
Data Processing Agreement

Agaron Technologies LLC — Version 1.0 · United States · CCPA / CPRA · VCDPA · CPA-CO

Version 1.0 — United States · Governed by the laws of Florida

Contents

  1. Definitions
  2. Scope and Roles
  3. Nature and Purpose
  4. Categories of Personal Data
  5. Categories of Data Subjects
  6. AI Processing
  7. Storage and Retention
  8. Security Measures
  9. Subprocessors
  10. Data Storage Outside the US
  11. Consumer Rights
  12. Security Incidents
  13. Audits
  14. Data Return and Deletion
  15. Confidentiality
  16. Liability
  17. Governing Law
  18. Open-Source Components
  19. Privacy Contact
  20. Term
  21. General Provisions
  22. CCPA Service Provider Addendum
  Annex A — Processing Details
  Annex B — Security Measures

Parties

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service, Master Services Agreement, or equivalent commercial agreement (the “Agreement”) entered into between:

AGARON TECHNOLOGIES LLC, a limited liability company organized under the laws of the State of Florida, United States, with principal place of business at W Pine St, Office 324, Orlando, Florida 32801 (“Agaron” or “Processor”);

and the Customer identified in the Agreement (“Customer” or “Controller”), each a “Party” and collectively the “Parties.”

The Parties agree that this DPA shall govern the Processing of Personal Data by Agaron on behalf of Customer in connection with the Omnichat platform and related services (the “Services”), and shall prevail over any conflicting terms of the Agreement with respect to data protection matters.

1. Definitions

For the purposes of this DPA, the following capitalized terms shall have the meanings set forth below. Terms not defined herein shall have the meaning ascribed to them in the Agreement or in Applicable Data Protection Laws.

  • 1.1 "Applicable Data Protection Laws" means all privacy, data protection, and information security laws applicable to the Processing of Personal Data under this DPA, including without limitation: (a) CCPA / CPRA; (b) VCDPA; (c) CPA-CO; (d) any other U.S. federal or state privacy law applicable to the Processing; and (e) to the extent Customer's use of the Services involves Personal Data of individuals located in Brazil, the Brazilian General Data Protection Law ("LGPD", Federal Law No. 13,709/2018).
  • 1.2 "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under applicable law.
  • 1.3 "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, sale, sharing, or deletion.
  • 1.4 "Controller" means the Customer, which determines the purposes and means of the Processing of Personal Data.
  • 1.5 "Processor" means Agaron, which Processes Personal Data on behalf of the Controller.
  • 1.6 "Consumer" means a natural person who is a resident of a U.S. state with applicable data protection laws, acting in a personal or household context.
  • 1.7 "Subprocessor" means any third party engaged by Agaron to Process Personal Data on behalf of Customer, pursuant to Section 9 of this DPA.
  • 1.8 "Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Agaron.
  • 1.9 "Service Provider" has the meaning ascribed to it under CCPA Section 1798.140(ag), and Agaron acts as a Service Provider with respect to Personal Data of California residents.

2. Scope and Roles of the Parties

2.1 Customer acts as Controller and is responsible for determining the purposes and means of the Processing. Agaron acts as Processor and Processes Personal Data exclusively on behalf of and under the documented instructions of Customer.

2.2 Agaron shall Process Personal Data solely for the purposes set forth in the Agreement and in this DPA, and shall not use Personal Data for its own purposes, including: (i) commercial marketing to Consumers; (ii) profiling; (iii) the training of artificial intelligence models; or (iv) cross-context behavioral advertising, except where expressly instructed in writing by Customer or required by law.

2.3 Agaron shall promptly inform Customer if, in its reasonable opinion, an instruction from Customer infringes any Applicable Data Protection Law.

3. Nature and Purpose of Processing

3.1 Agaron provides an omnichannel communication platform (the Omnichat platform) enabling Customer to manage communications with its end users through the following channels:

  • WhatsApp Cloud API;
  • Facebook Messenger;
  • Instagram Direct Messages;
  • Line;
  • SMS;
  • Email;
  • Telegram Bots;
  • Webchat;
  • Twilio and Bandwidth integrations;
  • API / SDK integrations;
  • AI Chatbots (optional feature).

