Data Processing Agreement (DPA)

Last Updated: August 1, 2024

This Data Processing Agreement ("DPA") is incorporated into our Terms of Service and applies to all customers ("Controller" or "Customer") of Toffu AI, Inc. ("Processor" or "Toffu"). By using our services, you agree to the terms of this DPA.

1. Definitions

  • "Applicable Data Protection Law" means all laws and regulations, including GDPR, applicable to the Processing of Personal Data under the Main Agreement.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings given to them in GDPR.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Services" means the services provided by the Processor to the Controller under the Main Agreement.

2. Subject Matter and Scope of Processing

2.1. Nature and Purpose of Processing: The Processor will process Personal Data as necessary to provide the Services under the Main Agreement. The purpose of the Processing is to enable the Controller to use Toffu's AI-powered marketing platform to manage marketing strategies, create content, and engage customers.

2.2. Duration of Processing: The Processor will process Personal Data for the duration of the Main Agreement, unless otherwise agreed upon in writing.

2.3. Categories of Data Subjects: Data Subjects may include the Controller's employees, contractors, customers, and end-users.

2.4. Types of Personal Data:

  • Account Data: Names, email addresses.
  • Chat Data: User prompts, conversation history.
  • Content Data: Marketing content, website content, files, or other materials provided by the Controller.
  • Usage Data: IP addresses, device information, analytics data.
  • Any other Personal Data the Controller chooses to process through the Services.

3. Obligations of the Processor

The Processor agrees to:

  • 3.1. Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
  • 3.2. Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 3.3. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption and regular security testing.
  • 3.4. Sub-processing: Not engage any other processor ("Sub-processor") without the Controller's prior authorization. We maintain an up-to-date list of our Sub-processors here. We ensure any Sub-processor is bound by data protection obligations at least as protective as those in this DPA.
  • 3.5. Data Subject Rights: Assist the Controller with appropriate measures to fulfill the Controller's obligation to respond to requests for exercising Data Subject's rights.
  • 3.6. Personal Data Breaches: Notify the Controller without undue delay after becoming aware of a Personal Data Breach and provide sufficient information to allow the Controller to meet its notification obligations.
  • 3.7. Data Protection Impact Assessments: Assist the Controller in ensuring compliance with its obligations regarding DPIAs and prior consultation with supervisory authorities.
  • 3.8. Deletion or Return of Data: Upon termination of the Main Agreement, at the choice of the Controller, delete or return all Personal Data, unless law requires storage.
  • 3.9. Audits: Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Obligations of the Controller

The Controller warrants that it has complied and will continue to comply with all Applicable Data Protection Laws in its use of the Services and that it has a valid legal basis for the Processing of Personal Data by the Processor.

5. Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) without an adequate level of data protection, unless appropriate safeguards (such as Standard Contractual Clauses) are in place.

6. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement.

7. Governing Law

This DPA shall be governed by the laws of the jurisdiction specified in the Main Agreement.