Data Processing Agreement
This Data Processing Agreement establishes the terms under which personal data is processed on behalf of our customers in compliance with GDPR, UK GDPR, and UAE PDPL.
Parties, Purpose and Effective Date
This Data Processing Agreement («DPA») is entered into between Verbox Technologies LLC, a limited liability company incorporated in Dubai, United Arab Emirates («Processor» or «Verbox»), and the customer entity that has accepted the Verbox Terms of Service («Controller» or «Customer»). Together, the parties are referred to as the «Parties».
This DPA governs the processing of personal data by Verbox on behalf of the Customer in connection with the provision of the Verbox AI chatbot platform and related services (the «Services») as described in the Verbox Terms of Service. This DPA forms an integral part of and is incorporated into the Terms of Service by reference.
This DPA takes effect from the date on which the Customer accepted the Terms of Service, or — if a separately executed DPA addendum is signed — from the date of last signature. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 («GDPR»), Article 28 of the UK GDPR, and the data processor obligations under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data («UAE PDPL»), and any other applicable data protection legislation in force during the term of the Services.
Definitions
«Controller» means the Customer entity that determines the purposes and means of processing personal data transmitted to or collected through the Verbox platform on behalf of that Customer.
«Processor» means Verbox Technologies LLC, which processes personal data on behalf of the Controller in accordance with documented instructions under this DPA.
«Personal Data» means any information relating to an identified or identifiable natural person («Data Subject»), as defined in GDPR Article 4(1) and UAE PDPL Article 1. This includes names, email addresses, conversation content, behavioral data, and any other data that enables identification of a natural person either directly or indirectly.
«Special Categories of Personal Data» means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person's sex life or sexual orientation, as defined in GDPR Article 9.
«Sub-processor» means any third-party entity engaged by Verbox to process personal data on behalf of the Controller in connection with the Services.
«Processing» means any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
«Data Breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
«Standard Contractual Clauses» or «SCCs» means the clauses approved by the European Commission under Decision 2021/914 for the transfer of personal data to third countries.
«DIFC» means the Dubai International Financial Centre.
Details of Processing
Nature of Processing: Verbox processes personal data to operate and deliver the Services, which include: storing and retrieving training documents and knowledge base content; generating vector embeddings for AI retrieval; processing conversational inputs and outputs in real time; computing analytics aggregations; transmitting data to configured integration channels (e.g., WhatsApp, Telegram, Slack, custom APIs); performing live agent handoff; logging audit trails; and managing billing and account operations.
Purpose of Processing: The sole purpose of Verbox's processing of personal data under this DPA is to provide, maintain, secure, and support the Services as contracted by the Controller. Verbox does not process personal data for any purpose beyond the documented instructions of the Controller except where required by applicable law.
Categories of Personal Data: Depending on the Controller's use of the Platform, the categories of personal data processed may include: identity data (names, email addresses, usernames); contact data; conversation transcripts and message content; device and technical identifiers (IP addresses, browser/device type); behavioral and usage data; professional data (job titles, company information); and, if the Controller's end users provide them within conversations, any other category of personal data.
Special Categories: This DPA does not authorize the processing of Special Categories of Personal Data unless expressly agreed in a separate addendum and subject to appropriate safeguards. The Controller is solely responsible for ensuring that its chatbot configurations do not solicit or collect Special Category data without the required legal bases and safeguards.
Data Subjects: The categories of data subjects whose personal data is processed under this DPA include: the Controller's end users who interact with deployed chatbots; the Controller's team members who access the platform dashboard; and any individuals whose personal data is contained in documents or content uploaded by the Controller.
Duration: The processing of personal data under this DPA commences on the effective date and continues for the duration of the Services contract. Upon termination, processing is limited to fulfilling deletion and export obligations as specified in this DPA.
Controller's Obligations
The Controller represents and warrants that it has established and will maintain a valid legal basis under applicable data protection law for all personal data it provides to Verbox for processing. This includes, where required, obtaining valid and documented consent from data subjects prior to initiating conversations or collecting their personal data through the Platform.
The Controller is responsible for implementing and maintaining a lawful, fair, and transparent privacy notice that informs end users about the processing of their personal data through AI-powered chatbots, the purposes of processing, data retention periods, and their rights as data subjects.
The Controller shall provide Verbox with documented instructions governing the processing of personal data and shall promptly notify Verbox of any changes to those instructions. The Controller acknowledges that Verbox's configuration options within the Platform constitute the primary mechanism for giving such instructions.
The Controller is responsible for conducting any required Data Protection Impact Assessments (DPIAs) in connection with the deployment of the Platform and for carrying out prior consultation with supervisory authorities where DPIAs identify high residual risks.
