Data processing terms

Data Processing Agreement

The Zybots Data Processing Agreement for customers using Zybots to process personal data through AI assistants, widgets, APIs, AI Actions, integrations, analytics, lead capture, and knowledge base processing.

Last updated

May 2026

Customer

The person, company, organization, or legal entity using Zybots to process Personal Data

Processor

GLOSOFT SOLUTIONS SRL, operating the Zybots platform

Scope

Customer Personal Data processed by Zybots on behalf of the Customer

Enterprise

Enterprise customers may request a signed copy or separately negotiated DPA

1. Agreement, parties, and acceptance

This Data Processing Agreement ("DPA") forms part of the Zybots Terms and Conditions and applies when Zybots processes Personal Data on behalf of a Customer in the course of providing the Zybots services.

This DPA is entered into between the Customer, meaning the person, company, organization, or other legal entity that creates an account, subscribes to a plan, signs an order form, or otherwise uses Zybots to process Personal Data, and Processor, meaning GLOSOFT SOLUTIONS SRL, operating the Zybots platform.

GLOSOFT SOLUTIONS SRL has its registered office at Str. Turda, nr. 98, bl. 29A, sc. 2, et. 8, ap. 26, Sector 1, Bucharest, Romania, is registered with the Trade Register under no. J2017000654526, and has VAT / Tax ID RO38032549 / CUI 38032549.

This DPA is accepted electronically as part of the Zybots Terms and Conditions. Enterprise customers may request a signed copy or a separately negotiated data processing agreement. If there is any conflict between this DPA and the Terms and Conditions regarding the processing of Personal Data on behalf of the Customer, this DPA will prevail for that processing.

2. Definitions

"Agreement" means the Zybots Terms and Conditions, this DPA, any applicable order form, subscription plan, enterprise agreement, or other written agreement between the parties. "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including GDPR, Romanian data protection laws, and any other applicable EU, EEA, UK, or local data protection laws.

"Controller" means the entity that determines the purposes and means of processing Personal Data. "Processor" means the entity that processes Personal Data on behalf of the Controller. "Sub-processor" means any third party engaged by Zybots to process Personal Data on behalf of the Customer.

"Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA. "Customer Personal Data" means Personal Data processed by Zybots on behalf of the Customer through the Zybots services.

"Customer Content" means content, data, documents, files, URLs, prompts, instructions, Q&A pairs, corrections, conversations, lead data, API data, integration data, and other materials submitted, uploaded, connected, or processed by the Customer through Zybots. "End User" means a visitor, customer, prospect, user, employee, contractor, or other individual who interacts with a Zybots bot, widget, API, integration, or AI assistant deployed or configured by the Customer.

"Services" means the Zybots website, platform, dashboard, AI assistants, widgets, APIs, AI Actions, integrations, analytics, lead capture, knowledge base processing, documentation, and related SaaS services. Terms such as processing, data subject, personal data breach, supervisory authority, and special categories of personal data have the meanings given in GDPR or other Applicable Data Protection Laws.

3. Roles of the parties

For Customer Personal Data processed through the Services, the Customer is usually the Controller and Zybots is the Processor. If the Customer processes Personal Data on behalf of another Controller, such as when an agency uses Zybots for a client, the Customer acts as Processor or Sub-processor, and Zybots acts as Sub-processor.

The Customer is responsible for determining the purposes and means of processing Customer Personal Data. Zybots will process Customer Personal Data only on behalf of and according to the documented instructions of the Customer, except where required by EU or Member State law.

Zybots acts as an independent Controller for Personal Data processed for its own purposes, such as account administration, billing, security, fraud prevention, website analytics, legal compliance, product administration, and business communications. Such processing is described in the Zybots Privacy Policy and is not governed by this DPA.

4. Scope, subject matter, and duration

The subject matter of processing is the processing of Customer Personal Data through the Zybots Services. Zybots will process Customer Personal Data for the duration of the Agreement and as necessary to provide the Services.

Processing may relate to AI chat widgets, AI assistant configuration, website and sitemap training, uploaded files and documents, text sources, Q&A pairs, corrections, conversation history, lead capture, analytics, API usage, AI Actions, third-party integrations, omnichannel messages, support workflows, workspace administration, bot deployment, security, and abuse prevention.

After the Agreement ends, Zybots will delete, return, anonymize, or restrict Customer Personal Data in accordance with this DPA, the Terms, the Privacy Policy, product settings, backup retention, and applicable legal obligations. Zybots may retain certain data where required or permitted by law, including for billing, tax, accounting, fraud prevention, security, dispute resolution, legal compliance, backups, and enforcement of rights.

