Annex 1 to Terms of Service · Revision 2 · Effective date: April 13, 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service (the "Agreement") between Svyazio ("Processor") and the Customer ("Controller"), and governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Svyazio live chat platform. This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR") and shall be read and interpreted in light of the provisions of the GDPR.
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data. Terms not defined herein shall have the meaning ascribed to them in the GDPR or, failing that, in the Agreement.
1.1. Controller. The "Controller" is the Customer who has entered into the Agreement with Svyazio and who determines the purposes and means of the processing of personal data collected through the Svyazio widget installed on the Controller's website or application. The Controller is the entity that decides to use Svyazio as a communication tool and is responsible for establishing a lawful basis for the collection and processing of personal data of its website visitors and end users.
1.2. Processor. The "Processor" is Svyazio, a software-as-a-service platform operated by Eduard Pashchenko (Sole Trader / Individual Entrepreneur), INN 231221935418, OGRNIP 321237500279053. The Processor provides the technical infrastructure, software, and services that enable the Controller to communicate with its website visitors in real time via a live chat widget, and processes personal data solely on behalf of and under the documented instructions of the Controller.
1.3. Scope. This DPA applies to all processing of personal data that the Processor carries out on behalf of the Controller in connection with the provision of the Svyazio service. This includes, without limitation, the collection of visitor data through the chat widget, the storage and transmission of chat messages and file attachments, the generation of analytics and reporting, and all ancillary processing activities necessary for the delivery of the service.
1.4. Categories of Data Subjects. The personal data processed under this DPA relates to the following categories of data subjects: (a) Visitors — individuals who visit the Controller's website or application where the Svyazio widget is installed, and who may or may not initiate a chat conversation; (b) End Users — visitors who actively engage in chat conversations, provide personal information, or upload files through the widget; and (c) Customer Employees — the Controller's agents, operators, and administrators who use the Svyazio dashboard to manage conversations and configure the service.
2.1. Subject Matter. The subject matter of the processing is the provision of the Svyazio live chat service, which involves: the storage and retrieval of real-time chat messages exchanged between visitors and the Controller's agents; the collection and processing of visitor metadata for the purpose of identifying returning visitors and providing contextual information to agents; the secure storage of file attachments uploaded during chat conversations; the generation of analytics data including conversation volumes, response times, and agent performance metrics; and the delivery of notifications to agents via email, browser push, and mobile push channels.
2.2. Duration. The processing of personal data under this DPA shall commence on the date the Controller first activates the Svyazio service (by installing the widget code on their website) and shall continue for the entire duration of the Agreement. Upon termination or expiration of the Agreement, the Processor shall continue to process personal data only to the extent necessary to fulfill its obligations under Section 12 (Return and Deletion of Data) of this DPA.
2.3. Retention. During the term of the Agreement, personal data is retained in accordance with the Processor's data retention policies as described in the Privacy Policy. The Controller may delete individual conversations, visitor records, or export data at any time through the Svyazio dashboard. Following termination of the Agreement, the retention and deletion schedule set forth in Section 12 shall apply.
3.1. Collection of Visitor Data. When a visitor loads a webpage on which the Svyazio widget is installed, the widget automatically collects certain technical data, including the visitor's IP address, browser type and version, operating system, device type, the URL of the current page, the referring URL, and approximate geolocation derived from the IP address (country and city level). This data is transmitted to the Processor's servers and is used to identify returning visitors, provide contextual information to the Controller's agents, and generate analytics reports.
3.2. Chat Message Processing. When a visitor initiates a conversation through the widget, the Processor stores the full text of all messages exchanged between the visitor and the Controller's agents, along with associated metadata such as timestamps, message delivery status, and read receipts. This processing is necessary for the core functionality of the service — enabling real-time communication and preserving conversation history for the Controller's reference.
3.3. File Attachment Processing. Visitors and agents may upload files (images, documents, and other attachments) during chat conversations. The Processor stores these files securely and makes them accessible to both parties within the conversation context. Files are stored for the duration of the conversation record's retention period.