The Controller shall ensure that any personal data provided to Verbox is accurate, relevant, and limited to what is necessary for the intended chatbot use case, consistent with the principle of data minimization.
Processor's Obligations
Verbox shall process personal data solely on the documented instructions of the Controller, including with respect to transfers of personal data to third countries. Verbox shall immediately notify the Controller in writing if, in its opinion, an instruction infringes applicable data protection law, and shall suspend execution of that instruction pending resolution.
Verbox shall ensure that all personnel and contractors authorized to process personal data are bound by enforceable contractual confidentiality obligations and have received adequate data protection training. Access to personal data is granted on a strict need-to-know basis.
Verbox shall implement and maintain the technical and organizational security measures described in Section 7 (Security Measures) of this DPA, which represent an appropriate level of security given the nature, scope, context, and purposes of the processing and the associated risks.
Verbox shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in this DPA and shall cooperate fully with audits and inspections conducted in accordance with Section 9 (Audit Rights).
Verbox shall assist the Controller, to the extent technically feasible given the nature of the processing, in fulfilling the Controller's obligations to respond to data subject requests, conduct DPIAs, implement security measures, and notify supervisory authorities of data breaches.
Verbox shall promptly notify the Controller — and in no event later than 48 hours after becoming aware — of any confirmed or reasonably suspected Data Breach involving the Controller's personal data, and shall cooperate fully in incident investigation and notification as described in Section 8.
Verbox shall maintain comprehensive written records of all categories of processing activities carried out on behalf of Controllers, as required by GDPR Article 30(2). These records are available to the Controller and to supervisory authorities upon request.
Sub-processors
General Authorization: By entering into this DPA, the Controller grants Verbox a general authorization to engage sub-processors from the approved sub-processor list maintained by Verbox, subject to the terms of this section.
Current Sub-processors: Verbox maintains and publishes an up-to-date list of all sub-processors engaged in the processing of Customer personal data. This list, which includes the name of each sub-processor, their country of establishment, and the nature of the processing they perform, is available to Controllers upon request and is updated at least quarterly.
Current sub-processor categories include: cloud infrastructure and managed database providers (compute, storage, networking); AI language model API providers (for NLP inference); transactional email delivery services; payment processors; security monitoring and logging services; and customer support tooling (for support interactions, not for customer data).
Change Notification: Verbox shall provide the Controller with at least 30 calendar days' prior written notice of any intended addition of, or material change to, a sub-processor (a «Sub-processor Change Notice»). The notice shall include sufficient detail to allow the Controller to assess any data protection implications of the change.
Objection Right: If the Controller has a legitimate, documented data protection reason to object to a new or changed sub-processor, it must submit its written objection to Verbox within 14 calendar days of the Sub-processor Change Notice. Verbox shall work in good faith with the Controller to address the concern. If the Parties are unable to resolve the objection, the Controller may terminate the affected Services without penalty, provided that such termination is exercised within 30 days of the original notice.
Sub-processor Obligations: Verbox shall impose on all sub-processors data protection obligations that are materially equivalent to those imposed on Verbox under this DPA, including with respect to security, confidentiality, sub-processing restrictions, and audit rights. Verbox remains fully liable to the Controller for the performance of sub-processor obligations.
Technical and Organizational Security Measures
Encryption: All personal data is encrypted in transit using TLS 1.3 (minimum) with strong forward-secrecy cipher suites. All personal data is encrypted at rest using AES-256-GCM. Database encryption keys are stored in a dedicated hardware security module (HSM) with role-separated key management, automatic annual rotation, and full key access audit logging.
Access Control: Access to systems processing personal data is governed by a documented role-based access control (RBAC) policy implementing the principle of least privilege. All privileged access requires multi-factor authentication. Privilege elevation is logged and subject to peer review. All production system access is conducted via hardened, audited jump hosts, not direct internet access.
Network Security: Production environments are isolated in private virtual networks with strict ingress/egress controls. Web application firewalls (WAF) protect all public endpoints. DDoS mitigation is active at both the network and application layer. Network traffic is monitored continuously by automated intrusion detection systems.
Physical Security: Data center facilities housing Verbox's production infrastructure maintain ISO 27001 certification and operate with biometric access control, 24/7 CCTV monitoring, redundant power and cooling, and locked cage/server controls. Physical media containing personal data is destroyed using NIST 800-88-compliant methods.
