Templates Pricing Integrations

Features

AI Training
Customization
Inbox & Live Chat
API & Tools
Lead Capture
Analytics
Languages

Industries

SaaS
Ecommerce
Healthcare
Education
Manufacturing
Finance
Travel & Tourism

Use Cases

Service Businesses
Veterinary
Law Firms
Showit & Photography
Internal Knowledge Base

Data Processing Agreement

Effective date: June 3, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Espresso Dev (Pty) Ltd, trading as SiteSpeakAI ("SiteSpeakAI", "Processor", "we", "us"), and the customer that uses our services ("Customer", "Controller", "you"), under our Terms of Service (the "Agreement"). It governs our processing of personal data on your behalf when you use SiteSpeakAI.

This DPA is incorporated into and forms part of the Agreement. It takes effect when you accept the Agreement or use the services, and applies for as long as we process personal data on your behalf. A counter-signed copy is available on request from privacy@sitespeak.ai.

Where there is any conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails.

1. Definitions

  • "Data Protection Laws" means all laws applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), and South Africa's Protection of Personal Information Act ("POPIA").
  • "Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means personal data that we process on your behalf under the Agreement.
  • "Subprocessor" means any third party we engage to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries set out in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

2. Roles and scope

For Customer Personal Data, you are the Controller and we are the Processor. Where you are yourself acting as a processor for another controller, we are a subprocessor, and this DPA applies accordingly.

We process Customer Personal Data only to provide the services, and only on your documented instructions, including those given through the dashboard and the configuration of your chatbots. Your use of the services, and this DPA, are your complete and final processing instructions. If we are required by law to process Customer Personal Data otherwise, we will inform you first unless the law prohibits it.

The subject matter, nature, purpose, and duration of the processing, the types of personal data, and the categories of data subjects are set out in Annex I.

3. Our obligations as Processor

We will:

  1. Process Customer Personal Data only on your documented instructions, including for transfers, unless required otherwise by law.
  2. Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality.
  3. Implement appropriate technical and organisational measures to protect Customer Personal Data, as described in Annex II, in accordance with Article 32 of the GDPR.
  4. Respect the conditions in Section 5 for engaging Subprocessors.
  5. Assist you, taking into account the nature of the processing, in responding to requests from data subjects (Section 6).
  6. Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR, taking into account the information available to us.
  7. At your choice, delete or return Customer Personal Data at the end of the services, as described in Section 9.
  8. Make available the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in Section 8.

We will inform you if, in our opinion, an instruction infringes Data Protection Laws.

4. Your obligations as Controller

You will:

  1. Comply with your obligations as a Controller under Data Protection Laws, including having a lawful basis for the processing and for providing Customer Personal Data to us.
  2. Provide instructions that are lawful and consistent with Data Protection Laws.
  3. Be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired it, including any content you index and any data your chatbots collect from your website visitors.
  4. Provide any required notices to, and obtain any required consents from, your data subjects.

5. Subprocessors

You give us general authorisation to engage Subprocessors to process Customer Personal Data. Our current Subprocessors, their purpose, location, and the safeguard used for any international transfer, are listed in our Trust Center.

We will:

  • Impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, including appropriate security measures.
  • Remain responsible to you for each Subprocessor's performance of its obligations.
  • Give you notice of any intended addition or replacement of a Subprocessor by updating the list in our Trust Center. You may object on reasonable data-protection grounds within 30 days by contacting privacy@sitespeak.ai. If we cannot reasonably resolve your objection, you may terminate the affected services.

6. Data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection). You can fulfil many of these requests directly through the dashboard, including exporting and deleting data. If we receive a request directly from one of your data subjects, we will direct them to you and will not respond except on your instructions or as required by law.