3.2 Processing activities include customer communication management, AI chatbot automation, customer support workflows, sales automation, message routing, and storage of messages and related metadata.

3.3 The duration of the Processing shall correspond to the term of the Agreement, plus any additional period strictly necessary for deletion or return of Personal Data in accordance with Section 14.

4. Categories of Personal Data

4.1 The categories of Personal Data Processed under this DPA may include:

  • names;
  • email addresses;
  • phone numbers;
  • IP addresses and connection logs;
  • chat messages and conversational content;
  • Customer metadata;
  • location data (where provided by Consumers or derived from IP addresses);
  • cookies and similar identifiers;
  • files uploaded by Consumers, including images, PDFs, and audio recordings.

4.2 Sensitive Personal Data. Agaron does not intentionally Process sensitive personal information (as defined under the CCPA or other applicable law). Customer acknowledges that free-text chat content and uploaded files may incidentally contain such information. Customer is solely responsible for determining whether its use case involves sensitive personal information and for implementing any heightened safeguards or consent mechanisms required by law.

4.3 Payment Data. Agaron does not store or Process payment card data, bank account numbers, or other financial account credentials. Payment-related Personal Data is collected and Processed exclusively by Stripe, Inc. (see Section 9), which acts as an independent Controller for such data.

5. Categories of Data Subjects

5.1 Personal Data Processed under this DPA relates to:

  • employees, contractors, and authorized users of Customer;
  • end users of Customer (including customers, prospects, and other third parties who interact with Customer through the Services).

6. Artificial Intelligence Processing

6.1 The Services may include optional artificial intelligence features (“AI Features”) that rely on third-party AI providers, specifically OpenAI, L.L.C. and Google LLC.

6.2 AI Features are disabled by default and may be enabled or disabled by Customer at any time through the platform configuration.

6.3 When AI Features are enabled by Customer, Personal Data contained in messages and prompts may be transmitted to the selected AI provider for the sole purpose of generating the requested output. Agaron shall configure such transmissions, to the maximum extent supported by the relevant AI provider, to exclude the use of Customer data for the training of foundation models.

6.4 Customer acknowledges that the use of AI Features may involve the transfer of Personal Data to servers located in the United States operated by the respective AI provider.

7. Data Storage and Retention

7.1 Storage Location

As of the effective date of this DPA, Personal Data is stored on Agaron's dedicated servers physically located in the Federative Republic of Brazil (on-premises / colocation infrastructure). Agaron intends to establish United States–based infrastructure and will notify Customer when U.S. storage becomes available. Customer acknowledges and consents to the current storage location.

7.2 Retention Periods

  • Platform data (account, configuration, aggregate records): twelve (12) months from collection or last interaction, unless a longer retention is required by law or expressly instructed by Customer.
  • Chat history and conversational content: thirty (30) days from the date of the message, or until the storage limit of Customer's plan is reached, whichever occurs first.
  • Backups: retained for up to thirty (30) days after the deletion of the underlying record and thereafter overwritten in the ordinary course of backup rotation.

8. Technical and Organizational Security Measures

8.1 Agaron shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. The measures currently implemented are described in Annex B.

8.2 Agaron shall review such measures periodically and may update them from time to time, provided that the overall level of protection is not materially diminished.

8.3 Agaron represents that all personnel authorized to Process Personal Data are bound by written confidentiality obligations and receive appropriate training on data protection matters.

8.4 Certifications

As of the effective date of this DPA, Agaron does not hold formal ISO 27001 or SOC 2 certifications. Agaron intends to seek controls aligned with ISO/IEC 27001 and SOC 2 Type II. Customer acknowledges that certification status does not affect Agaron's obligations under this DPA.

9. Subprocessors

9.1 Customer hereby grants Agaron general written authorization to engage Subprocessors for the Processing of Personal Data, subject to the conditions of this Section 9.

