Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller”) and AUTOPERATE.AI (KvK 97483672, BTW NL005273716B87; “Processor”) for the use of ClientBuddy. It implements art. 28 GDPR.
It applies automatically to every paying ClientBuddy customer; no signature is required. If your legal team needs a signed counterpart, email legal@clientbuddy.ai and we'll countersign within 2 working days.
1. Subject matter & duration
Processor processes personal data on behalf of Controller solely to provide ClientBuddy as described in the Terms of Service. This DPA runs for the duration of the subscription plus any wind-down period agreed in writing.
2. Nature, purpose & type of data
- Nature of processing: hosting, storing, transmitting, semantic search, and AI-assisted response generation.
- Purpose: answering Controller's end-customers, escalating to Controller's team, providing analytics and audit logs.
- Categories of data subjects: Controller's end-customers, prospects, and website visitors.
- Categories of personal data: name, email, message content, IP address, language preference, and any data Controller's end-customers volunteer in the chat.
- Special categories: none expected. Controller agrees not to deliberately route special-category data through the agent.
3. Processor obligations
- Process personal data only on Controller's documented instructions, including those in the Terms and this DPA.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex A).
- Assist Controller with data subject requests, breach notifications, DPIAs, and prior consultations with the supervisory authority.
- Notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.
- At Controller's choice, return or delete all personal data after the end of the service.
- Make available all information necessary to demonstrate compliance and allow audits (see §6).
4. Sub-processors
Controller grants general authorization for the following sub-processors:
- Mollie B.V. — payment processing (NL)
- Vercel Inc. — hosting & edge delivery (USA, served from Frankfurt; SCC + DPF)
- Supabase Inc. — database / auth / vector search (EU, eu-west-1)
- Get Convex Inc. — realtime backend (EU, eu-west-1)
- OpenAI Ireland Ltd. — LLM inference (Ireland; ZDR enabled where supported)
- Resend / Postmark — transactional email (EU/USA; SCC)
We notify Controller of any new sub-processor at least 14 days before engagement, via email and an in-product banner. Controller may object on reasonable grounds; if we cannot resolve the objection, Controller may terminate the affected portion of the Service.
5. International transfers
Where personal data is transferred outside the EEA, Processor relies on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, 2021/914) and, where applicable, the EU-US Data Privacy Framework. The SCCs are deemed incorporated into this DPA where required.
6. Audits
On reasonable written notice (at least 30 days, no more than once per year, except after a confirmed breach), Controller may audit Processor's compliance. Audits are conducted at Controller's expense and must not unreasonably disrupt the Service. Processor may satisfy audit obligations by providing recent SOC 2 / ISO 27001 reports from its sub-processors.
7. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing here limits liability that cannot be limited under applicable law.
Annex A — Technical & organizational measures
- EU-only primary infrastructure (Frankfurt / Dublin).
- TLS 1.2+ in transit; AES-256 at rest for database and backups.
- Row-level security and per-organization isolation in the database.
- Least-privilege access; engineer access is logged and reviewed quarterly.
- Multi-factor authentication required for all production access.
- Daily encrypted backups with 30-day retention.
- Vulnerability scanning, dependency monitoring, and a documented incident response plan.
- Data is never used to train AI models.
Annex B — Sub-processor list
Maintained current at /legal/dpa and accessible to all customers.