5. Customer instructions

The Customer instructs Zybots to process Customer Personal Data as necessary to provide, secure, support, maintain, and improve the Services according to the Agreement, product settings, API calls, integration configuration, and documented Customer instructions.

Customer instructions include account and workspace settings, bot configuration, knowledge base sources, widget deployment settings, AI Actions configuration, integration settings, API requests, retention and deletion settings, lead capture settings, support requests, and written instructions agreed by the parties.

Zybots will not process Customer Personal Data for purposes incompatible with these instructions unless required by applicable law. If Zybots believes that an instruction infringes Applicable Data Protection Laws, Zybots will inform the Customer unless prohibited by law. Zybots may suspend processing where necessary to prevent unlawful processing, security incidents, abuse, platform disruption, or violation of the Agreement.

6. Customer obligations

The Customer is responsible for the accuracy, quality, legality, and appropriateness of Customer Content and Customer Personal Data. The Customer is responsible for responding to data subject requests where it acts as Controller.

The Customer must not use Zybots to process Personal Data in a manner that violates the Terms, Acceptable Use Policy, Privacy Policy, AI Transparency Notice, or Applicable Data Protection Laws.

  • The Customer has a valid legal basis for processing Customer Personal Data.
  • The Customer has provided required notices to End Users and data subjects.
  • The Customer has obtained required consents where consent is necessary.
  • The Customer has the right to submit, upload, connect, scrape, import, or otherwise process Customer Content through Zybots.
  • The Customer's use of Zybots complies with Applicable Data Protection Laws, AI transparency rules, consumer protection rules, and sector-specific requirements.
  • The Customer's instructions to Zybots are lawful.
  • The Customer will not submit unnecessary sensitive, regulated, or high-risk Personal Data unless it has appropriate safeguards and legal basis.
  • The Customer will configure bots, widgets, lead capture, AI Actions, integrations, and APIs lawfully.
  • The Customer will inform End Users when they are interacting with an AI assistant where required by law.

7. Zybots processor obligations

Zybots will process Customer Personal Data only on documented Customer instructions, ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations, implement appropriate technical and organizational measures, and use Sub-processors only in accordance with this DPA.

Zybots will reasonably assist the Customer with data subject requests, security, breach notification, data protection impact assessments, and regulatory consultations where required by law and reasonably possible. Zybots will delete or return Customer Personal Data at the end of the Services, subject to legal retention and backup limits, make available information reasonably necessary to demonstrate compliance with Article 28 GDPR obligations, and notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8. Confidentiality and security measures

Zybots shall ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations, whether contractual, statutory, or professional. Access to Customer Personal Data will be limited to personnel and Sub-processors who need access to provide, secure, support, maintain, or improve the Services. Confidentiality obligations will survive termination of the Agreement.

Zybots shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, or other unlawful processing. Security Measures may evolve over time, provided that updates do not materially reduce the overall level of protection for Customer Personal Data.

The Customer is responsible for securing its own accounts, using strong passwords, protecting API keys, limiting team access, configuring integrations safely, securing its own websites and applications, and ensuring that Customer-side systems are protected.

9. Personal Data Breach

Zybots shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Where not all information is available at once, Zybots may provide information in phases without undue further delay.

The notification will include, where available, a description of the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, measures taken or proposed to address the breach, measures to mitigate possible adverse effects, and a contact point for follow-up.

The Customer is responsible for determining whether it must notify a supervisory authority or affected data subjects. Zybots will reasonably assist the Customer with breach assessment and notification obligations where required by Applicable Data Protection Laws. Zybots' notification of a breach is not an admission of fault or liability.

10. Data subject requests and compliance assistance

Zybots shall, to the extent legally required and reasonably possible, assist the Customer in responding to data subject requests relating to Customer Personal Data, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint handling.

If Zybots receives a request directly from a data subject concerning Customer Personal Data, Zybots may refer the data subject to the Customer, unless legally required to respond directly. The Customer remains responsible for verifying the identity of the requester and determining whether and how to respond.

Zybots shall reasonably assist the Customer with compliance obligations under Applicable Data Protection Laws, taking into account the nature of processing and the information available to Zybots. Assistance may include documentation, platform features, exports, support responses, security summaries, questionnaires, or written information. Reasonable fees may apply for assistance outside normal support scope.