9.2 Current Subprocessors. As of the effective date of this DPA, Agaron engages the Subprocessors listed below:

| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and verification of Customer payment status | United States |
| Meta Platforms, Inc. | WhatsApp, Messenger, and Instagram messaging integrations | United States |
| Twilio Inc. | SMS and voice messaging infrastructure | United States |
| OpenAI, L.L.C. | Optional AI chatbot processing (only when Customer enables AI Features) | United States |
| Google LLC | Optional AI processing (only when Customer enables AI Features) | United States |
| LinkedIn Corporation | Optional messaging integration (only when Customer enables the channel) | United States |

9.3 Infrastructure clarification. Primary data storage is performed on Agaron's servers located in Brazil. Subprocessors listed above are engaged only for the specific functions described (payment processing, messaging-channel delivery, and optional AI processing). Agaron does not use third-party cloud infrastructure providers (such as AWS, GCP, or Azure) for primary storage of Customer Personal Data.

9.4 Flow-down obligations. Agaron shall enter into a written agreement with each Subprocessor that imposes data protection obligations substantially equivalent to, and no less protective than, those set forth in this DPA.

9.5 Updates to the Subprocessor list. Agaron maintains an updated list of Subprocessors and shall provide Customer with at least thirty (30) days' prior written notice of any intended addition or replacement of a Subprocessor.

9.6 Right to object. Customer may object, on reasonable data protection grounds, to the appointment of a new Subprocessor within fifteen (15) days of such notice. If the Parties are unable to resolve the objection in good faith within thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services upon written notice, without penalty.

9.7 Liability for Subprocessors. Agaron remains liable to Customer for the acts and omissions of its Subprocessors with respect to the Processing of Personal Data, to the same extent that Agaron would be liable if performing such Processing directly, subject to the limitations set forth in Section 16.

10. Data Storage Outside the United States

10.1 Customer acknowledges that, as of the effective date of this DPA, Personal Data is stored on Agaron's servers in Brazil. Agaron intends to establish U.S.-based infrastructure and will notify Customer when U.S. storage becomes available.

10.2 Agaron represents that it maintains appropriate safeguards for Personal Data stored outside the United States, including the security measures described in Annex B, and that it shall not transfer Personal Data to any jurisdiction other than Brazil and the United States without Customer's prior written consent.

10.3 Customer acknowledges that the messaging channels operated by Meta, Twilio, and LinkedIn, as well as the AI Features operated by OpenAI and Google, process data within the United States.

11. Consumer and Data Subject Rights

11.1 Agaron shall, taking into account the nature of the Processing, provide reasonable assistance to Customer, through appropriate technical and organizational measures, to enable Customer to respond to requests from Consumers exercising their rights under Applicable Data Protection Laws, including rights of:

  • access;
  • deletion;
  • correction;
  • portability;
  • opt-out of sale or sharing (to the extent applicable);
  • restriction of processing;
  • information about categories of data collected and disclosed.

11.2 If Agaron receives a request directly from a Consumer, Agaron shall, unless legally prohibited, promptly forward such request to Customer and shall not respond directly to the Consumer except to confirm receipt and redirect them to Customer.

12. Security Incidents

12.1 Agaron shall notify Customer without undue delay, and in any event within forty-eight (48) hours of confirmed discovery, of any Security Incident affecting Customer Personal Data.

12.2 The notification shall include, to the extent then known, and shall be supplemented as further information becomes available:

  • the nature of the Security Incident, including the categories and approximate number of Consumers and records affected;
  • the likely consequences of the Security Incident;
  • the measures taken or proposed to address the Security Incident and mitigate its effects;
  • the contact details of Agaron's privacy contact.

12.3 Agaron shall provide Customer with reasonable assistance in fulfilling Customer's obligations to notify affected individuals and applicable regulatory authorities under state breach-notification laws.

12.4 Nothing in this Section shall be construed as an acknowledgement by Agaron of any fault or liability with respect to the Security Incident.

