Data Processing Agreement

Version: 1.0
Effective Date: February 8, 2026
Last Updated: February 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between IdeaVista, trading as TalkBuildr ("Processor") and you, the customer ("Controller"). By using the Service, you accept this DPA as required by GDPR Article 28(3).

Disclaimer: This DPA was drafted with AI assistance. It is not legal advice. We recommend having a qualified Dutch/EU data protection lawyer review your data processing arrangements.

1. Definitions

  • "Controller" means you, the TalkBuildr customer who determines the purposes and means of processing personal data through the Service.
  • "Processor" means IdeaVista, trading as TalkBuildr (KvK: 97755893, Amsterdam, The Netherlands), which processes personal data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings given in the GDPR.
  • "Service" means the TalkBuildr platform as described in the Terms of Service.

2. Scope & Processing Details

The Processor processes personal data on behalf of the Controller as follows:

  • Subject Matter: Provision of the TalkBuildr chatbot platform, including AI-powered chat, knowledge base management, analytics, and lead capture
  • Duration: For the term of the Controller's use of the Service, plus 30 days for data deletion
  • Nature & Purpose: Processing chat messages via AI models, storing conversation history, collecting lead form submissions, generating analytics, and delivering email notifications
  • Types of Personal Data: Chat messages and conversation content, IP addresses, email addresses (if lead capture enabled), browser/device metadata, any personal data voluntarily provided by end users in chat
  • Categories of Data Subjects: Website visitors who interact with embedded chatbots, employees and representatives of the Controller

3. Processing on Documented Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller's instructions are documented in this DPA and the Terms of Service. Additional instructions may be given in writing (including email) and will be retained as part of this agreement.

If the Processor considers that an instruction infringes the GDPR or other Union or Member State data protection provisions, it shall immediately inform the Controller.

4. Confidentiality

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security Measures (Technical and Organizational Measures)

In accordance with GDPR Article 32, the Processor implements the following measures to ensure a level of security appropriate to the risk:

  • Encryption: TLS 1.2+ for all data in transit; AES-256 encryption for data at rest in the database
  • Access Control: Row-Level Security (RLS) enforced on all 50 database tables with 87 policies; role-based access controls (RBAC) with 5 distinct permission levels
  • Rate Limiting: Per-endpoint and per-chatbot rate limiting via Upstash Redis to prevent abuse
  • Monitoring: Real-time error tracking via Sentry (EU-hosted in Germany); structured application logging
  • Input Validation: Zod schema validation on all API inputs; content sanitization to prevent injection attacks
  • Authentication: Secure session management via Supabase Auth with refresh token rotation; httpOnly, secure, sameSite cookies
  • Infrastructure: Hosted on Vercel (serverless, auto-scaling); Supabase managed database with automated patching

6. Sub-processor Management

The Controller provides general written authorization for the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days before the change, giving the Controller the opportunity to object.

In accordance with GDPR Article 28(4), the Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract, ensuring that each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

If the Controller objects to a new or replacement sub-processor on reasonable grounds relating to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the Service in accordance with the Terms of Service.

Sub-processor changes will be communicated by email to the Controller's account email address.

Sub-processor                 | Purpose                             | Location     | Transfer Mechanism
------------------------------|-------------------------------------|--------------|-------------------
Supabase Inc.                 | Database, authentication, storage   | USA          | SCCs
Vercel Inc.                   | Application hosting and delivery    | USA          | DPF
OpenAI LLC                    | AI chat response generation         | USA          | DPA
Stripe Inc.                   | Payment processing                  | USA          | DPF
Resend Inc.                   | Transactional email delivery        | USA          | DPF
Upstash Inc.                  | Rate limiting and caching           | EU/USA       | SCCs
Functional Software (Sentry)  | Error monitoring                    | EU (Germany) | N/A (EU-hosted)
Google LLC                    | Analytics (with user consent only)  | USA          | DPF

DPF = EU-US Data Privacy Framework; SCCs = EU Standard Contractual Clauses; DPA = Data Processing Agreement

7. Data Subject Rights Assistance

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under GDPR Chapter III (Articles 15–22).

The Service provides the following self-service tools to support data subject requests:

  • Data export (JSON format) via account settings
  • Account and data deletion via account settings
  • Conversation deletion by end users
  • Cookie consent management and withdrawal via the cookie preferences dialog

For requests that cannot be handled through self-service tools, the Processor shall respond to the Controller's requests within a reasonable timeframe.

8. Compliance Assistance

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  • Security of processing (Article 32)
  • Notification of a personal data breach to the supervisory authority (Article 33)
  • Communication of a personal data breach to the data subject (Article 34)
  • Data protection impact assessments (Article 35)
  • Prior consultation with the supervisory authority (Article 36)

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the Processor's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its effects

This notification enables the Controller to meet its own 72-hour notification obligation to the Autoriteit Persoonsgegevens under GDPR Article 33.

10. Data Deletion and Return

Upon termination of the Service or upon the Controller's request, the Processor shall, at the choice of the Controller:

  • Return all personal data to the Controller in a commonly used, machine-readable format (JSON export via account settings), and/or
  • Delete all personal data within 30 days of termination, unless Union or Member State law requires storage of the personal data (e.g., billing records retained for 7 years under Dutch tax law)

The Processor shall certify deletion upon the Controller's request.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear its own costs of any audit. The Processor may charge reasonable fees for time spent assisting with audits that exceed one per year.

12. International Data Transfers

The Processor shall not transfer personal data to a country outside the EEA unless appropriate safeguards are in place as described in the sub-processor table above (Section 6). Current transfer mechanisms include:

  • EU-US Data Privacy Framework (DPF): For sub-processors certified under the DPF adequacy decision (Stripe, Vercel, Resend, Google)
  • Standard Contractual Clauses (SCCs): For sub-processors not covered by adequacy decisions (Supabase, Upstash)
  • EU-hosted: Sentry processes data within the EU (Germany) — no international transfer

13. AI-Specific Provisions

  • No Training on Customer Data: OpenAI does not train its models on data submitted via the API. The Processor does not use Controller data to train any AI models.
  • No Automated Decision-Making: The Service does not make automated decisions with legal or similarly significant effects on data subjects within the meaning of GDPR Article 22. AI is used solely to generate conversational responses.
  • BYOK: Controllers using Bring Your Own Key (BYOK) encryption accept additional responsibilities as described in the Terms of Service.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service (Section 12 — Limitation of Liability). Nothing in this DPA limits either party's liability for breaches of its obligations under GDPR that cannot be excluded or limited by law.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws of The Netherlands. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, The Netherlands.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

16. Contact

For questions about this DPA or data protection matters:

  • Email: privacy@talkbuildr.com
  • Company: IdeaVista, trading as TalkBuildr
  • KvK: 97755893
  • Address: Amsterdam, The Netherlands