Data Processing Addendum

Last updated: 2026-06-06

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Scalebloom LLC (“Chatporch”, “Processor”) and the customer (“Customer”, “Controller”). It governs Chatporch’s processing of Personal Data on Customer’s behalf when Customer uses the Chatporch service. In case of conflict between the Terms and this DPA on the subject of data protection, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meanings in the Terms of Service.

  • “Applicable Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK DPL”), the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
  • “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Processing”, and related terms have the meanings given to them in the GDPR (or the equivalent under other Applicable Data Protection Laws).
  • “Customer Personal Data” means Personal Data that Chatporch processes on Customer’s behalf in connection with the service.
  • “Standard Contractual Clauses” or “SCCs” means the EU Commission’s Standard Contractual Clauses approved under Decision 2021/914, as supplemented by the UK International Data Transfer Addendum where applicable.

2. Roles of the parties

The parties agree that, with respect to the processing of Customer Personal Data, Customer is the Controller and Chatporch is the Processor. For Personal Data that Chatporch processes about Customer’s own account (such as Customer’s account identity and billing information), Chatporch is an independent Controller and handles that data under its Privacy Policy.

For the avoidance of doubt: chat conversations between Customer’s site visitors and the Chatporch widget are Customer Personal Data, processed by Chatporch as Processor on Customer’s behalf.

3. Scope and details of processing

The details of processing required by Article 28(3) GDPR are:

  • Subject matter: providing the Chatporch service described in the Terms.
  • Duration: the term of the Terms, plus any post-termination period required to return or delete data.
  • Nature and purpose: hosting an embeddable chat widget on Customer’s website; receiving messages from visitors; generating AI replies; storing conversation logs for the retention period set in the Privacy Policy; and providing the dashboard to Customer.
  • Types of Personal Data: chat message content (which may incidentally include any category of personal data that a visitor chooses to type), a randomly generated conversation identifier, the URL and title of the page on which the widget is open, an approximate country derived from network geo data, and a one-way hashed identifier derived from the visitor’s IP address (scoped per customer site).
  • Categories of Data Subjects: Customer’s website visitors who interact with the widget.
  • Sensitive data: Chatporch does not solicit or require special categories of data. Visitors may voluntarily include such data in chat messages; if Customer’s use case is reasonably likely to elicit it, Customer must obtain a lawful basis and inform visitors accordingly.

4. Customer’s instructions

Customer authorizes Chatporch to process Customer Personal Data: (a) to provide and improve the service in accordance with the Terms and this DPA, (b) as configured by Customer through the dashboard, and (c) as required by applicable law.

Chatporch will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws, and may suspend the affected processing pending resolution.

5. Confidentiality of personnel

Chatporch ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and receive appropriate training on their obligations.

6. Security

Chatporch implements appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex II — Technical and Organizational Measures. Customer agrees that those measures, in light of the state of the art and the nature of the data, are appropriate.

7. Sub-processors

Customer grants Chatporch a general written authorization to engage Sub-processors to process Customer Personal Data, subject to this Section.

  • Chatporch’s current Sub-processors are listed in Annex III — Sub-processors.
  • Each Sub-processor is bound by a written agreement containing data protection obligations no less protective than those in this DPA, including the same Article 28(3) GDPR obligations.
  • Before engaging a new Sub-processor or replacing an existing one, Chatporch will update Annex III and notify Customer by updating this page (and, where reasonable, by email to the address on file) at least 14 days in advance.
  • Customer may object on reasonable data-protection grounds within 14 days of notice. If the parties cannot reach a solution, Customer may terminate the affected service by written notice, with a pro-rata refund of any prepaid fees for the unused portion of the term.
  • Chatporch remains fully liable to Customer for the performance of its Sub-processors’ obligations.

8. International data transfers

Chatporch is established in the United States and may process Customer Personal Data in the United States and in other countries where its Sub-processors operate.

For transfers of Personal Data subject to GDPR, UK GDPR, or the Swiss FADP from the EEA, the United Kingdom, or Switzerland to a country that the European Commission, the UK Government, or the Swiss authorities (as applicable) has not deemed adequate, the parties agree:

  • The EU Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor as applicable) are incorporated by reference into this DPA and apply with Customer as data exporter and Chatporch as data importer.
  • For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated and modifies the SCCs as needed for UK data protection law.
  • For Swiss transfers, references to the GDPR in the SCCs are read as references to the Swiss FADP and references to EU member-state supervisory authorities are read as references to the Swiss Federal Data Protection and Information Commissioner.
  • Chatporch enters into equivalent transfer mechanisms with each Sub-processor it engages that is located outside the EEA, UK, or Switzerland.

The clauses in SCC Section IV (Final Provisions) are completed as follows: governing law is the law of Ireland; the competent courts are the courts of Ireland; supervisory authority is the Irish Data Protection Commission (or, for UK transfers, the UK Information Commissioner’s Office).

9. Data Subject requests

Chatporch will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to Data Subject requests under Applicable Data Protection Laws. The dashboard exposes self-service controls so Customer can access and delete conversations on its own site. Where additional assistance is needed, Customer may contact Chatporch at the address in Section 14.

If Chatporch receives a request directly from a Data Subject relating to Customer’s processing, Chatporch will, without responding, forward it to Customer without undue delay.

10. Security incidents

Chatporch will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed. Chatporch will provide reasonable cooperation to assist Customer in meeting its own breach notification obligations.

Chatporch’s notification of, or response to, an incident is not an acknowledgment of any fault or liability.

11. Data Protection Impact Assessments

Chatporch will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to Chatporch.

12. Return and deletion of data

On termination of the Terms, or at any time during the term on Customer’s written request, Chatporch will, at Customer’s option, delete or return all Customer Personal Data in its active systems, unless retention is required by law. Personal Data residing in routine backups or archives is deleted in the ordinary course of Chatporch’s backup rotation and is not separately accessible during that interval. Conversation logs are in any case automatically deleted on the retention schedule set out in the Privacy Policy (currently 90 days from the last message).

13. Audits

Chatporch will make available to Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, subject to the following:

  • Chatporch satisfies its audit obligation by providing, on Customer’s reasonable written request and no more than once per 12-month period, (i) written responses to a reasonable security questionnaire and (ii) where available, third-party audit reports or certifications (such as SOC 2 or ISO 27001).
  • On-site inspections are not permitted, except where strictly required by a competent supervisory authority or by applicable law that cannot be satisfied by the means above. Any such inspection will be conducted by Customer or an independent auditor reasonably acceptable to Chatporch, during normal business hours, on at least 60 days’ prior written notice (except where a supervisory authority requires shorter notice), no more than once per 12-month period, subject to reasonable confidentiality undertakings, in a manner that does not unreasonably interfere with Chatporch’s operations or compromise the confidentiality of other customers, and at Customer’s sole cost.
  • Customer bears its own costs and reimburses Chatporch’s reasonable costs of any audit-related support, including responses to security questionnaires and any on-site inspection.
  • Audit findings, and any information obtained in connection with an audit, are Chatporch’s confidential information and may be used only to verify compliance with this DPA.

14. Notices

Notices under this DPA go to the email address on Customer’s account (for notices to Customer) and to [email protected] (for notices to Chatporch).

15. Liability

The parties’ aggregate liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service. Each Data Subject’s rights against either party under the SCCs are governed by the SCCs themselves.

16. Term and order of precedence

This DPA takes effect when Customer accepts the Terms and remains in force as long as Chatporch processes Customer Personal Data. Termination of this DPA does not relieve either party of obligations that by their nature should survive.

If there is any conflict between (i) the SCCs, (ii) this DPA, and (iii) the Terms, the order of precedence is (i) > (ii) > (iii) on data protection matters.


Annex I — Description of processing

Data exporter: Customer (the entity that accepts the Terms). Data importer: Scalebloom LLC d/b/a Chatporch, Charlotte, NC, United States. Subject matter, duration, nature, purpose, types of data, categories of Data Subjects: as set out in Section 3. Competent supervisory authority for SCCs: the Irish Data Protection Commission.

Annex II — Technical and organizational measures

Chatporch maintains, at minimum, the following measures:

  • Encryption in transit. All endpoints serving Customer Personal Data are exposed only over HTTPS/TLS.
  • Encryption at rest. Persistent storage of Customer Personal Data uses encryption at rest provided by the relevant managed infrastructure provider.
  • Access control. Production credentials are stored as secrets in Chatporch’s hosting environment and scoped to the Chatporch project. Database credentials are scoped so that the public-facing service cannot reach unrelated data.
  • Authentication. The dashboard requires authentication via established identity methods (email magic-link or third-party OAuth), with session management handled by an established authentication library and rotating session tokens.
  • Authorization. The admin API enforces role-based and site-scoped access checks on every request: customer accounts may only access sites assigned to them.
  • Visitor IP minimization. Raw visitor IP addresses are used in memory only for rate limiting. Where any IP-derived identifier is persisted, it is stored only as a one-way hash scoped per customer site, which prevents correlation of the same visitor across different customers’ sites.
  • Rate limiting and abuse defense. Layered rate limits at multiple time windows enforced at the edge. Origin allowlists enforced on every request. Anti-bot measures deployed on public-facing endpoints.
  • Data minimization in geo. Visitor location is captured at country granularity only.
  • Retention controls. Conversation logs are deleted by an automated sweep within the retention window described in the Privacy Policy. The dashboard exposes self-service deletion for individual conversations and entire sites.
  • Code and deploy controls. Source code and production deploys are managed through established version control and CI providers, with deploy logs retained.
  • Audit log. Configuration changes are recorded with an identifier of the editor and a record of before/after values.
  • Logging. Operational logs are kept only as long as necessary for debugging and abuse investigation.
  • Personnel. Personnel with access to production credentials are bound by confidentiality and use individual credentials with multi-factor authentication where supported by the provider.
  • Incident response. Internal process for triaging, containing, and notifying on Personal Data Breaches within the timeframes set in Section 10.

Chatporch may update these measures from time to time provided the level of protection is not materially decreased.
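The visitor IP minimization measure above relies on the identifier being one-way and scoped per customer site. The following added example (not Chatporch’s code; site names, keys and addresses are constructed) shows one way to realize that property with a per-site keyed HMAC, and why an unkeyed hash does not give it: the IPv4 space is small enough to enumerate, so without a secret key the “hash” is reversible and identical across every site.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed per-site keys for the example. Each customer site gets its own
# random 256-bit key; a real deployment would keep these in secret storage.
SITE_KEYS = {
    "site-a": secrets.token_bytes(32),
    "site-b": secrets.token_bytes(32),
}


def normalize_ip(ip: str) -> str:
    # Canonical form so "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" map to one identifier.
    return ipaddress.ip_address(ip).compressed


def visitor_id(site: str, ip: str) -> str:
    """One-way identifier for (site, ip): HMAC-SHA256 keyed with the site's own key.

    The secret key is what makes the value non-invertible in practice; a salt
    alone would not stop enumeration of the 2^32 IPv4 addresses.
    """
    key = SITE_KEYS[site]
    return hmac.new(key, normalize_ip(ip).encode(), hashlib.sha256).hexdigest()


def unscoped_id(ip: str) -> str:
    """Unkeyed SHA-256 of the IP: deterministic everywhere, so any two sites
    (or any party with the hash) can join records on it."""
    return hashlib.sha256(normalize_ip(ip).encode()).hexdigest()


def linkable_across_sites(ip: str) -> bool:
    """True if site-a and site-b would derive the same identifier for a visitor."""
    return visitor_id("site-a", ip) == visitor_id("site-b", ip)
```

Within one site the identifier stays stable (rate limiting and abuse investigation still work), while the same visitor on another customer’s site yields an unrelated value.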

Annex III — Sub-processors

The following Sub-processors are engaged by Chatporch:

Sub-processor                 Service provided                                                            Location of processing
Cloudflare, Inc.              Hosting (Workers), edge KV (rate limiting), CDN, DNS                        Global edge
Turso (ChiselStrike, Inc.)    Primary database for accounts, site configuration, and conversation logs    United States
Anthropic, PBC                Large-language-model inference for chat replies                             United States
Mailgun Technologies, Inc.    Transactional email (magic-link sign-in, account notifications)             United States
Google LLC                    OAuth identity provider (optional sign-in method)                           Global
Netlify, Inc.                 Hosting for the chatporch.com marketing site                                United States / Global
GitHub, Inc.                  Source-code hosting and deploy pipeline                                     United States

Chatporch will update this Annex when Sub-processors change, in accordance with Section 7.