13. Audits and Demonstrations of Compliance

13.1 Agaron shall make available to Customer, upon reasonable written request, documentation reasonably necessary to demonstrate compliance with this DPA, which may include summaries of security policies, penetration-testing reports (in redacted form), and third-party audit reports, if any.

13.2 Customer may, at its own expense and no more than once per calendar year (except following a Security Incident or where required by a regulatory authority), conduct or mandate an independent third-party auditor, subject to written confidentiality obligations reasonably acceptable to Agaron, to audit Agaron's compliance with this DPA.

13.3 Any audit shall: (i) be preceded by at least thirty (30) days' prior written notice; (ii) be conducted during regular business hours; (iii) not unreasonably interfere with Agaron's business operations; and (iv) respect the confidentiality of other customers' data.

14. Data Return and Deletion

14.1 Upon termination or expiration of the Agreement, or at any time upon Customer's written request, Agaron shall:

  • cease Processing Personal Data, other than for the purpose of deletion or return;
  • provide Customer, upon prior written request, with an export of Customer Personal Data in a commonly used and machine-readable format;
  • permanently delete Personal Data from production systems within thirty (30) days;
  • permanently delete or render irretrievable Personal Data from backups within thirty (30) days.

14.2 Agaron may retain Personal Data to the extent required by applicable law, provided that Agaron shall continue to protect such Personal Data in accordance with this DPA and shall limit Processing to the purposes necessitating such retention.

14.3 Upon Customer's written request, Agaron shall certify the deletion of Personal Data.

15. Confidentiality

15.1 Agaron shall treat all Personal Data as confidential information and shall ensure that any person authorized to Process Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality.

16. Liability

16.1 Each Party's aggregate liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Where no such limitation is set forth in the Agreement, each Party's aggregate liability shall be capped at the total fees paid by Customer to Agaron under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

16.2 The foregoing limitations shall not apply to: (i) liability that cannot be excluded or limited under Applicable Data Protection Laws; (ii) willful misconduct or gross negligence; or (iii) breach of confidentiality obligations.

16.3 Neither Party shall be liable for indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, or business opportunity, except where such exclusion is prohibited by law.

17. Governing Law and Jurisdiction

17.1 This DPA shall be governed by and construed in accordance with the laws of the State of Florida, United States of America, without regard to its conflict-of-laws provisions.

17.2 Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the state and federal courts located in Orange County, Florida.

18. Open-Source Components

18.1 The Services incorporate open-source software components, including a forked and modified version of Chatwoot, originally licensed under the MIT License.

18.2 Agaron maintains such fork for purposes of research, development, and product improvement. Open-source components remain subject to their respective licenses, a copy of which shall be made available to Customer upon written request.

19. Privacy Contact

19.1 Customer, Consumers, and regulatory authorities may contact Agaron's privacy team through the following channel:

  • Email: privacy@agaron.com
  • Postal address: W Pine St, Office 324, Orlando, Florida 32801, United States.

20. Term

20.1 This DPA shall take effect on the date of execution of the Agreement (or such later date on which Customer accepts the then-current version of this DPA) and shall remain in force for so long as Agaron Processes Personal Data on behalf of Customer.

20.2 The obligations of Agaron under Sections 11 (Consumer Rights), 12 (Security Incidents), 14 (Data Return and Deletion), 15 (Confidentiality), and 16 (Liability) shall survive the termination of this DPA for as long as Agaron retains any Personal Data.

21. General Provisions

21.1 Order of precedence. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection matters.

21.2 Amendments. This DPA may be amended only by written agreement of the Parties, except that Agaron may unilaterally update this DPA from time to time to reflect changes in Applicable Data Protection Laws, provided that such updates do not materially reduce the level of protection afforded to Personal Data.

21.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

21.4 Entire agreement. This DPA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements relating to such subject matter.

22. CCPA Service Provider Addendum

This Section 22 applies to the extent that Agaron Processes Personal Data of California residents on behalf of Customer, and is intended to satisfy the requirements of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”).