3.4. Analytics and Reporting. The Processor processes personal data to generate aggregated and per-conversation analytics for the Controller, including metrics such as total conversation volume, average response time, agent activity statistics, visitor satisfaction ratings, peak traffic periods, and page-level engagement data. These analytics assist the Controller in evaluating and improving its customer communication operations.
3.5. Notification Delivery. To enable timely responses to visitor inquiries, the Processor processes personal data for the purpose of sending notifications to the Controller's agents. This includes email notifications containing message previews, browser push notifications, and mobile push notifications. Notification delivery may involve the transmission of limited personal data (such as the visitor's name and a message excerpt) through third-party notification channels.
The Processor processes the following types of personal data on behalf of the Controller:
4.1. Visitor and End User Data:
4.2. Customer Employee Data (Agents and Administrators):
4.3. Communication Metadata:
4.4. Special Categories of Data. The Processor does not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). The Controller shall not instruct visitors to provide such data through the chat widget. If special category data is inadvertently submitted by a visitor in a chat message, the Controller shall promptly notify the Processor, and the Processor shall assist in the secure deletion of such data upon request.
5.1. Processing on Instructions. The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are documented in this DPA, the Agreement, and any subsequent written instructions provided by the Controller. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
5.2. Confidentiality. The Processor shall ensure that all persons authorized to process personal data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of any individual's engagement with the Processor. The Processor shall ensure that access to personal data is limited to those personnel who require such access for the performance of the services under the Agreement, and that such personnel are informed of the confidential nature of the personal data and receive appropriate training on their data protection responsibilities.
5.3. Security of Processing. The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. These measures are described in detail in Annex 1 (Technical and Organizational Measures) of this DPA. The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and shall update them as necessary in response to evolving threats and technological developments.
5.4. Sub-Processors. The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The conditions for engaging sub-processors are set forth in Section 6 of this DPA.
5.5. Assistance with Data Subject Requests. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR. This includes requests for access, rectification, erasure, restriction of processing, data portability, and the right to object. The Processor shall promptly notify the Controller if it receives a request from a data subject directly and shall not respond to the data subject without the Controller's prior written instruction, unless legally compelled to do so.
5.6. Assistance with Compliance Obligations. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with: ensuring the security of processing (Article 32); notification of personal data breaches to the supervisory authority (Article 33); communication of personal data breaches to the data subject (Article 34); data protection impact assessments (Article 35); and prior consultation with the supervisory authority (Article 36). Where the Controller is required to carry out a data protection impact assessment relating to processing performed by the Processor, the Processor shall provide such information as is reasonably necessary for the Controller to complete the assessment.
5.7. Deletion or Return of Data. At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services relating to processing, and shall delete existing copies unless Union or Member State law requires storage of the personal data. The specific procedures for return and deletion are set forth in Section 12 of this DPA.
5.8. Demonstration of Compliance. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the conditions set forth in Section 7 (Audit Rights) of this DPA.
6.1. General Authorization. The Controller hereby grants the Processor a general written authorization to engage the sub-processors listed in this Section 6 for the purposes described below. Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor, by way of a contract or other legal act, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
6.2. Current Sub-Processors. The following sub-processors are authorized as of the effective date of this DPA:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Primary infrastructure hosting (RU region servers) | Germany / Finland | All service data for RU-region customers |
| Vultr Holdings LLC | Infrastructure hosting (US/COM region servers) | USA (New Jersey) | All service data for COM-region customers |
| Google LLC (Analytics) | Website analytics via Google Analytics 4 (GA4) on svyazio.com | USA | IP address, browsing behavior, device information |
| Yandex LLC (Metrika) | Website analytics and session recording on svyazio.com | Russia | IP address, browsing behavior, session recordings |
| Roistat LLC | Marketing analytics and conversion tracking on svyazio.com | Russia | Visit data, conversion data |
| Google LLC (Fonts) | Web font delivery (Google Fonts CDN) | USA | IP address (transmitted upon font request) |
6.3. Changes to Sub-Processors. The Processor shall maintain the current list of sub-processors at https://svyazio.com/legal/dpa.html. The Processor shall notify the Controller by email at least thirty (30) days before adding a new sub-processor or replacing an existing one. The notification shall include the identity of the proposed sub-processor, the nature of the processing to be performed, and the location of the processing.