11. Sub-processors

The Customer grants Zybots general authorization to engage Sub-processors to provide the Services. Zybots may use Sub-processors for functions such as cloud hosting, database hosting, file storage, vector storage or search, AI/model processing, embeddings, payment processing, email delivery, analytics, logging and monitoring, customer support, messaging, security, integrations, error tracking, and infrastructure management.

Zybots shall ensure that Sub-processors are bound by written obligations that provide at least substantially similar data protection obligations to those in this DPA, to the extent applicable to the services provided by the Sub-processor. Zybots remains responsible for the performance of its Sub-processors' obligations under this DPA.

A list of Sub-processors or categories of Sub-processors is provided in Annex 3 or on a public Sub-processors page. Zybots may update the Sub-processor list from time to time. Where required by Applicable Data Protection Laws or enterprise agreement, Zybots will provide notice of new Sub-processors and allow the Customer to object on reasonable data protection grounds. If the Customer reasonably objects, the parties will work in good faith to find a commercially reasonable solution. If no solution is available, the Customer may terminate the affected Services according to the Agreement.

12. International transfers

Zybots may process or transfer Customer Personal Data outside Romania, the European Union, or the European Economic Area where necessary to provide the Services. Where Customer Personal Data is transferred internationally, Zybots shall use appropriate safeguards as required by Applicable Data Protection Laws.

Safeguards may include European Commission Standard Contractual Clauses, adequacy decisions, transfer impact assessments where appropriate, contractual security and confidentiality obligations, encryption, access controls, data minimization, Sub-processor due diligence, and other lawful transfer mechanisms.

The Customer authorizes Zybots to enter into Standard Contractual Clauses with Sub-processors where necessary. Where required, the parties will cooperate to implement additional measures for international transfers.

13. AI providers and model processing

Zybots may use third-party AI model providers, embedding providers, inference providers, or AI infrastructure providers to deliver AI assistant functionality. Such processing may include generating AI responses, retrieving relevant knowledge base context, creating embeddings, summarizing conversations, extracting leads, classifying messages, powering AI Actions, and improving safety and reliability.

Unless expressly stated otherwise, Zybots will not intentionally allow third-party AI model providers to use Customer Personal Data submitted through the Services to train their general-purpose AI models. The Customer acknowledges that AI providers may process Customer Personal Data as Sub-processors where required to provide the Services.

The Customer is responsible for ensuring that it does not submit sensitive, regulated, or prohibited data to AI features unless lawful and appropriately protected.

14. AI outputs and Customer responsibility

Zybots may generate AI outputs based on Customer Content, prompts, instructions, retrieval systems, integrations, and third-party model providers. This DPA governs processing of Personal Data. It does not guarantee the accuracy, legality, or suitability of AI outputs for the Customer's business use case.

  • Configure bots lawfully.
  • Test bots before deployment.
  • Review outputs where appropriate.
  • Define escalation and handoff rules.
  • Correct inaccurate or incomplete answers.
  • Inform End Users that they are interacting with AI where required.
  • Ensure outputs are not used for prohibited or high-risk decisions without appropriate safeguards.

15. Special categories of data and regulated data

The Customer shall not submit, upload, connect, or process special categories of Personal Data or regulated data through Zybots unless it has a valid legal basis and appropriate safeguards. Unless expressly agreed in writing, Zybots is not intended for processing regulated medical records, payment card data, high-risk automated decision data, or other highly sensitive data.

  • Health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, and criminal offence data.
  • Children's data, financial account data, government identification data, authentication secrets, and payment card data requiring PCI-DSS compliance.

16. Deletion and return of Customer Personal Data

During the term of the Agreement, the Customer may delete or export certain Customer Personal Data using platform features, where available. Upon termination or expiration of the Agreement, Zybots will delete, return, anonymize, or restrict Customer Personal Data according to the Agreement, product functionality, plan limits, Customer instructions, retention settings, legal obligations, backup rotation, and security requirements.

Zybots may retain Customer Personal Data where necessary for billing, tax, accounting, legal compliance, dispute resolution, fraud prevention, security investigations, abuse prevention, backup retention, or enforcement of rights. Backups may retain deleted data for a limited period until backup rotation completes. Zybots is not required to restore deleted Customer Personal Data unless required by law or expressly agreed in writing.

17. Audits and compliance information

Zybots shall make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR obligations, such as this DPA, security summaries, Sub-processor information, technical and organizational measures, privacy documentation, compliance questionnaires, certifications or reports if available, and written responses to reasonable audit questions.

If legally required and where written information is insufficient, the Customer may request an audit. Audits must be limited to Customer Personal Data processing, conducted during normal business hours, subject to reasonable prior written notice, avoid disruption to Zybots operations, protect confidentiality and security of other customers, be performed by an independent qualified auditor under confidentiality obligations, and not include access to systems, data, or infrastructure that would compromise security or third-party confidentiality.