22.1 Service Provider Status

Agaron is a “Service Provider” as defined in CCPA Section 1798.140(ag). Customer discloses Personal Data to Agaron solely for the limited and specified business purposes set forth in this DPA and the Agreement.

22.2 Restrictions on Use

Agaron shall not:

  • sell or share (as those terms are defined by the CCPA) Personal Data received from or on behalf of Customer;
  • retain, use, or disclose Personal Data for any commercial purpose other than providing the Services as specified in the Agreement;
  • retain, use, or disclose Personal Data outside of the direct business relationship between Agaron and Customer;
  • combine Personal Data received from or on behalf of Customer with Personal Data that Agaron receives from or on behalf of another person or persons, or collects from its own interaction with Consumers, except as expressly permitted by the CCPA.

22.3 Compliance Certification

Agaron certifies that it understands and will comply with the restrictions set forth in this Section 22 and in the CCPA. Agaron further certifies that it will not retain, use, or disclose Personal Data in a manner inconsistent with its obligations as a Service Provider under the CCPA.

22.4 Right to Monitor

Customer has the right to take reasonable and appropriate steps to ensure that Agaron uses Personal Data in a manner consistent with Customer's obligations under the CCPA. Customer may exercise this right through the audit provisions set forth in Section 13 of this DPA.

22.5 Consumer Requests

Agaron shall assist Customer in responding to verifiable consumer requests under the CCPA, including requests to know, requests to delete, and requests to correct, by providing Customer with the technical means to retrieve or delete the relevant Personal Data, or by performing such retrieval or deletion at Customer's documented instruction.

22.6 De-identification

If Agaron de-identifies any Personal Data, it shall maintain and use such data in de-identified form and shall not attempt to re-identify the data, except to verify the de-identification process.

22.7 Subcontractor Flow-Down

To the extent Agaron engages any Subprocessor to assist in the Processing of Personal Data subject to the CCPA, Agaron shall ensure that such Subprocessor is contractually bound by obligations no less restrictive than those applicable to Service Providers under the CCPA.

Annex A — Processing Details

| Item | Description |
|---|---|
| Controller | Customer identified in the Agreement |
| Processor | AGARON TECHNOLOGIES LLC |
| Purpose | Provision of the Omnichat omnichannel communication platform |
| Duration | Term of the Agreement, plus deletion period under Section 14 |
| Nature of Processing | Collection, storage, routing, display, and (optionally) AI-assisted generation of messages and related content |
| Categories of Personal Data | As described in Section 4 |
| Categories of Data Subjects | As described in Section 5 |
| Storage Location | Agaron servers in Brazil (colocation); U.S. infrastructure planned |
| Retention | As described in Section 7.2 |

Annex B — Technical and Organizational Security Measures

Agaron implements the following technical and organizational measures to protect Personal Data. These measures are reviewed periodically and may be updated, provided that the overall level of protection is not materially diminished.

B.1 Encryption

Encryption at rest for stored Personal Data using industry-standard algorithms.

B.2 Access Control

  • Role-based access control (RBAC) for all administrative and operational access;
  • Multi-factor authentication (MFA) required for all administrative access;
  • Principle of least privilege applied to internal personnel.

B.3 Authentication

  • Strong password requirements;
  • Secure session management;
  • Logging of authentication events.

B.4 Backups and Business Continuity

  • Automated backups every three (3) hours;
  • Backup integrity verification.

B.5 Monitoring and Logging

  • Infrastructure monitoring and alerting;
  • Security event logging;
  • Retention of logs for a period reasonably necessary for investigative purposes.

B.6 Personnel

  • Written confidentiality obligations for all personnel with access to Personal Data;
  • Periodic data protection and information security training;
  • Revocation of access upon termination or change of role.

B.7 Physical Security

  • Restricted access to colocation / server facilities;
  • Environmental controls (fire suppression, power redundancy, climate control) at colocation facility.

B.8 Certification Roadmap

Agaron intends to seek controls aligned with ISO/IEC 27001 and SOC 2 Type II.

© 2026 Agaron Technologies LLC — All rights reserved.