Vulnerability Management: Automated dependency and container image scanning runs continuously with daily reports. Penetration tests are conducted by independent qualified third parties at least annually. Identified vulnerabilities are prioritized by CVSS score and remediated within documented SLAs (Critical: 24 hours; High: 7 days; Medium: 30 days).
Availability and Resilience: Production databases are replicated in real time to a geographically separate standby with automatic failover. Encrypted backups are taken daily and stored in a separate region. Recovery Time Objective (RTO) is less than 4 hours; Recovery Point Objective (RPO) is less than 1 hour. Disaster recovery is tested semi-annually.
Personnel Measures: All personnel with access to personal data undergo background verification prior to engagement. Mandatory data protection and security training is delivered at induction and annually thereafter. All personnel are bound by contractual confidentiality obligations that survive termination of their engagement.
Monitoring and Logging: A comprehensive SIEM system aggregates and correlates security logs from all platform components in real time. Automated alerts trigger incident response workflows for anomalous access patterns, privilege escalation attempts, and exfiltration indicators. Logs are retained in immutable storage for 24 months.
Data Breach Notification and Response
Detection and Assessment: Verbox operates continuous security monitoring and maintains a documented Incident Response Plan (IRP) that categorizes security events, defines escalation paths, and specifies notification obligations. All security events are triaged within 4 hours of detection by our security team.
Initial Notification: Verbox shall notify the Controller by email to the security contact address on file — without undue delay and in no event later than 48 hours after Verbox becomes aware of a confirmed Data Breach involving the Controller's personal data. Where the full details of the breach are not yet available at the time of initial notification, Verbox shall provide a preliminary notice and supplement it with further information as it becomes available.
Breach Notification Content: The notification shall include, to the extent then known: (i) a description of the nature of the breach including the categories and approximate number of affected data subjects and records; (ii) the name and contact details of the Data Protection Officer or other security contact; (iii) a description of the likely consequences of the breach; (iv) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Cooperation: Verbox shall cooperate fully with the Controller in investigating and remediating the breach, provide all information and documentation reasonably requested by the Controller, and take all technically feasible steps to contain and mitigate the breach in accordance with the Controller's instructions.
Internal Documentation: Verbox documents all suspected and confirmed Data Breaches, regardless of whether the applicable notification threshold is met, including the facts relating to the breach, its effects, and the remedial action taken. These records are available to the Controller and supervisory authorities upon request.
Controller's Obligations: The Controller is solely responsible for determining its own notification obligations to supervisory authorities (e.g., within 72 hours under GDPR Article 33) and to data subjects (GDPR Article 34), using the information provided by Verbox. Verbox's notification to the Controller does not constitute an acknowledgment of fault or liability.
Assistance with Data Subject Rights
Verbox shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Chapter III (including access, rectification, erasure, restriction, portability, and objection), the UAE PDPL, and any other applicable data protection law. Assistance is provided to the extent that the processing is carried out by Verbox and is technically feasible.
Self-Service Tools: Verbox provides dashboard tools that enable Controllers to: export all conversation logs and account data in JSON or CSV format; delete individual conversations or all data for a specific end user; configure automated data retention and deletion rules; and view a complete audit trail of all administrative actions on their account.
Forwarding of Requests: If a data subject submits a request directly to Verbox (e.g., by contacting privacy@verbox.com) in relation to personal data processed on behalf of a Controller, Verbox shall promptly forward the request to the Controller without undue delay, and shall not respond directly to the data subject on the Controller's behalf unless expressly authorized to do so.
Response Assistance: Verbox shall provide the Controller with technical information necessary to respond to data subject requests — such as confirmation of what data is held, its format, and its location within the platform — within 5 business days of the Controller's request for such information.
Erasure: Upon receiving a verified data erasure instruction from the Controller in respect of a specific data subject, Verbox shall delete all personal data identifiable to that data subject from active storage within 30 calendar days and shall confirm completion in writing. Deletion from backup media occurs within the applicable backup rotation cycle.
International Data Transfers
Data Residency: By default, Controller personal data is stored and processed in the UAE and the European Union. Verbox does not transfer personal data to sub-processors outside these regions without implementing appropriate transfer mechanisms as described in this section.
Transfers from the EEA: For any transfer of personal data from the European Economic Area to a third country not covered by an adequacy decision of the European Commission, Verbox relies on the Standard Contractual Clauses (Module 2: Controller-to-Processor) as approved by Commission Implementing Decision 2021/914. The SCCs are incorporated by reference into this DPA and are available in full upon request.
UK Transfers: For transfers of UK personal data to third countries, Verbox relies on the UK IDTA (International Data Transfer Agreement) as approved by the UK Information Commissioner's Office, or the UK Addendum to the EU SCCs, as applicable.