6.4. Right to Object. The Controller shall have the right to object to the appointment of a new sub-processor by notifying the Processor in writing within fifteen (15) days of receiving the notification described in Section 6.3. The objection must be based on reasonable grounds relating to data protection. If the Controller objects, the Processor shall make reasonable efforts to provide an alternative solution that avoids the use of the objected-to sub-processor. If no alternative is reasonably available, either party may terminate the Agreement with respect to the services that require the use of the proposed sub-processor, without penalty, by providing written notice to the other party.
7.1. Right to Audit. The Controller shall have the right to audit the Processor's compliance with this DPA. The Controller may exercise this right by: (a) requesting and receiving written information from the Processor about the processing activities conducted under this DPA, the technical and organizational measures in place, and any relevant changes since the last audit; (b) submitting written questions or compliance questionnaires, which the Processor shall respond to within thirty (30) days; or (c) conducting an on-site or remote audit of the Processor's facilities, systems, and records relevant to the processing of the Controller's personal data, either directly or through an independent third-party auditor appointed by the Controller.
7.2. Conditions for On-Site Audits. On-site audits shall be subject to the following conditions: (a) the Controller shall provide the Processor with at least thirty (30) days' prior written notice, specifying the scope, duration, and start date of the audit; (b) audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations; (c) the auditor (whether the Controller or its appointed third party) shall comply with the Processor's reasonable security policies and procedures while on-site; (d) all costs of the audit, including the fees of any third-party auditor, shall be borne by the Controller; and (e) the auditor shall enter into a confidentiality agreement acceptable to the Processor before commencing the audit, to the extent the auditor is not already bound by professional confidentiality obligations.
7.3. Frequency. The Controller may exercise its audit rights under Section 7.1 no more than once per calendar year, unless: (a) a personal data breach has occurred that affects the Controller's data; (b) the Controller has reasonable and documented grounds to suspect non-compliance with this DPA or applicable data protection law; or (c) an audit is required by a supervisory authority. In such cases, the Controller may request an additional audit at any time, subject to the conditions in Section 7.2.
7.4. Cooperation. The Processor shall cooperate with the Controller and provide reasonable access to relevant facilities, systems, documentation, and personnel as necessary for the Controller to conduct the audit. The Processor shall make available relevant records, including processing logs, security incident records, sub-processor agreements, and evidence of the implementation of technical and organizational measures.
7.5. Confidentiality of Results. The results of any audit conducted under this Section 7, including all reports, findings, and supporting documentation, shall be treated as confidential information of both parties and shall not be disclosed to any third party without the prior written consent of the other party, except as required by applicable law or by a supervisory authority. The Controller shall share the audit findings with the Processor and provide the Processor with a reasonable opportunity to respond to and remediate any identified issues.
8.1. Lawful Basis. The Controller shall ensure that it has a valid lawful basis under Article 6 of the GDPR (and, where applicable, Article 9) for the collection, processing, and transfer of personal data to the Processor. The Controller is solely responsible for determining the appropriate legal ground for each processing activity, whether consent, contractual necessity, legitimate interest, or another applicable basis.
8.2. Transparency and Consent. The Controller shall maintain a privacy policy on its website that adequately informs data subjects about the use of the Svyazio service, the types of personal data collected, the purposes of processing, and the data subjects' rights under applicable data protection law. Where the Controller relies on consent as the legal basis, the Controller shall obtain valid, informed, specific, and freely given consent from data subjects before their personal data is processed through the Svyazio widget. The Controller shall implement appropriate cookie consent mechanisms as required by the ePrivacy Directive and applicable national law.