Zybots may charge reasonable fees for audit support unless prohibited by law or agreed otherwise. No audit may be performed more than once per year unless required due to a confirmed Personal Data Breach or supervisory authority request.

18. Records, impact assessments, and prior consultation

Zybots shall maintain records of processing activities where required by Applicable Data Protection Laws. The Customer is responsible for maintaining its own records of processing activities, including records relating to its use of Zybots, legal bases, categories of data subjects, categories of Personal Data, recipients, transfers, retention periods, and security measures.

Where the Customer is required to conduct a data protection impact assessment or consult a supervisory authority regarding its use of Zybots, Zybots will provide reasonable assistance, taking into account the nature of processing and information available to Zybots. Assistance may include product documentation, security information, Sub-processor information, data flow descriptions, retention information, and answers to reasonable questions. The Customer remains responsible for determining whether a DPIA or prior consultation is required.

19. Government requests and other security incidents

If Zybots receives a legally binding request from a public authority, court, regulator, or law enforcement body for Customer Personal Data, Zybots will, where legally permitted, notify the Customer, review the request, disclose only the data legally required, and challenge or limit the request where appropriate and legally possible.

Zybots may disclose Customer Personal Data without Customer notice where legally prohibited from notifying the Customer or where urgent disclosure is required by law. Zybots may investigate and remediate security events, abuse signals, suspicious activity, or policy violations that do not constitute a Personal Data Breach. Zybots is not required to notify the Customer of every security event unless required by law or the event materially affects Customer Personal Data.

20. Customer audits of End User data

The Customer is responsible for ensuring that it can identify, export, delete, or correct End User data where required. Zybots may provide product features or support assistance, but the Customer remains responsible for verifying the requester's identity, determining legal basis, deciding whether exceptions apply, responding within legal deadlines, and documenting responses.

21. Changes, liability, and termination

Zybots may update this DPA from time to time. If changes are material, Zybots will take reasonable steps to notify Customers, such as through website notice, email, dashboard notice, or updates to the legal page. The updated DPA will apply from the effective date stated on the page. If the Customer continues using the Services after the updated DPA becomes effective, the Customer is deemed to have accepted the updated DPA.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except where such limitations are prohibited by Applicable Data Protection Laws. Nothing in this DPA limits either party's liability where liability cannot be limited under applicable law.

This DPA remains in effect while Zybots processes Customer Personal Data on behalf of the Customer. It terminates automatically when the Agreement terminates, Zybots no longer processes Customer Personal Data on behalf of the Customer, and all Customer Personal Data has been deleted, returned, anonymized, or lawfully retained according to this DPA. Obligations that by their nature should survive termination will survive.

22. Contact

For questions about this DPA, data protection, Sub-processors, or privacy requests, contact GLOSOFT SOLUTIONS SRL at [email protected] or [email protected].

Registered office: Str. Turda, nr. 98, bl. 29A, sc. 2, et. 8, ap. 26, Sector 1, Bucharest, Romania. Trade Register: J2017000654526. VAT / Tax ID: RO38032549 / CUI 38032549. Website: https://www.zybots.ai. Platform: https://app.zybots.ai.

Annex 1: Processing Details

Subject matter: processing of Customer Personal Data through the Zybots Services, including AI assistants, widgets, dashboards, APIs, knowledge base features, lead capture, conversations, analytics, AI Actions, integrations, and support workflows.

Duration: for the duration of the Agreement and as necessary to provide the Services, followed by deletion, return, anonymization, restriction, or lawful retention according to the DPA, Terms, Privacy Policy, product settings, and legal obligations.

Nature of processing may include collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, disclosure to authorized Sub-processors, alignment or combination, restriction, deletion, anonymization, analysis, embedding generation, AI inference, summarization, classification, lead extraction, analytics, logging, backup, and security monitoring.

Purpose: to operate AI assistants, answer End User questions, process chat conversations, capture and manage leads, train and retrieve from knowledge sources, process uploaded files and documents, generate embeddings, run AI Actions, connect integrations, provide analytics, support API workflows, provide customer support, secure the platform, detect abuse and fraud, maintain logs and backups, and comply with Customer instructions.

