Data Processing Agreement (DPA)
Last updated: 4 May 2026
This Data Processing Agreement ("Agreement") forms part of the General Terms of Service or other contract ("Service Agreement") between:
- ABC Salesbot Sdn Bhd ("Processor", "we", "our", "us"), and
- The client entity agreeing to the Service Agreement ("Controller", "you", "your").
Together, the "Parties."
1. Subject Matter and Duration
1.1 Subject matter: Processor will process personal data on behalf of Controller in connection with the provision of the Services.
1.2 Duration: This Agreement applies for as long as Processor processes personal data on behalf of Controller under the Principal Agreement.
2. Nature and Purpose of Processing
Processor will process personal data solely to:
- Provide and improve the Services;
- Enable AI System interactions with End-Users;
- Host and manage lead/contact databases;
- Process uploaded media, including voice recordings;
- Handle integration credentials (API keys, tokens);
- Review Client usage and chat transcripts for proactive support and optimization (if enabled);
- Provide customer support and troubleshooting;
- Develop general best practices without reusing Client-specific content; and
- Comply with legal obligations.
3. Categories of Data and Data Subjects
3.1 Data subjects: Controller's employees, contractors, End-Users, customers, and prospects.
3.2 Categories of data: account data, lead/contact data, chat transcripts, API credentials, AI System scripts, uploaded media (including voice recordings), and technical identifiers (IP addresses, logs).
3.3 Processor does not intentionally process special categories of personal data unless specifically provided by Controller.
4. Controller Instructions
Processor shall process personal data only in accordance with Controller's documented instructions, including this Agreement, the Principal Agreement, and Controller configurations in the Services.
5. Confidentiality and General Know-How
5.1 Confidential Information: Processor shall treat all Client-specific data as confidential, including lead databases, contact lists, scripts, chat transcripts, API credentials, uploaded media, and voice recordings.
5.2 No disclosure: Processor will not disclose Confidential Information to third parties except as required to provide the Services or by law.
5.3 General Know-How: Processor may apply general best practices developed across industries, provided this does not involve reusing or disclosing Client-specific content.
Examples:
- ❌ Confidential (cannot reuse): "Mention our partner [Company X] and apply discount code 'GROWTH2025'."
- ❌ Confidential (cannot reuse): "When the bot detects keyword Y, escalate directly to team lead via WhatsApp number 12345."
- ✅ General Know-How (may reuse): Using discount codes can increase conversion (each Client provides their own).
- ✅ General Know-How (may reuse): Keyword-triggered escalation improves service (each Client provides their own keywords/contacts).
6. Marketing Use
6.1 Processor will never use Client data (including chats, results, or media) for marketing without the Client's explicit consent.
6.2 Any case studies, testimonials, or screenshots require prior approval from Controller.
6.3 All screenshots or transcripts used for marketing will be censored or anonymized if requested by the Controller.
7. Security
7.1 Hosting and certifications: Services are hosted on Amazon Web Services (AWS) in the Singapore region. AWS maintains certifications including ISO 27001 and SOC 2 for its infrastructure. ABC Sales AI does not currently hold these certifications directly but builds on top of AWS-certified infrastructure.
7.2 In Transit: Data is encrypted using TLS.
7.3 At Rest: Data is stored with strict access controls and security safeguards. Encryption at rest is implemented across core infrastructure services and is being standardized across all production systems.
7.4 LLM Processing: Client Data may be sent to third-party large language model (LLM) providers (such as OpenAI, Anthropic, or others engaged by Processor) for natural language processing. Such data is encrypted in transit, not retained beyond processing, and not used to train the providers' models.
7.5 Staff Access: Only authorized staff may access data, subject to confidentiality obligations. Access is internally controlled, logged, and used solely for support, troubleshooting, and service improvement - never for marketing or training of external AI models.
8. Sub-Processors
Controller authorizes Processor to use sub-processors to provide the Services, including hosting, AI/LLM, payments, messaging, and customer-enabled integrations.
A current list of sub-processors is maintained at /subprocessors. Sub-processors may be updated from time to time, and Processor will provide reasonable notice of material changes where required. Processor ensures sub-processors are bound by data protection obligations no less protective than this Agreement.
9. International Transfers
9.1 GDPR: Transfers outside the EEA/UK (to AWS Singapore or to LLM providers) are made under Standard Contractual Clauses (SCCs) or equivalent safeguards.
9.2 Singapore PDPA: Transfers outside Singapore are subject to comparable protection requirements.
9.3 Malaysia PDPA: By using the Services, Controller consents to the transfer of personal data to Singapore for hosting and processing.
10. Assistance with Rights and Compliance
Processor assists Controller in:
- Responding to data subject requests (access, correction, deletion, objection);
- Complying with GDPR obligations (Articles 32–36); and
- Meeting equivalent obligations under Singapore PDPA and Malaysia PDPA.
Data subject requests may be submitted to privacy@abcsalesbot.com and are handled manually by our team, typically within 30 days, subject to verification and applicable legal requirements.
11. Personal Data Breach
Processor will notify Controller without undue delay after becoming aware of a personal data breach and provide information reasonably required for Controller to comply with applicable law.
12. Proactive Support
12.1 Processor may access Client account data, including chat transcripts, to provide proactive support, training, or feature adoption guidance.
12.2 Such access is logged, restricted, and never used for marketing or resale, and is not used for training of external AI models.
12.3 Controller may opt out of proactive support by notice to Processor.
13. Return or Deletion of Data
Upon termination of Services, Processor will return or delete all Client data within 30–90 days, unless retention is required by law.
14. Audits
Processor will provide information reasonably necessary to demonstrate compliance and allow audits, subject to reasonable notice and confidentiality.
15. Liability
Liability under this Agreement is governed by the Principal Agreement, except as required by applicable data protection law.
16. Governing Law
This Agreement is governed by the laws stated in the Principal Agreement, subject to mandatory provisions of GDPR, Singapore PDPA, and Malaysia PDPA.
17. Miscellaneous
If any provision is invalid, the remainder remains in effect. In case of conflict, this Agreement prevails over the Principal Agreement with respect to data protection.
18. Signatures
For self-serve customers, this DPA is binding through acceptance of the Service Agreement.