Data Processing Agreement

Last updated: June 2026

1. Parties

This Data Processing Agreement ('DPA') is entered into between the Customer (data controller) and Alapchat (data processor).

2. Scope and Duration

This DPA applies to all processing of personal data by Alapchat on behalf of the Customer in connection with the Alapchat service. It remains in effect for the duration of the service agreement.

3. Nature and Purpose of Processing

Alapchat processes personal data to provide the AI chatbot service, including:

4. Data Categories

  • End-user chat messages and AI responses
  • Customer account information (name, email)
  • Uploaded documents and content
  • Usage and billing data

5. Processor Obligations

  • Process data only on documented instructions from the Customer
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior authorization

6. Security Measures

We implement TLS 1.3 encryption in transit, AES-256 encryption at rest, row-level security for tenant isolation, and regular security assessments.

7. Sub-processors

Alapchat uses the following sub-processors:

  • Supabase: Stores application data, conversations, and embeddings
  • Cloudflare: Workers runtime, R2 storage, content delivery
  • Stripe: Processes billing and payment data
  • Google: Google OAuth for login, Gemini AI for chat responses

8. International Transfers

All data is processed within the European Union. No Standard Contractual Clauses are required.


9. Data Breach Notification

Alapchat will notify the Customer of any personal data breach within 72 hours of becoming aware of it, in accordance with GDPR Art. 33.

10. Audit Rights

The Customer has the right to audit Alapchat's data processing practices, subject to reasonable notice and confidentiality obligations.

11. Data Return and Deletion

Upon termination, Alapchat will return or delete all personal data within 30 days, unless retention is required by law.

12. Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement.

13. Contact

For DPA-related inquiries, contact alapchat.com/contact.