8.3. Instructions. The Controller shall ensure that its processing instructions to the Processor comply with all applicable data protection laws. The Controller shall not instruct the Processor to process personal data in a manner that would violate the GDPR or any other applicable legislation. The Controller acknowledges that the Processor's obligations under this DPA are limited to the processing of personal data in accordance with the Controller's lawful instructions and the terms of this DPA.
8.4. Special Categories of Data. The Controller shall not instruct visitors to provide, and shall take reasonable steps to prevent the submission of, special categories of personal data (as defined in Article 9 of the GDPR) through the Svyazio chat widget. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning health, or data concerning a natural person's sex life or sexual orientation. The Controller acknowledges that the Svyazio service is not designed for the processing of such data.
9.1. Regional Data Residency. Svyazio offers two infrastructure regions, and the Controller may select the region in which its personal data will be primarily stored and processed: (a) the RU region, hosted by Hetzner Online GmbH with data centers located in Germany and Finland (within the European Economic Area); or (b) the COM region, hosted by Vultr Holdings LLC with data centers located in the United States (New Jersey). The Controller's choice of region determines the primary location of data storage for all service data, including chat messages, visitor records, and file attachments.
9.2. Transfers Outside the EEA. Where personal data is transferred from the European Economic Area to a country that has not received an adequacy decision from the European Commission, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. The following transfer mechanisms are relied upon:
9.3. Transfer Impact Assessment. The Processor has conducted a transfer impact assessment for each transfer described in this Section 9 and has concluded that the applicable safeguards, in combination with any supplementary measures, ensure an essentially equivalent level of protection for personal data as guaranteed within the EEA. The Processor shall periodically review and update these assessments in light of changes to applicable law, enforcement practices, or the data protection landscape in the relevant third countries. The Controller may request a copy of the relevant transfer impact assessments upon written request.
10.1. Notification Obligation. The Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours after becoming aware of a personal data breach affecting the Controller's personal data. Notification shall be provided to the Controller's designated contact email address on file, and, if necessary, by any additional means reasonably likely to ensure timely receipt.
10.2. Content of Notification. The breach notification shall include, to the extent such information is available and can be reasonably ascertained at the time of notification: (a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) the name and contact details of the Processor's point of contact from whom more information can be obtained; (c) a description of the likely consequences of the personal data breach; and (d) a description of the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.3. Ongoing Cooperation. Where it is not possible to provide all the information required under Section 10.2 at the time of the initial notification, the Processor shall provide information in phases without further undue delay as such information becomes available. The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of the breach.
10.4. Documentation. The Processor shall document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation shall be made available to the Controller upon request and shall be maintained for a period of not less than five (5) years.
11.1. Assistance. The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). The Processor shall provide technical tools and features within the Svyazio dashboard that enable the Controller to independently access, export, rectify, and delete visitor and conversation data.
11.2. Direct Requests. If the Processor receives a request from a data subject directly (for example, a visitor contacting Svyazio to request deletion of their chat data), the Processor shall promptly redirect the data subject to the Controller, as the Controller is the party responsible for responding to such requests. The Processor shall not respond substantively to the data subject's request without the Controller's prior written instruction, unless the Processor is legally required to do so, in which case the Processor shall inform the Controller of such legal requirement before responding (to the extent permitted by law).
11.3. Response Support. Where the Controller requests the Processor's assistance in responding to a data subject request, the Processor shall provide such assistance without undue delay and in any event within a timeframe that enables the Controller to comply with the applicable statutory response period. The Processor may charge a reasonable fee for any manifestly unfounded or excessive assistance requests, based on the administrative costs of providing the assistance, provided that the Processor informs the Controller of such fees in advance.
12.1. Controller's Choice. Upon termination or expiration of the Agreement, the Controller shall have the choice to either: (a) request the return of all personal data processed under this DPA, in a structured, commonly used, and machine-readable format (JSON); or (b) request the deletion of all personal data processed under this DPA. The Controller shall communicate its choice to the Processor in writing within thirty (30) days of the effective date of termination.
