Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Svyazio ("Processor") and the Customer ("Controller"), and governs the processing of personal data of Visitors on behalf of the Customer, in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

1. Subject Matter

1.1. The Processor agrees to process personal data only on documented instructions from the Controller (the Customer), and solely for the purpose of operating the Svyazio live chat platform.

1.2. The Controller is the data controller for Visitor personal data; the Processor acts as a sub-processor under Article 28 GDPR.

2. Processor Obligations

• Process data only on documented instructions from the Controller
• Ensure confidentiality — all personnel with access to data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (Article 32 GDPR)
• Assist the Controller in responding to data subject requests (access, erasure, restriction, portability)
• Notify the Controller of any personal data breach without undue delay
• Delete or return all personal data upon termination of the agreement, within 30 days
• Make available all information necessary to demonstrate compliance with GDPR obligations

3. Controller Obligations

• Ensure a lawful basis exists for collecting and processing Visitor data
• Obtain necessary consents from Visitors where required by applicable law
• Maintain a privacy policy on your website that references the use of Svyazio
• Not instruct the Processor to handle special categories of personal data (health, biometrics, political views, etc.)

4. Categories of Personal Data

The Processor may process the following categories on behalf of the Controller:

• Identity data: name, email address, phone number (if provided by the Visitor)
• Communication data: chat messages and attached files
• Technical data: IP address, browser type, device type, URL, session cookies

5. Security Measures

The Processor implements the following measures:

• TLS encryption for all data in transit (HTTPS)
• Encrypted data storage at rest
• Role-based access controls with least-privilege principles
• Regular automated backups
• Audit logs for access to production data
• Penetration testing and vulnerability assessments

6. Sub-processors

6.1. The Controller authorises the Processor to engage sub-processors (cloud infrastructure providers) to deliver the Service. These providers act only as hosting infrastructure and do not independently access or process Customer data.

6.2. The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

7. Data Transfers

Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place (e.g., Standard Contractual Clauses or adequacy decisions as applicable).

8. Liability

8.1. The Processor is liable to the Controller for damage caused by processing that has not complied with GDPR or the instructions of the Controller.

8.2. The Controller is solely responsible for the lawfulness of data collection and for ensuring Visitors are properly informed about the use of the Svyazio widget.

9. Termination & Data Deletion

Upon termination of the Terms of Service, all personal data associated with the Customer's account will be securely deleted within 30 days, unless retention is required by law.

10. Contact