7. International transfers

Where our processing of Customer Personal Data involves a transfer out of the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, that transfer is governed by an appropriate safeguard:

  • For transfers to us, the Standard Contractual Clauses are incorporated into this DPA by reference and apply as follows: Module Two (controller to processor) where you are a controller, and Module Three (processor to processor) where you are a processor. For UK transfers, the UK Addendum applies. For transfers subject to Swiss law, the SCCs apply with the amendments required by the Swiss Federal Data Protection and Information Commissioner. The annexes to the SCCs are populated by Annex I (parties and processing), Annex II (security measures), and Annex III (subprocessors) of this DPA. Where Clause 9 of the SCCs offers options, Option 2 (general written authorisation) applies, with the notice period set out in Section 5.
  • For onward transfers to our Subprocessors, we rely on the safeguard shown for each Subprocessor in our Trust Center, which is the EU-US Data Privacy Framework, Standard Contractual Clauses (with the UK Addendum where relevant), or an adequacy decision.

If the Standard Contractual Clauses or any other transfer mechanism is invalidated or changed, we will work with you in good faith to put an alternative safeguard in place.

8. Audits

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications and reports where we have them. Where you reasonably require further information to meet your audit obligations under Data Protection Laws, you may request an audit no more than once per year, on reasonable prior written notice, during business hours, and without disrupting our operations, subject to confidentiality.

9. Deletion or return of data

On termination of the services, we will, at your choice, delete or return Customer Personal Data, and delete existing copies, within a reasonable period not exceeding the retention periods described in our Privacy Policy, except to the extent we are required by law to retain it. On request, we will confirm in writing that we have done so.

10. Personal data breach

We will notify you without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed. We will take reasonable steps to mitigate the breach and assist you with your own notification obligations to supervisory authorities and data subjects. We provide this assistance at no additional cost.

11. Liability and governing law

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the law and subject to the jurisdiction stated in the Agreement, except where Data Protection Laws or the Standard Contractual Clauses require otherwise (in which case those clauses and their stated governing law and forum apply to the relevant transfer).

12. Contact

For any question relating to this DPA, or to exercise any right or request under it, contact privacy@sitespeak.ai.

Annex I - Description of processing

A. Parties

  • Data exporter (Controller): the Customer identified in the Agreement, using SiteSpeakAI.
  • Data importer (Processor): Espresso Dev (Pty) Ltd, trading as SiteSpeakAI, a company registered in South Africa. Contact: privacy@sitespeak.ai.

B. Description of the processing

  • Subject matter: provision of the SiteSpeakAI AI chatbot services, including chatbot creation, content indexing, response generation, conversation handling, and analytics.
  • Duration: for the term of the Agreement, plus the retention periods described in our Privacy Policy.
  • Nature and purpose: processing Customer Personal Data to provide and support the services on the Customer's instructions.
  • Categories of data subjects: the Customer's authorised users, and the end users (website visitors) who interact with the Customer's chatbots or whose data appears in the Customer's indexed content.
  • Categories of personal data: account and contact details of the Customer's users; the content of conversations between end users and chatbots; identifiers such as a randomly generated visitor ID and approximate country; and any name, email address, phone number, or other details that end users provide or that the Customer chooses to collect through lead-capture or user-identification features, together with any personal data contained in content the Customer indexes.
  • Special category data: not requested by the services. The Customer should not submit special category data except where strictly necessary and lawful; any such processing is on the Customer's instruction and responsibility.
  • Frequency: continuous, for the duration of the Agreement.

C. Competent supervisory authority

The supervisory authority of the data exporter (or its EU/UK representative) as determined under Data Protection Laws.

Annex II - Technical and organisational measures

We maintain measures appropriate to the risk, including:

  • Encryption: data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access control: role-based access, multi-factor authentication for administrative access, and the principle of least privilege.
  • Confidentiality: personnel bound by confidentiality obligations.
  • Resilience and backups: automated backups and monitoring of the production environment.
  • Network and application security: firewalling, DDoS protection, and regular security updates.
  • Data minimisation and segregation: customer data is logically segregated so that one customer's data cannot be accessed by another.
  • Special protections: masking of certain identifiers (such as ID numbers, payment card numbers, and bank account numbers) detected in visitor messages, before they reach AI providers or storage.
  • Monitoring and incident response: logging, monitoring, and documented incident-response procedures.

Annex III - Subprocessors

The current list of Subprocessors, including each Subprocessor's purpose, location, and the safeguard relied on for any international transfer, is published and kept up to date in our Trust Center. That list forms part of this DPA.