Data Processing Agreement (DPA)
Terms governing UjumbeAI’s processing of personal data on behalf of customers under GDPR.
Last Updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between UjumbeAI ("Processor") and the Customer ("Controller").
This DPA governs the processing of personal data by UjumbeAI on behalf of the Customer in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).
1. Subject Matter and Scope
This DPA applies where UjumbeAI processes personal data on behalf of the Customer in connection with the provision of the Service.
2. Nature and Purpose of Processing
UjumbeAI processes personal data solely for the purpose of providing and securing the Service, including:
- Hosting and storing conversation data
- Processing AI-generated responses
- Providing administrative dashboards
- Enabling analytics and system monitoring
- Supporting data export and deletion workflows
Processing does not include use of Customer data for advertising or independent commercial purposes.
3. Categories of Data Subjects
Personal data processed may relate to:
- Customer personnel
- End-users (e.g., guests, clients, website visitors)
- Authorized users of the platform
4. Types of Personal Data
Depending on Customer configuration, personal data may include:
- Names
- Contact information
- Conversation content
- Metadata (timestamps, session identifiers)
- Technical usage data
Special categories of data should not be processed unless explicitly configured and legally permitted by the Customer.
5. Duration
Processing continues for the duration of the Customer's subscription. Upon termination, data is retained only as necessary for backup, legal, or accounting obligations and is deleted in accordance with documented retention procedures.
6. Processor Obligations
UjumbeAI shall:
- Process personal data only on documented instructions from the Customer
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational measures
- Assist the Customer in responding to data subject requests
- Notify the Customer of personal data breaches without undue delay
- Maintain records of processing activities where required
7. Security Measures
UjumbeAI implements technical and organizational safeguards including:
- Encryption in transit (TLS 1.2+)
- Encrypted storage managed by infrastructure providers
- Row-Level Security (RLS) for tenant isolation
- Role-Based Access Control (RBAC)
- Structured audit logging
- Restricted production access
Details are further described in the Security & Compliance page.
8. Subprocessors
UjumbeAI may engage subprocessors to provide components of the Service, including:
- Vercel (application hosting)
- Supabase (database and storage)
- OpenAI (AI processing)
- Resend (email delivery)
Subprocessors are bound by contractual data protection obligations. UjumbeAI remains responsible for compliance of subprocessors under GDPR Article 28.
A current list of subprocessors may be requested.
9. International Transfers
Where personal data is transferred outside the EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms are applied.
10. Data Subject Rights
UjumbeAI shall assist the Customer, taking into account the nature of processing, in responding to requests for:
- Access
- Rectification
- Erasure
- Restriction
- Portability
Customers remain responsible for fulfilling such requests.
11. Audit Rights
The Customer may request reasonable information necessary to demonstrate compliance with this DPA.
On-site audits are permitted only where legally required and subject to:
- Reasonable prior written notice
- Confidentiality obligations
- Scope limitations to avoid disruption
- Cost allocation to the requesting party
12. Personal Data Breach
In the event of a personal data breach affecting Customer data, UjumbeAI shall notify the Customer without undue delay and provide information reasonably required to support regulatory obligations.
13. Deletion and Return of Data
Upon termination of the Service, Customer data may be exported during the retention window. Data will be deleted in accordance with documented retention policies, subject to backup and legal retention requirements.
14. Liability
Liability arising from this DPA shall be subject to the limitations set forth in the Terms of Service.
15. Governing Law
This DPA shall be governed by the governing law specified in the Terms of Service.