Data Processing Agreement
Last updated: March 25, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between AnswerMind AI, Inc. ("AnswerMind AI," "Processor") and the Customer ("Controller") and governs the processing of personal data by AnswerMind AI on behalf of the Customer in connection with the AnswerMind AI Service. This DPA is effective as of the date the Customer accepts the Terms of Service.
1. Definitions
In this DPA:
- "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data;
- "Processor" means AnswerMind AI, which processes Personal Data on behalf of the Controller;
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by AnswerMind AI as part of providing the Service;
- "Data Subject" means the individual to whom Personal Data relates;
- "Processing" has the meaning given to it under applicable Data Protection Law;
- "Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection legislation;
- "Sub-processor" means any third-party processor engaged by AnswerMind AI to process Personal Data in connection with the Service;
- "Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles and Responsibilities
The Customer acts as the Controller with respect to all Personal Data uploaded to, submitted to, or generated by the Service in connection with Customer's account. AnswerMind AI acts as the Processor and will process Personal Data only on documented instructions from the Customer (as set out in this DPA and the Terms of Service) and for no other purpose.
Where AnswerMind AI processes Personal Data related to its own customers (such as account holders' names and email addresses) for the purposes of managing the customer relationship, it acts as a Controller in respect of such data, governed by the Privacy Policy.
3. Scope and Nature of Processing
AnswerMind AI processes Personal Data as necessary to provide the Service, which may include:
- Storing Customer Data uploaded by the Customer (documents, FAQs, website content);
- Processing end-user conversation data generated when the Customer's chatbot interacts with visitors;
- Processing lead capture data (names, email addresses, phone numbers) collected through chatbot forms;
- Transmitting queries to underlying AI model API providers for inference;
- Providing analytics and reporting on chatbot performance.
Categories of data subjects: The Customer's website visitors, prospective customers, and end users who interact with the Customer's deployed chatbot.
Types of personal data: Name, email address, phone number, chat messages, IP addresses, and any other data submitted by end users through the chatbot.
4. Customer Instructions
AnswerMind AI will process Personal Data only in accordance with the Customer's documented instructions, which are provided through use of the Service (including configuration settings, integrations activated, and features enabled). The Terms of Service and this DPA constitute the Customer's instructions as of the effective date.
AnswerMind AI will inform the Customer if it believes any instruction infringes applicable Data Protection Law, in which case AnswerMind AI is entitled to refuse to carry out the relevant processing until the Customer has clarified or amended the instruction.
5. Confidentiality
AnswerMind AI will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to AnswerMind AI personnel who require such access to provide the Service.
6. Security Measures
AnswerMind AI will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at a minimum:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
- Role-based access controls and least-privilege principles;
- Regular security vulnerability assessments;
- Logging and monitoring of access to Personal Data;
- Procedures for regularly testing and evaluating the effectiveness of security measures;
- Employee security awareness training.
7. Sub-processors
The Customer hereby grants AnswerMind AI general authorization to engage Sub-processors to assist in providing the Service. AnswerMind AI currently engages the following categories of Sub-processors:
- Cloud infrastructure: For hosting, storage, and compute (servers located in the USA and/or EU);
- AI model API providers: To process customer queries for inference (e.g., OpenAI, Anthropic, or similar); queries do not include Customer account information;
- Email delivery services: For transactional and notification emails;
- Payment processing: Paddle (Paddle.com Market Ltd.) for subscription billing.
AnswerMind AI will: (a) impose data protection obligations on Sub-processors that are no less stringent than those set out in this DPA; (b) notify the Customer of any intended addition or replacement of Sub-processors by updating this DPA or by email notification with at least 10 days' notice; and (c) remain fully liable to the Customer for the acts and omissions of its Sub-processors.
8. Data Subject Rights
AnswerMind AI will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law. If AnswerMind AI receives a request from a Data Subject directly, AnswerMind AI will promptly forward the request to the Customer.
9. Security Incident Notification
In the event of a Security Incident involving Personal Data, AnswerMind AI will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the incident. The notification will include, to the extent available at the time:
- A description of the nature of the Security Incident;
- The categories and approximate number of Data Subjects affected;
- The categories and approximate volume of Personal Data records concerned;
- The likely consequences of the Security Incident;
- Measures taken or proposed to address the Security Incident and to mitigate its possible adverse effects.
10. Data Protection Impact Assessments
AnswerMind AI will provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities where required under Data Protection Law, having regard to the nature of the processing and information available to AnswerMind AI.
11. Deletion and Return of Personal Data
Upon termination of the Service, AnswerMind AI will, at the Customer's choice and to the extent technically feasible, either: (a) return all Personal Data to the Customer in a machine-readable format; or (b) delete all Personal Data. Unless legally required to retain certain data, AnswerMind AI will complete deletion within 30 days of the termination date and, upon request, provide written confirmation of deletion.
12. Audit Rights
AnswerMind AI will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. AnswerMind AI will allow for and contribute to audits or inspections conducted by the Customer or a mandated third-party auditor, provided that: (a) the Customer gives at least 30 days' prior written notice; (b) audits are conducted during business hours with minimal disruption; and (c) the Customer bears the cost of the audit unless the audit reveals a material breach of this DPA.
13. International Data Transfers
Where AnswerMind AI transfers Personal Data from the EEA, UK, or Switzerland to a third country, such transfer will be made: (a) to a country recognized as providing adequate protection; (b) pursuant to Standard Contractual Clauses (SCCs) or binding corporate rules; or (c) pursuant to another lawful transfer mechanism under applicable Data Protection Law. The Customer authorizes AnswerMind AI to make such transfers on the basis set out in this clause.
14. Governing Law
This DPA is governed by the same governing law as the Terms of Service between the parties.
15. Contact
For questions about this DPA or to make a data processing request, contact us at [email protected].