§ 01 Scope & subject matter
The Processor processes personal data on behalf of the Controller when delivering the EasyLiveChat Service. The categories of data subjects include the Controller's employees, agents, contractors, and the end-users with whom the Controller converses through the Service.
The categories of personal data include contact identifiers (name, email, phone, social handles), conversation content, session metadata (IP, user agent, page URL), and any attribute data the Controller chooses to associate with a contact.
§ 02 Nature & duration
The processing has the nature of message storage, real-time routing, search indexing, and channel egress. It lasts for the duration of the underlying subscription. The purpose is to enable the Controller to operate a live-support function across the channels supported by EasyLiveChat.
§ 03 Controller instructions
The Processor will process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by EU or Member State law to which the Processor is subject. In such a case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information.
§ 04 Confidentiality
The Processor ensures that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access is restricted on a least-privilege basis and audited.
§ 05 Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, the Processor implements appropriate technical and organisational measures, including:
- encryption in transit (TLS 1.3) and at rest (AES-256);
- strict tenant isolation enforced at every database read;
- annual SOC 2 Type II audit (report available under NDA);
- continuous vulnerability scanning, quarterly third-party penetration testing;
- documented incident-response runbooks with target response times;
- mandatory two-factor authentication for all EasyLiveChat personnel.
§ 06 Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below. The Processor will notify the Controller in advance of any addition or replacement, and the Controller may object on reasonable grounds within 30 days.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Frankfurt, Dublin |
| Stripe Payments Europe | Payments | Ireland |
| Meta WhatsApp Cloud | WhatsApp channel egress | Ireland |
| Cloudflare | CDN, DDoS, DNS | Global edge |
| Resend | Transactional email | Frankfurt |
| Sentry | Error monitoring (EU instance) | Frankfurt |
§ 07 Assistance with data-subject rights
The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data-subject rights under Chapter III of the GDPR.
§ 08 Personal data breaches
The Processor will notify the Controller without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
§ 09 International transfers
Where personal data is transferred outside the European Economic Area, the transfer is governed by the European Commission's 2021 Standard Contractual Clauses (Module 2 — Controller-to-Processor), which are hereby incorporated by reference, with supplementary technical and organisational measures including end-to-end encryption and split-key management for backups.
§ 10 Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by it. Routine compliance is demonstrated through the annual SOC 2 Type II report; on-site audits require reasonable advance notice and reimbursement of Processor costs.
§ 11 Deletion & return
At the choice of the Controller, the Processor will delete or return all personal data after the end of the provision of services relating to processing, and will delete existing copies unless storage is required by Union or Member State law. On-demand exports are provided in machine-readable JSON or NDJSON format.
§ 12 Liability & order of precedence
The aggregate liability of each party arising out of or in connection with this DPA is subject to the limitations of liability set out in the underlying Terms of Service. In case of conflict between this DPA and any other agreement between the parties on the subject of data processing, this DPA prevails.
QUESTIONS
Write to legal@livechattools.com and we will reply within 5 business days. For DPA/GDPR-specific enquiries: privacy@livechattools.com.
© EasyLiveChat Labs · MMXXVI · Effective from 14 May 2026 · V. 2026.05