  • Data subjects may include Customer employees, contractors, team members, administrators, clients, prospects, website visitors, End Users, leads, support contacts, ecommerce shoppers, appointment requesters, students or applicants, business contacts, and other individuals whose Personal Data is submitted by the Customer.
  • Personal Data may include names, email addresses, phone numbers, company names, job titles, chat messages, lead form data, custom lead fields, conversation metadata, IP addresses, device and browser data, approximate location, timestamps, website URLs, user identifiers, support request data, uploaded document content, knowledge base content, Q&A content, correction content, API data, integration data, booking information, ecommerce-related data, analytics events, and bot configuration data.
  • Frequency of processing is continuous, as initiated by the Customer, End Users, APIs, widgets, integrations, AI Actions, scheduled processes, retraining jobs, or platform operations.

Annex 2: Technical and Organizational Measures

Zybots implements technical and organizational measures designed to protect Customer Personal Data. Measures may evolve as the platform develops.

  • Access control: authentication, role-based access, least privilege, internal restrictions, workspace permissions, admin limits, access review, and separation between customer workspaces.
  • Authentication and credential protection: secure session management, account verification, API key management, credential rotation where appropriate, and protection of secrets and tokens.
  • Encryption and transmission security: HTTPS/TLS, secure API communication, provider-managed storage protection where available, and secure handling of secrets and credentials.
  • Hosting and infrastructure security: reputable cloud providers, network protections, infrastructure access controls, secure configuration, environment separation, patching, and monitoring.
  • Application security: input validation, authentication controls, authorization checks, rate limiting, abuse prevention, security logging, secure development practices, and testing before production release.
  • Logging, monitoring, backup, recovery, availability, personnel security, Sub-processor controls, data minimization, incident response, and cloud-provider physical security controls.
  • Customer-side responsibilities: secure passwords, limited workspace access, API key protection, secure website deployment, lawful widget use, secure integrations, team review, and avoidance of unnecessary sensitive data.

Annex 3: Sub-processors

Zybots may use Sub-processors to provide the Services. The exact providers may change as the platform evolves.

| Category | Purpose |
| --- | --- |
| Cloud hosting providers | Hosting application servers, infrastructure, networking, and compute |
| Database providers | Storing workspace, bot, conversation, lead, and configuration data |
| File storage providers | Storing uploaded files, documents, exports, and related assets |
| Vector database / search providers | Knowledge retrieval, embeddings, and semantic search |
| AI/model providers | AI inference, embeddings, summarization, classification, and assistant responses |
| Payment processors | Subscription billing, payment processing, and invoice metadata |
| Email providers | Transactional emails, account notices, and support messages |
| Analytics providers | Product analytics, website analytics, and performance measurement |
| Logging and monitoring providers | Error tracking, observability, uptime, and incident analysis |
| Customer support providers | Support tickets and customer communications |
| Messaging providers | Omnichannel messaging, WhatsApp, Instagram, Messenger, or related channels |
| Integration providers | Shopify, WooCommerce, Stripe, Calendly, Cal.com, Slack, Zendesk, Web Search, and Custom REST workflows |
| Security providers | Abuse prevention, fraud detection, and infrastructure security |
| Consent management providers | Cookie consent and preference management |

Annex 4: International Transfer Addendum

Where Customer Personal Data is transferred outside the EEA or another protected jurisdiction, Zybots shall rely on appropriate transfer mechanisms required by Applicable Data Protection Laws, such as adequacy decisions, Standard Contractual Clauses, supplementary measures, contractual safeguards, technical safeguards, and transfer impact assessments where appropriate.

Where required, the parties agree that the relevant European Commission Standard Contractual Clauses apply to the transfer of Customer Personal Data. For controller-to-processor transfers, Module Two may apply. For processor-to-processor transfers, Module Three may apply.

Zybots may apply supplementary measures where appropriate, including encryption in transit, access controls, data minimization, contractual confidentiality, limited access, security review of providers, monitoring and logging, and provider due diligence. Zybots shall use reasonable efforts to ensure that Sub-processors provide appropriate safeguards regarding government access requests where required by Applicable Data Protection Laws.

Annex 5: Optional Enterprise Terms

The terms in this Annex apply only if expressly agreed in an enterprise order form, signed agreement, or written amendment. Enterprise Customers may request a signed version of this DPA, custom retention periods, advance notice of new Sub-processors and a defined objection period, reasonable security questionnaires or vendor assessments, additional transfer documentation where legally required, and separate SLA, uptime, support, or incident response commitments only if agreed in writing.

Important note

This DPA forms part of the Zybots Terms and Conditions when Zybots processes Personal Data on behalf of a Customer. Enterprise agreements, signed order forms, or mandatory data protection law may supplement or override this public DPA where applicable.