Parties
This Data Processing Agreement (the "DPA") forms part of the service agreement between:
- Client (the Controller), as named in the main service agreement;
- S.R.L. „MEGA PROMOTING” (the Processor), registered at MD-6800, s. Dănceni, r-ul Ialoveni, Republic of Moldova, IDNO 1019600021765, Moldova IT Park resident.
Scope & purpose
The Processor will process Personal Data on behalf of the Controller solely to provide the agreed service. This includes, depending on the specific engagement:
- Hosting and operating chatbot instances on the aichat.md platform.
- Hosting and operating voice agents on the Kallina platform.
- Developing, deploying and maintaining custom applications.
- Providing SEO and growth services involving access to analytics.
Categories of data & subjects
- Data subjects — the Controller's end-users, customers, employees, or website visitors.
- Data categories — contact details, message content, voice recordings, transcripts, IP addresses, device/session identifiers, analytics events.
- Special categories — processed only if explicitly agreed in writing (e.g. health data for medical-clinic clients).
Obligations of the Processor
- Process data only on the Controller's documented instructions.
- Ensure personnel are bound by appropriate confidentiality undertakings.
- Implement appropriate technical and organisational measures (Art. 32 GDPR). See our GDPR statement for the measures currently in place.
- Notify the Controller within 24 hours of becoming aware of a personal-data breach, and provide a full post-mortem within 10 working days.
- Assist the Controller in responding to data-subject requests, including access, rectification, erasure, and portability.
- Return or delete all Personal Data on termination, at the Controller's choice. Default: 30-day deletion window.
Sub-processors
The Controller grants general written authorisation for the Processor to engage sub-processors. We maintain a current list and will notify the Controller at least 14 days before adding or replacing a sub-processor. The Controller may object within that window.
Current sub-processors include (non-exhaustive): OVH Cloud, Google Cloud, OpenAI, Anthropic, ElevenLabs, Deepgram, Twilio, Stripe, Supabase, Vercel. Full list available on request.
International transfers
Transfers to countries outside the EU / EEA are covered by:
- EU Standard Contractual Clauses (SCCs) 2021/914 where applicable;
- EU-US Data Privacy Framework for US-based sub-processors that participate.
The Processor will conduct a Transfer Impact Assessment on request.
Audit rights
The Controller may audit the Processor's compliance with this DPA once per calendar year, on 30 days' written notice, during normal business hours, at the Controller's expense. The Processor will provide reasonable assistance and make available SOC 2 / ISO 27001 attestations where held by sub-processors.
Liability & indemnity
Liability under this DPA is subject to the limitation-of-liability provisions in the main service agreement. Each party indemnifies the other for damages arising from its own non-compliance with the GDPR.
Term & termination
This DPA takes effect on the date both parties sign and remains in force as long as the Processor processes Personal Data on behalf of the Controller. On termination, the Processor will return or delete all Personal Data within 30 days, at the Controller's instruction.
Governing law
This DPA is governed by Moldovan law where the main agreement is Moldovan, otherwise by the law of the Controller's habitual residence within the EU.