Data Processing Addendum

Last Updated: August 31, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement between Chablyy ("Processor") and the customer ("Controller") (collectively, the "Agreement") to reflect the parties' agreement with regard to the Processing of Personal Data. This DPA applies to the extent that Chablyy processes Personal Data on behalf of the Controller in connection with providing the Services.

Scope and Application

This DPA governs Chablyy's processing of Personal Data on behalf of the Controller. The parties agree that for Personal Data processed under the Agreement, the Controller is the data controller and Chablyy is the data processor. This DPA applies to Personal Data submitted to Chablyy via the Services, including data processed when integrating third-party platforms (e.g., Meta products).

Roles and Responsibilities

The Controller determines the purposes and means of processing Personal Data. Chablyy will process Personal Data only on documented instructions from the Controller (including via the Agreement and the Controller's use of the Services), unless otherwise required by applicable law. Where Chablyy is required by law to process Personal Data other than on Controller's documented instructions, Chablyy will notify the Controller to the extent permitted by law.

Categories of Data Subjects & Personal Data

Data Subjects: the Controller's customers, prospects, employees, contractors, and other individuals whose Personal Data is submitted to the Services. Categories of Personal Data: contact and account data (name, email, phone), credentials and identifiers, message content and metadata (messages exchanged through connected channels), usage and telemetry data, payment/billing metadata (not full card data), and any other Personal Data the Controller elects to submit through the Services.

Nature and Purpose of Processing

Chablyy will process Personal Data as necessary to provide the Services and features the Controller elects to use, including but not limited to message routing, chatbot automation, analytics, sentiment analysis, logging for troubleshooting, lead capture, and billing. Processing is limited to the Controller's documented instructions and to the extent necessary to comply with legal obligations.

Legal Basis

When applicable, the Controller is responsible for establishing the legal basis for processing Personal Data (e.g., consent, performance of a contract, legitimate interests). Chablyy will, at Controller's direction, assist with implementing lawful processing where the Processor's assistance is required by law (for example, facilitating data subject requests).

Duration of Processing

Chablyy will process Personal Data for the duration necessary to perform the Services or until the Controller deletes the data or terminates the Agreement, except where a longer retention is required by law. Data retention details and configurable retention settings are documented in the Services; default retention for message content is thirty (30) days unless the Controller configures a different setting where available.

Security Measures

Chablyy will implement and maintain appropriate technical and organizational measures to protect Personal Data commensurate with the risks, including but not limited to: TLS for data in transit, encryption of sensitive fields at rest, access controls and role-based permissions, logging and monitoring, secure development practices, vulnerability management, periodic security assessments and penetration testing, and incident detection/response processes.

Security Incidents & Breach Notification

Chablyy will notify the Controller without undue delay upon becoming aware of a confirmed security incident involving the Controller's Personal Data. The notice will include, where feasible, the nature of the breach, categories of Personal Data affected, likely consequences, measures taken or proposed to mitigate the breach, and contact information for further inquiries. Chablyy will cooperate with reasonable Controller requests to investigate and remediate the incident.

Sub-processors

The Controller grants Chablyy a general authorization to engage sub-processors to perform certain processing activities. Chablyy will maintain an up-to-date list of sub-processors (available on request or via the Services). Prior to engaging a new sub-processor, Chablyy will notify the Controller of the intended change and provide a meaningful opportunity to object. Chablyy will flow down data protection obligations to sub-processors consistent with this DPA and remain liable for sub-processor performance.

Audits and Inspections

Upon reasonable notice and subject to confidentiality constraints and commercially reasonable conditions, Chablyy will make available information necessary to demonstrate compliance with its obligations under this DPA and will allow for audits or inspections by the Controller or an independent auditor appointed by the Controller (limited to once per 12-month period unless otherwise required by law). Audits will not materially disrupt Chablyy's operations and may be subject to a mutually agreed scope and cost allocation.

Assistance with Data Subject Rights

Chablyy will, to the extent possible and subject to Controller's instructions, assist the Controller in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, objection, portability, restriction). The Controller should forward requests to legal@chablyy.com and provide sufficient information to verify the requestor and to permit Chablyy to comply with the instruction.

International Data Transfers

Chablyy may transfer Personal Data to countries outside the Controller's jurisdiction (including Nepal and other territories where Chablyy's processors operate). When transfers require legal safeguards, Chablyy will implement appropriate measures (e.g., standard contractual clauses or other legally recognized transfer mechanisms) or rely on an approved transfer basis. Controller may request a copy of the safeguards used for any given transfer.

Return, Deletion and Portability

Upon termination or at Controller's request, Chablyy will return or provide a copy of Personal Data in a commonly used, machine-readable format and will securely delete or anonymize Personal Data from production systems within thirty (30) days, except where retention is required by law or for limited backup and fraud prevention purposes. Controller is responsible for extracting exported data prior to deletion events.

Liability

The liability of each party for breaches of this DPA will be governed by the liability provisions in the Agreement. Nothing in this DPA will limit or exclude liability for death or personal injury resulting from negligence, or for fraud, or any other liability that cannot be limited or excluded by applicable law. For all other liabilities, the parties' aggregate liability will be subject to the caps set in the Agreement.

Changes to this DPA

Chablyy may update this DPA to reflect changes in legal or regulatory requirements or changes to the Services. Material changes will be communicated to the Controller with reasonable notice; continued use of the Services after notice constitutes acceptance. Controllers may request reasonable amendments to address specific legal requirements.

Contact Information

For questions regarding this DPA or Chablyy's data processing practices, contact: legal@chablyy.com. Postal correspondence: Chablyy, Balkot, Nepal, 44800.