12.2. Export Period. Following termination or expiration of the Agreement, the Controller shall have a period of thirty (30) days during which the Controller may access the Svyazio dashboard in a read-only mode for the sole purpose of exporting its data. During this period, the Processor shall maintain the Controller's data in the same manner as during the term of the Agreement and shall make export functionality available.
12.3. Deletion. Following the expiration of the thirty (30) day export period described in Section 12.2, or upon the Controller's earlier written request for deletion, the Processor shall delete all personal data processed on behalf of the Controller within an additional thirty (30) days. Deletion shall encompass all copies of the Controller's personal data in the Processor's production systems, including chat messages, visitor records, file attachments, agent data associated with the Controller's organization, and all analytics and metadata. Backup copies shall be deleted in accordance with the Processor's standard backup rotation cycle, which shall not exceed sixty (60) days from the deletion of production data.
12.4. Confirmation. Upon completion of the deletion described in Section 12.3, the Processor shall provide the Controller with a written confirmation of deletion, certifying that all personal data (including backup copies) has been securely destroyed. The Processor may retain personal data beyond the deletion schedule only to the extent required by applicable Union or Member State law, in which case the Processor shall inform the Controller of the legal basis and scope of the continued retention and shall ensure that such data is processed only for the purpose required by law.
13.1. Processor Liability. The Processor shall be liable to the Controller for damages caused by processing that does not comply with the obligations of this DPA, the GDPR, or the Controller's lawful instructions. The Processor's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement (Terms of Service). The aggregate liability of the Processor under this DPA, whether in contract, tort, or otherwise, shall not exceed the aggregate liability cap set forth in the Agreement.
13.2. Controller Liability. The Controller shall be solely liable for: (a) the lawfulness of the processing instructions provided to the Processor; (b) the lawfulness of the collection of personal data from data subjects, including the establishment of a valid legal basis; (c) ensuring that data subjects are adequately informed about the processing of their personal data through the Svyazio service; and (d) any claims arising from the Controller's failure to comply with its obligations under applicable data protection law.
13.3. Indemnification. Each party shall indemnify and hold harmless the other party from and against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or related to the indemnifying party's breach of this DPA or its obligations under applicable data protection law, subject to the liability limitations set forth in the Agreement.
14.1. Term. This DPA shall become effective on the date the Controller first activates the Svyazio service and shall remain in effect for the duration of the Agreement. This DPA cannot be terminated independently of the Agreement.
14.2. Survival. The provisions of this DPA that by their nature should survive termination (including, without limitation, Sections 5.2 (Confidentiality), 7 (Audit Rights), 10 (Data Breach Notification), 12 (Return and Deletion of Data), 13 (Liability), and this Section 14.2) shall survive the termination or expiration of the Agreement until all personal data processed under this DPA has been deleted or returned in accordance with Section 12.
14.3. Effect of Termination. Upon termination of the Agreement, the Processor shall cease all processing of personal data on behalf of the Controller, except as necessary to comply with the data return and deletion obligations under Section 12 or as required by applicable law. The Controller's rights under Section 7 (Audit Rights) shall continue to apply during the data return and deletion period.
Pursuant to Article 32 of the GDPR, the Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures are subject to periodic review and improvement.
A1.1. Encryption.
A1.2. Access Control.
A1.3. Authentication.
A1.4. Network Security.
A1.5. Data Isolation.
A1.6. Backup and Recovery.
A1.7. Monitoring and Logging.
A1.8. Incident Response.
A1.9. Personnel Security.
A1.10. Physical Security (Data Centers).
Svyazio — Data Protection
Legal entity: Eduard Pashchenko (Sole Trader / Individual Entrepreneur)
Tax ID (INN): 231221935418 | Reg. No. (OGRNIP): 321237500279053
DPA and compliance enquiries: legal@svyazio.com
Privacy and data subject requests: privacy@svyazio.com
Data breach reports: security@svyazio.com
Revision 2 — April 13, 2026. This DPA supersedes all prior versions.