Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") is entered into between:
The Client (acting as the "Data Controller"), the entity or individual that has subscribed to the ChatKYC Service under the Oganiru Advisory Ltd Terms of Service.
Oganiru Advisory Ltd, a company registered in England and Wales, with its registered office at 124 City Road, London, England, EC1V 2NX (acting as the "Data Processor").
This DPA is incorporated into and forms an integral part of the Oganiru Advisory Ltd Terms of Service (the "Main Agreement") and prevails over any conflicting terms in the Main Agreement relating to the processing of Personal Data.
WHEREAS:
(A) The Data Controller is a user of the ChatKYC service (the "Service").
(B) The provision of the Service requires the Data Processor to process Personal Data on behalf of the Data Controller.
(C) This DPA is intended to ensure such processing is conducted in accordance with applicable Data Protection Laws and to satisfy the requirements of Article 28(3) of the EU GDPR and UK GDPR.
1. Definitions
"Data Controller" has the meaning set out in the GDPR. For the purposes of this DPA, it is the Client.
"Data Processor" has the meaning set out in the GDPR. For the purposes of this DPA, it is Oganiru Advisory Ltd.
"Data Protection Laws" means all applicable data protection and privacy legislation, including the EU GDPR, the UK GDPR, and any other national implementing laws, regulations, and secondary legislation.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
"Personal Data" means any information relating to a Data Subject that is processed by the Data Processor on behalf of the Data Controller as part of the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Processing" means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission Decision 2021/914.
"Sub-processor" means any third-party data processor engaged by the Data Processor to process Personal Data.
"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office.
2. Details of the Data Processing
2.1. Subject-Matter, Duration, Nature, and Purpose: The Data Processor will process Personal Data as necessary to provide the ChatKYC Service to the Data Controller as initiated by the Data Controller and its authorised users. The processing will continue for the duration of the Main Agreement.
2.2. Categories of Data Subjects and Personal Data: The specific categories of Data Subjects and types of Personal Data processed are detailed in Appendix 1 of this DPA. The Data Controller is solely responsible for ensuring that it does not input or upload any special categories of data or other sensitive data into the Service beyond what is described in Appendix 1.
3. Obligations of the Data Processor
The Data Processor agrees and warrants that it shall:
3.1. Processing on Documented Instructions: Process the Personal Data only on the documented instructions of the Data Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State or UK law to which the Processor is subject. The Data Controller's use of the Service constitutes its primary documented instruction.
3.2. Confidentiality: Ensure that all personnel authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security of Processing: Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in detail in Appendix 3.
3.4. Engagement of Sub-processors:
The Data Controller provides a general written authorisation for the Data Processor to engage Sub-processors to support the provision of the Service.
The Data Processor shall maintain an up-to-date list of its Sub-processors, which is provided in Appendix 2.
The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Data Controller the opportunity to object to such changes. Such notification will be provided via email or through the Service's administrative interface at least 30 days in advance.
Where the Data Processor engages a Sub-processor, it will do so by way of a written contract which imposes on the Sub-processor the same data protection obligations as set out in this DPA.
3.5. Data Subject Rights: Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising Data Subject rights.
3.6. Assistance to the Data Controller: The Data Processor shall assist the Data Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Data Breach Notifications, and Data Protection Impact Assessments), taking into account the nature of processing and the information available to the Data Processor.
3.7. Return or Deletion of Personal Data: Upon termination of the Main Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless Union or Member State or UK law requires storage of the Personal Data.
3.8. Audits and Inspections: The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Such audits shall be subject to reasonable notice, scope, and confidentiality obligations.
4. International Data Transfers
4.1. Processing Locations: The Data Processor's primary processing facilities are located in the UK and the European Economic Area (EEA).
4.2. Transfers to Third Countries: The Data Controller acknowledges and agrees that, in connection with the provision of the Service, it is necessary to use Sub-processors located in third countries, primarily the United States. Such transfers shall be governed by a valid data transfer mechanism.
4.3. Transfer Mechanism: By entering into this DPA, the Data Controller and Data Processor agree that transfers of Personal Data from the EEA or the UK to a third country shall be governed by the following mechanisms:
For transfers subject to the EU GDPR, the parties are deemed to have entered into the Standard Contractual Clauses (SCCs), Module Two (Controller to Processor).
For transfers subject to the UK GDPR, the parties are deemed to have entered into the UK Addendum, which modifies the SCCs for UK data transfers.
The execution of this DPA shall constitute the execution of the SCCs and the UK Addendum.
