Data Processing Agreement
Last updated: July 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ChatForger ("Processor") and the agency using the Service ("Customer", "Controller") whenever Customer's use of ChatForger involves the processing of personal data on Customer's behalf, including personal data of Customer's clients' website visitors. This DPA is automatically incorporated by reference into the Terms of Service and requires no separate signature to take effect. If your organization requires a countersigned copy for internal compliance records, contact us using the details in Section 10.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in Article 4 of the GDPR. "Sub-processor" means a third party engaged by ChatForger to process Personal Data on Customer's behalf.
2. Subject matter and duration
ChatForger processes Personal Data on Customer's behalf as necessary to provide the chatbot, knowledge base, lead capture, and analytics features of the Service. This DPA remains in effect for as long as ChatForger processes Personal Data on Customer's behalf under the Terms of Service.
3. Nature and purpose of processing
ChatForger processes Personal Data to: operate AI chatbots configured by Customer; store and retrieve knowledge base content; capture and store leads submitted by website visitors; generate usage analytics; and facilitate human handover between Customer's agents and website visitors.
4. Categories of data subjects and data
Data subjects: visitors to Customer's (or Customer's clients') websites who interact with a ChatForger-powered widget.
Data categories: chat message content, name/email/phone submitted via lead capture forms, session and device metadata (IP address, user agent, timestamps).
5. Processor obligations
- Process Personal Data only on Customer's documented instructions, as expressed through Service configuration
- Ensure personnel with access to Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 8)
- Assist Customer in responding to Data Subject requests (see Section 7)
- Notify Customer without undue delay upon becoming aware of a Personal Data breach
- Not engage a new Sub-processor without providing Customer the opportunity to object (see Section 6)
6. Sub-processors
Customer authorizes ChatForger to engage the following Sub-processors, each of which is bound by data protection terms consistent with this DPA. The current list is also maintained in Section 5 of the Privacy Policy:
- Supabase: database hosting and authentication
- Anthropic: AI chat completions
- Voyage AI: text embedding for knowledge base search
- Stripe: payment processing
- Resend: transactional email delivery
- Vercel: application hosting
ChatForger will provide at least 14 days' notice via email or in-Service notification before adding a new Sub-processor, giving Customer the opportunity to object on reasonable data protection grounds.
7. Assistance with Data Subject rights
ChatForger will provide reasonable technical assistance to help Customer respond to Data Subject requests (access, rectification, erasure, portability) concerning data processed through the Service. Where a Data Subject contacts ChatForger directly, ChatForger will forward the request to Customer without undue delay.
8. Security measures
ChatForger maintains technical and organizational measures appropriate to the risk, including encryption of data in transit (TLS) and at rest, role-based access controls, row-level security on stored data, HMAC-authenticated session tokens for visitor-facing endpoints, and regular security review of the Service.
9. Data deletion and return
Upon termination of Customer's account, ChatForger will delete Customer's Personal Data within 30 days, except where retention is required by law (see Privacy Policy Section 6 on retention periods, including the 7-year billing record requirement).
10. International transfers and contact
Where Sub-processors are located outside the EU/EEA, ChatForger relies on Standard Contractual Clauses or other approved transfer mechanisms, consistent with the Privacy Policy. For DPA questions, a countersigned copy, or Sub-processor details, contact support@chatforger.com.