Data Processing Agreement
Last updated: October 27, 2025
This agreement is between Botennica Inc. (Data Processor) and our customers (Data Controller) for the processing of personal data in accordance with GDPR and other applicable data protection laws.
1. Definitions
"Data Controller" means the customer who determines the purposes and means of processing personal data.
"Data Processor" means Botennica Inc., which processes personal data on behalf of the Data Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or destruction.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
2. Subject Matter and Duration
This agreement governs the processing of personal data by Botennica Inc. on behalf of our customers in connection with our AI chatbot services. The duration of this agreement corresponds to the duration of the service agreement between the parties.
The Data Processor will process personal data only for the purposes specified in this agreement and in accordance with the Data Controller's documented instructions.
3. Nature and Purpose of Processing
The Data Processor processes personal data for the following purposes:
- Providing AI chatbot services and functionality
- Processing uploaded documents and context for chatbot responses
- Managing user accounts and authentication
- Providing customer support and technical assistance
- Improving our AI models and services (using anonymized data)
- Complying with legal obligations
The types of personal data processed may include names, email addresses, IP addresses, uploaded documents, chatbot conversation logs, and usage analytics.
4. Data Controller Obligations
The Data Controller is responsible for:
- Ensuring they have a legal basis for processing personal data
- Providing clear information to data subjects about data processing
- Obtaining necessary consents from data subjects
- Ensuring the accuracy and quality of personal data
- Implementing appropriate security measures
- Responding to data subject rights requests
The Data Controller must ensure that any personal data uploaded to our services complies with applicable data protection laws and does not contain sensitive personal information without proper legal basis.
5. Data Processor Obligations
5.1 Processing Instructions
The Data Processor will:
- Process personal data only on documented instructions from the Data Controller
- Ensure that persons authorized to process personal data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure data security
- Assist the Data Controller in responding to data subject rights requests
- Notify the Data Controller immediately of any data breaches
5.2 Security Measures
The Data Processor implements the following security measures:
- Encryption of data in transit and at rest using industry-standard protocols
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Secure data centers with physical and environmental controls
- Incident detection and response procedures
- Regular backup and disaster recovery procedures
5.3 Subprocessors
The Data Processor may engage subprocessors to assist in providing services. All subprocessors are bound by data protection obligations at least as protective as those in this agreement. A current list of subprocessors is available upon request.
6. Data Subject Rights
The Data Processor will assist the Data Controller in fulfilling data subject rights requests, including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
The Data Processor will respond to such requests within 30 days and provide the Data Controller with the necessary information to fulfill the request.
7. Data Breach Notification
In the event of a personal data breach, the Data Processor will:
- Notify the Data Controller without undue delay, and in any case within 72 hours
- Provide detailed information about the breach, including the nature of the breach, categories of data affected, and number of data subjects
- Describe the likely consequences of the breach
- Outline measures taken or proposed to address the breach
- Provide contact details for further information
The Data Processor will document all data breaches and maintain records of the facts, effects, and remedial actions taken.
8. Data Retention and Deletion
Personal data will be retained only for as long as necessary to provide the services or as required by law. Upon termination of services or at the Data Controller's request, the Data Processor will:
- Return all personal data to the Data Controller in a structured, commonly used format
- Delete all personal data from its systems
- Provide written confirmation of deletion
- Ensure that any subprocessors also delete the data
The Data Processor may retain anonymized, aggregated data for service improvement purposes, provided it cannot be used to identify individuals.
9. Audit Rights
The Data Controller has the right to audit the Data Processor's compliance with this agreement. The Data Processor will:
- Provide reasonable access to relevant facilities, systems, and personnel
- Allow inspection of data processing activities
- Provide documentation and evidence of compliance
- Cooperate with any regulatory audits or inspections
Audits will be conducted during normal business hours with reasonable notice and will not interfere with the Data Processor's operations.
10. International Data Transfers
The Data Processor may transfer personal data to countries outside the European Economic Area (EEA). Such transfers will be made in accordance with GDPR requirements, including:
- Adequacy decisions by the European Commission
- Appropriate safeguards such as Standard Contractual Clauses
- Binding corporate rules
- Other mechanisms approved by data protection authorities
The Data Processor will ensure that all international transfers comply with applicable data protection laws and provide appropriate safeguards for personal data.
11. Liability and Indemnification
Each party's liability under this agreement is limited to the extent permitted by applicable law. The Data Processor will indemnify the Data Controller for any damages resulting from the Data Processor's breach of this agreement.
The Data Controller will indemnify the Data Processor for any damages resulting from the Data Controller's breach of their obligations under this agreement or applicable data protection laws.
12. Governing Law and Disputes
This agreement is governed by the laws of the jurisdiction where Botennica Inc. is incorporated. Any disputes will be resolved through binding arbitration in accordance with the rules of the American Arbitration Association.
The parties agree to attempt to resolve disputes amicably before pursuing formal dispute resolution procedures.
13. Contact Information
For questions about this Data Processing Agreement or data protection matters, please contact:
Data Protection Officer: [email protected]
Legal Department: [email protected]
Address: Goudhi Purwa, Nighasan Lakhimpur Kheri, Uttar Pradesh, India, 262903
Phone: +91 9415455867