cbClientBuddy← back home
— Legal
Privacy PolicyTerms of ServiceData Processing AddendumImprint
AUTOPERATE.AI
KvK 97483672
BTW NL005273716B87
✦ Last updated · 5 July 2026

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller”) and AUTOPERATE.AI(KvK 97483672, BTW NL005273716B87; “Processor”) for the use of ClientBuddy. It implements art. 28 GDPR.

It applies automatically to every paying ClientBuddy customer; no signature is required. If your legal team needs a signed counterpart, email info@clientbuddy.aiand we'll countersign within 2 working days.

1. Subject matter & duration

Processor processes personal data on behalf of Controller solely to provide ClientBuddy as described in the Terms of Service. This DPA runs for the duration of the subscription plus any wind-down period agreed in writing.

2. Nature, purpose & type of data

  • Nature of processing: hosting, storing, transmitting, semantic search, and AI-assisted response generation.
  • Purpose: answering Controller's end-customers, handing conversations to Controller's team, providing analytics and audit logs.
  • Categories of data subjects: Controller's end-customers, prospects, and website visitors.
  • Categories of personal data: name, email address (including visitor emails captured for lead handover), message content, IP address, language preference, website content crawled to build the knowledge base, and any data Controller's end-customers volunteer in the chat.
  • Special categories: none expected. Controller agrees not to deliberately route special-category data through the assistant.

3. Processor obligations

  • Process personal data only on Controller's documented instructions, including those in the Terms and this DPA.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Annex A).
  • Assist Controller with data subject requests, breach notifications, DPIAs, and prior consultations with the supervisory authority.
  • Notify Controller without undue delay (within 72 hours) of becoming aware of a personal data breach.
  • At Controller's choice, return or delete all personal data after the end of the service, with two narrow exceptions: invoices and billing event records are retained under Dutch tax law (on an anonymized organization record), and the Controller's registrable website domain is retained to enforce the one-free-trial-per-domain rule (abuse prevention).
  • Make available all information necessary to demonstrate compliance and allow audits (see §6).

4. Sub-processors

Controller grants general authorization for the following sub-processors:

  • Mollie B.V.: payment processing (NL)
  • Vercel Inc.: hosting & edge delivery (USA, served from Frankfurt; SCC + DPF)
  • Get Convex Inc.: realtime backend, database, auth & vector search (EU, eu-west-1)
  • OpenAI (OpenAI Ireland Ltd. / OpenAI, L.L.C.): LLM inference & embeddings for chat content and knowledge base excerpts; may process data in the USA (SCC + DPF; API data not used for model training per OpenAI's API terms)
  • Resend, Inc.: transactional email, limited to password-reset links and trial-expiry notices (USA, EU sending region; SCC)
  • Telegram Messenger Inc.: owner & lead notifications (global). Customer-optional: engaged only when Controller opts in to connect Telegram

We notify Controller of any new sub-processor at least 14 days before engagement, via an in-product banner. Controller may object on reasonable grounds; if we cannot resolve the objection, Controller may terminate the affected portion of the Service.

5. International transfers

Where personal data is transferred outside the EEA, Processor relies on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, 2021/914). Where applicable, Processor also relies on the EU-US Data Privacy Framework. The SCCs are deemed incorporated into this DPA where required.

6. Audits

On reasonable written notice (at least 30 days, no more than once per year, except after a confirmed breach), Controller may audit Processor's compliance. Audits are conducted at Controller's expense and must not unreasonably disrupt the Service. Processor may satisfy audit obligations by providing recent SOC 2 / ISO 27001 reports from its sub-processors.

7. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing here limits liability that cannot be limited under applicable law.

Annex A: Technical & organizational measures

  • Primary application data stored in the EU (database in Convex's eu-west-1 region); AI inference via OpenAI under SCCs (see §5).
  • TLS 1.2+ in transit; encryption at rest for database and backups (managed by our infrastructure providers).
  • Per-organization data isolation enforced in the backend on every query.
  • Least-privilege access to production systems.
  • Multi-factor authentication for production access.
  • Encrypted backups managed by our infrastructure providers.
  • Dependency monitoring and automated error & incident alerting.
  • Sensitive tokens (e.g. one-tap login links) stored hashed; server-to-server calls authenticated with constant-time secret comparison.
  • Data is never used to train AI models.

Annex B: Sub-processor list

Maintained current at /legal/dpa and accessible to all customers.

Questions or signed copy: info@clientbuddy.ai