Data Processing Agreement
Last updated: 2026-05-26
This Data Processing Agreement ("DPA") forms part of the agreement between Individual Entrepreneur Dmytro Buslov ("Processor", "ChatsControl") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the ChatsControl translation service.
How to execute: review this DPA, then email help@chatscontrol.com with subject "DPA execution" — include your legal entity name, registration number, jurisdiction, and the signatory's contact. We countersign and send a PDF back. Alternatively, this DPA is incorporated by reference into our Terms of Service for customers on Business and Enterprise plans.
1. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Sub-Processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"). "Service" means the ChatsControl document translation service.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Service. Processing continues for the term of the underlying service agreement plus the data retention periods specified in Annex 2.
3. Nature and purpose of processing
The Processor processes Personal Data uploaded by the Controller's authorized users (account credentials, document contents) for the purpose of (a) performing document translation, (b) authenticating users, (c) providing technical support requested by the Controller, and (d) producing aggregated, anonymized service metrics.
4. Categories of Data Subjects and Personal Data
- Data Subjects: the Controller's authorized end users, and any third parties whose Personal Data may appear in documents uploaded to the Service.
- Categories of Personal Data: contact details (name, email), authentication data, document contents (which may include arbitrary categories of Personal Data chosen by the Controller).
- Special categories (health, biometric, etc.) are processed only if uploaded by the Controller; the Controller acknowledges that uploading such data requires lawful basis under Art. 9 GDPR and warrants that such basis exists.
5. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller, including for transfers outside the EEA (the underlying service agreement and this DPA constitute such instructions).
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
- Implement the technical and organizational security measures described in Annex 1.
- Engage Sub-Processors only on the terms set out in Section 7.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to Data Subject requests (Arts. 12–22 GDPR).
- Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services (subject to the retention periods in Annex 2 and applicable law).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (see Section 9).
6. Obligations of the Controller
- The Controller represents and warrants that it has a lawful basis under the GDPR for the Personal Data it instructs the Processor to process and that its instructions comply with applicable law.
- The Controller is responsible for informing Data Subjects about the processing in line with Arts. 13–14 GDPR.
- The Controller is responsible for the accuracy, quality, and legality of the Personal Data it provides.
7. Sub-Processors
The Controller authorizes the Processor to engage the Sub-Processors listed in Annex 3. The Processor will:
- Impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
- Notify the Controller of any intended addition or replacement of Sub-Processors with at least 30 days' notice; the Controller may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection (failing which the Controller may terminate the underlying service agreement without penalty).
8. International transfers
Where the Processor or its Sub-Processors transfer Personal Data outside the European Economic Area, such transfers are made under (a) an adequacy decision of the European Commission, or (b) the EU Standard Contractual Clauses (SCCs) approved by Decision (EU) 2021/914 (Module 3, Processor to Sub-Processor), or (c) other appropriate safeguards under Art. 46 GDPR. The SCCs are incorporated by reference where applicable.
9. Security, incidents, and audits
- The Processor maintains the technical and organizational measures described on the Security page and summarized in Annex 1.
- The Processor notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data (consistent with the Controller's GDPR Art. 33 notification timeline).
- Audits: the Controller may, no more than once per year (and additionally if required by a regulator or following a security incident), request the Processor's most recent security documentation. On-site audits are by mutual agreement and must respect the Processor's confidentiality obligations to other customers.
10. Liability
Liability under this DPA is subject to the liability limitations of the underlying service agreement, except where prohibited by applicable law.
11. Term and termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Sections 5 (last bullet), 9, 10, and 11 survive termination.
Annex 1 — Technical and organizational measures (summary)
- Encryption in transit (TLS 1.2+); passwords stored as bcrypt hashes.
- Access control: SSH-key only, no password auth; staff access to user data only via user support request.
- Cloudflare DDoS / WAF protection; nginx rate limiting.
- Dependency pinning and monthly security updates.
- Sentry error monitoring; structured logging (no card numbers / plaintext passwords / document contents in logs).
- Incident response plan with 72-hour breach notification commitment.
Full details, including a transparent list of measures not yet implemented (disk encryption at rest, automated backups, SOC 2, external pentest): /security.
Annex 2 — Retention
- Documents and translations: retained for as long as the user's account exists; the user can delete them manually at any time.
- Account data: for the term of the agreement plus a 30-day grace period.
- Logs: 90 days.
- Billing records: as required by Ukrainian tax law (3 years).
Annex 3 — Sub-Processors
| Sub-Processor | Purpose | Location | Privacy |
|---|---|---|---|
| OpenRouter, Inc. | LLM gateway for translation and OCR. All requests are routed to Google Gemini via OpenRouter. | United States | link |
| Mailgun Technologies, Inc. | Transactional email delivery (verification codes) | European Union | link |
| Stripe, Inc. | Payment processing | United States / EU | link |
| Hetzner Online GmbH | Server hosting and data storage | European Union (Germany / Finland) | link |
| Cloudflare, Inc. | DNS, DDoS protection, CDN | Global | link |
| Google LLC (Analytics) | Website usage analytics (consent-based) | United States / EU | link |
Questions? Email us at help@chatscontrol.com or on Telegram @mrbuslov.