art. 48 of the LGPD and arts. 33 and 34 of the GDPR.

11.2 Notification Content

The breach notification shall contain, at a minimum, the following information:

  • Nature of the breach — Description of the incident, including the type of breach (unauthorized access, loss, alteration, disclosure).
  • Categories and volume of affected data — Types of personal data compromised and approximate number of data subjects and records affected.
  • Measures taken — Containment, mitigation, and remediation actions taken or proposed to minimize the effects of the breach.
  • Point of contact — Name and contact details of the Data Protection Officer (DPO) or person responsible for incident management.
  • Likely consequences — Assessment of the probable consequences of the breach for affected data subjects.

11.3 Incident Cooperation

The Processor shall fully cooperate with the Controller in the investigation, remediation, and communication of the incident to competent authorities (ANPD, Supervisory Authorities) and affected data subjects, as required by applicable law.

12. Audit

12.1 Right of Audit

The Controller has the right to request evidence of the Processor's compliance with the obligations established in this DPA and in applicable data protection legislation.

12.2 Documentation and Reports

ChatSense provides the following compliance evidence upon request:

  • Security reports and vulnerability assessments
  • Applicable certifications and compliance attestations
  • Penetration testing (pentest) results
  • Internal system audit records
  • Documentation of implemented technical and organizational measures

12.3 On-Site Audits

The Controller may conduct on-site audits, subject to the following conditions:

  • Prior notice — Written notification with a minimum of 30 (thirty) days' advance notice.
  • Schedule — Audits shall be conducted during business hours, so as to minimize disruption to operations.
  • Costs — Audit costs shall be borne entirely by the requesting Controller.
  • Confidentiality — Auditors shall sign confidentiality agreements before the commencement of the audit.
  • Scope — The audit shall be limited to processing operations performed on behalf of the requesting Controller, and shall not encompass data of other controllers.

13. Annex: Technical and Organizational Measures (TOMs)

The Processor implements the following technical and organizational measures to ensure the security of personal data processed on behalf of the Controller:

13.1 Encryption

  • At rest — AES-256-GCM encryption for stored sensitive data, including channel tokens, credentials, and API keys.
  • In transit — TLS 1.2/1.3 for all communications between client and server, between server and database, and between server and external providers.
  • Passwords — Hashing with Argon2id (a memory-hard algorithm resistant to GPU-based brute-force attacks), preventing reversal of stored passwords.

13.2 Multi-Tenant Isolation

  • Row-Level Security (RLS) — Row-level security policies in PostgreSQL, ensuring that each organization accesses exclusively its own data, with complete isolation between tenants.

13.3 Authentication and Access Control

  • Multi-factor authentication (MFA/TOTP) — Support for TOTP-based two-factor authentication for platform access.
  • RBAC (Role-Based Access Control) — Role-based access control with granular permissions per feature.
  • SSRF protection — Blocking of requests to RFC-1918, loopback, and ULA addresses in automation webhooks, preventing SSRF attacks.
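The SSRF control above, shown as an added illustration that is not ChatSense's own code: a destination validator for outbound webhook URLs that rejects the RFC 1918, loopback, and ULA ranges the annex names, and additionally (an assumption of this example, not a claim about the platform) link-local and IPv4-mapped addresses. The `resolver` parameter is hypothetical; it exists so the check covers every DNS answer and can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the DPA (RFC 1918, loopback, ULA) plus link-local and 0.0.0.0/8,
# which this example adds because cloud metadata services live on link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "fc00::/7",                                        # IPv6 ULA
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "0.0.0.0/8",
)]

def is_blocked_address(addr: str) -> bool:
    """True if the literal IP lies in a blocked range; unwraps IPv4-mapped IPv6
    (::ffff:10.0.0.1) so the IPv4 rules cannot be bypassed via IPv6 notation."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (stdlib getaddrinfo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_webhook_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects non-HTTPS schemes, embedded credentials,
    and any host whose addresses (literal or resolved) fall in a blocked range."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # already lower-cased and stripped of [] for IPv6
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: check every answer, not just the first
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{addr} is in a blocked range"
    # Caller should connect to one of the validated addresses (not re-resolve)
    # so a DNS answer cannot change between the check and the request.
    return True, "ok"
```

The same check must be re-applied to every HTTP redirect target, since a permitted public host can redirect the client back into the internal network.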

13.4 Auditing and Monitoring

  • Audit logging — Complete logging of administrative actions, including IP address, user-agent, timestamp, and user identification.
  • Infrastructure monitoring — Prometheus and Grafana for continuous monitoring of system metrics, performance, and availability.
  • Error tracking — Sentry for real-time error detection, logging, and alerting.

13.5 Backups and Recovery

  • Automated backups — Regular database backups with automatic rotation, ensuring recovery capability in the event of incidents.

13.6 Infrastructure

  • Kubernetes — Container orchestration with namespace isolation, network policies, and automated updates.
  • Envoy Gateway — API gateway with HTTP/3 support, rate limiting, and DDoS attack protection.

Contact

For questions regarding this Data Processing Agreement:

ChatSense — Omega Capital Holding Gestão e Participações Empresariais Ltda
CNPJ: 58.557.020/0001-48
General email: contato@chatsense.app
Data Protection Officer (DPO): privacidade@chatsense.app
Security: seguranca-ia@chatsense.app