UAE Cross-Border Transfers: For personal data subject to the UAE PDPL that is transferred outside the UAE, Verbox ensures that the destination country provides an adequate level of protection as recognized by the UAE data protection authority, or implements contractual safeguards equivalent to those required under the UAE PDPL.
Supplementary Measures: In addition to the contractual safeguards above, Verbox implements supplementary technical measures (including end-to-end encryption, pseudonymization, and contractual restrictions on sub-processor sub-processing) in accordance with the guidance of the European Data Protection Board (EDPB) to ensure that transferred data receives essentially equivalent protection.
Data Localization Requests: Enterprise Controllers with strict data localization requirements may request that all processing be restricted to a single geographic region (UAE or EU). Verbox will assess the feasibility of such requests and, where technically possible, implement region-locked infrastructure arrangements under a separate addendum.
Audit Rights and Information
Information Provision: Verbox shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, including this DPA itself, the sub-processor list, the description of security measures in Section 7, and any relevant certifications.
Third-Party Audit Reports: Verbox makes its annual SOC 2 Type II audit report, penetration test executive summaries, and relevant certification attestations (ISO 27001, etc.) available to Controllers under appropriate non-disclosure terms upon written request. Provision of these reports satisfies the Controller's audit rights for the matters covered therein.
Controller-Directed Audits: The Controller has the right to conduct, or to appoint a qualified independent third-party auditor to conduct, an audit of Verbox's processing activities under this DPA. Audit requests must be submitted in writing with at least 30 calendar days' notice, must specify the scope and objectives of the audit, and must be carried out during normal UAE business hours (Sunday to Thursday, 09:00–17:00 GST) in a manner that minimizes disruption to Verbox's operations.
Audit Costs: Verbox will cooperate with audits at no charge for reasonable document review and interviews. If the Controller requires physical access to data center facilities, dedicated personnel time exceeding 8 hours per audit, or more than one audit per 12-month period, reasonable costs for such access and support may be charged to the Controller at Verbox's standard professional services rates.
Confidentiality of Audit Findings: The Controller shall treat all information obtained during an audit as Verbox's Confidential Information. Audit findings must not be disclosed to any third party without Verbox's prior written consent, unless required by a supervisory authority.
Return and Deletion of Personal Data
Upon Termination: Upon expiry or termination of the Services for any reason, Verbox shall, at the Controller's election, either return or delete all personal data processed under this DPA, within 30 calendar days of the effective termination date. The Controller must notify Verbox of its election within the 30-day window.
Self-Service Export: Verbox provides automated self-service data export tools within the dashboard that allow Controllers to download a complete export of their data in JSON and CSV formats at any time during the Services and during the 30-day post-termination window.
Deletion Confirmation: Upon completion of deletion, Verbox shall provide written confirmation to the Controller that all personal data (including data held by sub-processors on behalf of Verbox) has been deleted, except as required by applicable law.
Legal Retention Obligations: Certain data (such as billing records and security logs) may be retained beyond termination where required by applicable UAE law, EU law, or other mandatory legal requirements. Verbox will notify the Controller of any such retention obligations and the data categories affected.
Backup Deletion: Personal data in encrypted backup media is deleted within the applicable backup retention cycle (maximum 30 days) following the deletion of the primary data. Verbox confirms the completion of backup deletion in the overall deletion confirmation.
Survival: Obligations under this section, and all other obligations in this DPA relating to data protection, confidentiality, and security, survive the termination of the Services for as long as Verbox retains any Controller personal data.
Liability
Each Party's liability to the other under this DPA is subject to the limitations and exclusions set out in the Verbox Terms of Service, which are incorporated by reference. Nothing in this DPA shall operate to limit either Party's liability for death, personal injury, fraud, or any liability that cannot be excluded or limited by applicable law.
In the context of data protection claims by data subjects, Verbox and the Controller shall each be responsible only for that portion of the damage attributable to their respective fault. Where a data subject obtains a judgment against one Party for the full amount of damages arising from a joint breach of this DPA, that Party is entitled to recover from the other Party the portion of the damages attributable to the other Party's fault.
The Controller shall indemnify and hold harmless Verbox against all claims, fines, penalties, and costs arising from the Controller's breach of this DPA or the Controller's violation of applicable data protection law in connection with the Services, to the extent that such claims arise from the Controller's failure to comply with its obligations as a data controller.
Enterprise customers with specific compliance requirements — including custom data residency, additional security attestations, or sector-specific regulatory obligations — may request a negotiated Data Processing Agreement addendum. Contact our legal team to initiate the review process.