5. Personal Data Breach Notification
The Data Processor shall notify the Data Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach. The notification shall, at a minimum:
(a) Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned.
(b) Communicate the name and contact details of the Data Protection Officer or other contact point.
(c) Describe the likely consequences of the Personal Data Breach.
(d) Describe the measures taken or proposed to be taken to address the breach.
6. General Provisions
Governing Law and Jurisdiction: This DPA and any disputes or claims arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction.
Severability: If any provision of this DPA is found to be unenforceable, the remainder shall be enforced as fully as possible and the unenforceable provision shall be deemed modified to the limited extent required to permit its enforcement in a manner most closely representing the parties' intentions.
Notices: All notices shall be in writing and sent to the contact details specified in the Main Agreement.
Appendix 1: Details of the Processing
Categories of Data Subjects: The Data Controller's authorised users and any other individuals whose Personal Data is submitted to the Service by the Data Controller (e.g., in user-generated prompts).
Categories of Personal Data:
* User Account Data: Name, email address, job title, company name.
* Authentication Data: Hashed passwords, OAuth tokens.
* Payment and Billing Data: Billing contact name, billing address, and transaction identifiers. Oganiru does not directly store or process full credit card information; this is handled by our third-party payment processor (Stripe).
* Customer Support Data: Name, email address, and the content of communications submitted via the live chat support service.
* Technical Data: IP addresses, browser information, device identifiers, logs.
* User-Generated Content: Any Personal Data contained within the prompts, queries, or documents uploaded to the ChatKYC Service by the Data Controller's users. The Controller is responsible for ensuring the lawfulness of processing this data.
Special Categories of Data (if any): The Service is not designed to process special categories of Personal Data as defined in Article 9 of the GDPR. The Data Controller agrees not to upload or input such data into the Service.
Nature and Purpose of the Processing: To provide, maintain, secure, and improve the ChatKYC Service. This includes user authentication, providing AI-generated responses to user queries, monitoring for security and performance, providing customer support, and fulfilling all contractual obligations under the Main Agreement.
Duration of the Processing: For the term of the Main Agreement, unless otherwise instructed by the Data Controller for earlier deletion.
Appendix 2: List of Sub-processors
The Data Controller provides general authorisation for the use of the following Sub-processors.
| Sub-processor | Service Provided | Location of Processing |
|---|---|---|
| Google Cloud Platform (via Railway) | Backend hosting and infrastructure | United States / EEA |
| Vercel Inc. | Frontend hosting and deployment | United States / EEA |
| MongoDB, Inc. | Cloud database services (MongoDB Atlas) | United States / EEA |
| Google LLC | Large Language Model processing (Gemini LLM) | United States / Global |
| LangChain, Inc. | AI application observability (LangSmith) | United States |
| Google LLC | User Authentication (via OAuth 2.0, if used by Client) | United States / Global |
| Stripe, Inc. | Payment Processing | United States / Global |
| Intercom, Inc. | Customer Support and Live Chat Platform | United States / Global |
Appendix 3: Technical and Organisational Security Measures
The Data Processor has implemented the following measures to protect Personal Data:
Encryption:
Data in Transit: All data is encrypted in transit using industry-standard TLS 1.2 or higher.
Data at Rest: All data stored in the production database (MongoDB Atlas) is encrypted at rest.
Password Encryption: No user passwords are stored in plaintext; all are securely hashed using the bcrypt hashing algorithm.
Access Control:
Access to Personal Data is restricted to authorised personnel on a strict need-to-know basis.
Authentication is managed via JSON Web Tokens (JWT), signed with HS256, for secure API access.
Optional multi-factor authentication (MFA) can be enabled for user accounts.
Application Security:
Authentication: Secure authentication is enforced for all access to the Service. OAuth 2.0 (via Google Sign-In with OpenID Connect) is offered as a secure sign-in option.
Secure Cookies: All session cookies are configured with HttpOnly and Secure flags and use SameSite policies to protect against Cross-Site Request Forgery (CSRF).
Input Validation: All API inputs are strictly validated against Pydantic schemas to prevent common injection attacks and ensure data integrity.
Confidentiality, Integrity, Availability, and Resilience:
The Service is deployed on resilient cloud infrastructure (Vercel and Railway) designed for high availability.
Regular backups of data are taken to ensure recoverability in case of an incident.
The infrastructure is designed to be scalable and resilient to failures.
Testing and Monitoring:
The infrastructure and applications are continuously monitored for security threats and performance issues.
LangSmith is used for tracing and observability of the AI components to ensure proper functioning and detect anomalies.
Regular security assessments are conducted.