Skip to Main Content
ABC Sales AI - Turn Every Missed Lead Into a Paying Customer logo

Data Processing Agreement

                    
Data Processing Agreement (DPA)


This Data Processing Agreement (“Agreement”) forms part of the Terms of Use or other contract (“Principal Agreement”) between:


    

  • ABC Salesbot Sdn Bhd (“Processor”, “we”, “our”, “us”), and
    • 

  • The customer entity agreeing to the Principal Agreement (“Controller”, “you”, “your”).
    • 



Together, the “Parties.”




1. Subject Matter and Duration


1.1 Subject matter: Processor will process personal data on behalf of Controller in connection with the provision of the Services.


1.2 Duration: This Agreement applies for as long as Processor processes personal data on behalf of Controller under the Principal Agreement.




2. Nature and Purpose of Processing


Processor will process personal data solely to:


    

  • Provide and improve the Services.
    • 

  • Enable chatbot interactions with End-Users.
    • 

  • Host and manage lead/contact databases.
    • 

  • Process uploaded media, including voice recordings.
    • 

  • Handle integration credentials (API keys, tokens).
    • 

  • Review Client usage and chat transcripts for proactive support and optimization (if enabled).
    • 

  • Provide customer support and troubleshooting.
    • 

  • Develop general best practices without reusing Client-specific content.
    • 

  • Comply with legal obligations.
    • 





3. Categories of Data and Data Subjects


    

  • Data subjects: Controller’s employees, contractors, End-Users, customers, and prospects.
    • 

  • Categories of data: account data, lead/contact data, chat transcripts, API credentials, chatbot scripts, uploaded media (including voice recordings), and technical identifiers (IP addresses, logs).
    • 



Processor does not intentionally process special categories of personal data unless specifically provided by Controller.




4. Controller Instructions


Processor shall process personal data only in accordance with Controller’s documented instructions, including this Agreement, the Principal Agreement, and Controller configurations in the Services.




5. Confidentiality and General Know-How


5.1 Confidential Information: Processor shall treat all Client-specific data as confidential, including lead databases, contact lists, scripts, chat transcripts, API credentials, uploaded media, and voice recordings.


5.2 No disclosure: Processor will not disclose Confidential Information to third parties except as required to provide the Services or by law.


5.3 General Know-How: Processor may apply general best practices developed across industries, provided this does not involve reusing or disclosing Client-specific content.


Examples:


    

  • ❌ Confidential (cannot reuse): “Mention our partner [Company X] and apply discount code ‘GROWTH2025’.”
    • 

  • ❌ Confidential (cannot reuse): “When the bot detects keyword Y, escalate directly to team lead via WhatsApp number 12345.”
    • 

  • ✅ General Know-How (may reuse): Using discount codes can increase conversion (each Client provides their own).
    • 

  • ✅ General Know-How (may reuse): Keyword-triggered escalation improves service (each Client provides their own keywords/contacts).
    • 





6. Marketing Use


Processor will never use Client data (including chats, results, or media) for marketing without the Client’s explicit written consent.


    

  • Any case studies, testimonials, or screenshots require prior approval from Controller.
    • 

  • All screenshots or transcripts used for marketing will be censored or anonymized.
    • 





7. Security


7.1 Hosting: Services are hosted on Amazon Web Services (AWS) Singapore, certified under ISO 27001, SOC 2, and MTCS.


7.2 In Transit: Data is encrypted using TLS.


7.3 At Rest: Data is stored in plain text with strict access controls, monitoring, and organizational safeguards.


7.4 LLM Processing: Client Data may be sent in plain text to third-party large language model (LLM) providers (such as OpenAI or others engaged by Processor) for natural language processing. Such data is encrypted in transit, not retained beyond processing, and not used to train the providers’ models. Processor ensures that all such providers are bound by contractual obligations consistent with this Agreement.


7.5 Staff Access: Only authorized staff may access data, subject to confidentiality obligations.




8. Sub-Processors


Controller authorizes Processor to use sub-processors to provide the Services, including:


    

  • Amazon Web Services (AWS) — hosting in Singapore.
    • 

  • LLM providers (e.g., OpenAI, Anthropic, Cohere, or others) — language model processing.
    • 

  • Payment providers (e.g., Stripe) — billing.
    • 



Processor ensures sub-processors are bound by data protection obligations no less protective than this Agreement.




9. International Transfers


    

  • GDPR: Transfers outside the EEA/UK (to AWS Singapore or OpenAI) are made under Standard Contractual Clauses (SCCs) or equivalent safeguards.
    • 

  • Singapore PDPA: Transfers outside Singapore are subject to comparable protection requirements.
    • 

  • Malaysia PDPA: By using the Services, Controller consents to the transfer of personal data to Singapore for hosting and processing.
    • 





10. Assistance with Rights and Compliance


Processor assists Controller in:


    

  • Responding to data subject requests (access, correction, deletion, objection).
    • 

  • Complying with GDPR obligations (Articles 32–36).
    • 

  • Meeting equivalent obligations under Singapore PDPA and Malaysia PDPA.
    • 





11. Personal Data Breach


Processor will notify Controller without undue delay after becoming aware of a personal data breach and provide information reasonably required for Controller to comply with applicable law.




12. Proactive Support


12.1 Processor may access Client account data, including chat transcripts, to provide proactive support, training, or feature adoption guidance.


12.2 Such access is logged, restricted, and never used for marketing or resale.


12.3 Controller may opt out of proactive support by notice to Processor.




13. Return or Deletion of Data


Upon termination of Services, Processor will return or delete all Client data within [30–90] days, unless retention is required by law.




14. Audits


Processor will provide information reasonably necessary to demonstrate compliance and allow audits, subject to reasonable notice and confidentiality.




15. Liability


Liability under this Agreement is governed by the Principal Agreement, except as required by applicable data protection law.




16. Governing Law


This Agreement is governed by the laws stated in the Principal Agreement, subject to mandatory provisions of GDPR, Singapore PDPA, and Malaysia PDPA.




17. Miscellaneous


If any provision is invalid, the remainder remains in effect. In case of conflict, this Agreement prevails over the Principal Agreement with respect to data protection.




18. Signatures


For self-serve customers ($97/month), this DPA is binding through acceptance of the Terms of Use.
WhatsApp Chat with us
⚡ Powered by ABC Sales.ai