soy.chat

Data Processing Agreement (DPA)

Effective Date: 11/01/2025 (November 1, 2025)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Marcelo Vicente Guimarães Cardoso LTDA ("Owner," "We," "Processor") and the User ("You," "Controller") for the use of SoyChat.


1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

For the purposes of this DPA:

"Controller" means the User who determines the purposes and means of processing Personal Data through the Service.

"Processor" means the Owner (Marcelo Vicente Guimarães Cardoso LTDA) who processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller, including AI providers.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Service.

"Processing" has the meaning given in applicable Data Protection Laws.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including:

  • EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • Brazilian General Data Protection Law (LGPD) - Lei Geral de Proteção de Dados (Lei 13.709/2018)
  • UK Data Protection Act 2018 and UK GDPR
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Any other applicable data protection legislation

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Service" means the SoyChat platform and all related services as described in the Terms of Service.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed through the Service.

"Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.

1.2 Interpretation

  • References to "including" or "includes" mean "including without limitation."
  • Headings are for convenience only and do not affect interpretation.
  • In case of conflict between this DPA and the Terms of Service, this DPA prevails regarding data protection matters.

2. SCOPE AND APPLICABILITY

2.1 Scope of Processing

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the Service, including but not limited to:

Personal Data from Users (where User is the Controller):

  • Contact information of Visitors who interact with User's chat interfaces
  • Chat messages and conversation data from Visitors
  • Any Personal Data contained in documents uploaded by the User
  • Usage data and analytics related to the User's chat interfaces
  • IP addresses and technical data from Visitors

Personal Data categories:

  • Identity data (names, usernames)
  • Contact data (email addresses, phone numbers if provided)
  • Technical data (IP addresses, browser information, device information)
  • Usage data (chat messages, queries, timestamps)
  • Content data (any Personal Data contained in uploaded documents)
  • Professional data (if contained in uploaded materials)

Categories of Data Subjects:

  • Visitors who interact with User's chat interfaces
  • Individuals whose Personal Data is contained in User-uploaded documents
  • End users of the User's services

2.2 Nature and Purpose of Processing

The Processor will process Personal Data for the following purposes:

  • Providing the AI chat interface functionality
  • Generating AI responses based on uploaded documents (RAG processing)
  • Creating vector embeddings of uploaded content
  • Storing and retrieving chat history
  • Providing analytics and usage statistics
  • Maintaining and improving the Service
  • Providing customer support
  • Complying with legal obligations

2.3 Duration of Processing

Processing will continue for the duration of the Service Agreement and for any retention period required by law or specified in the Privacy Policy, unless earlier termination occurs in accordance with Section 14.


3. CONTROLLER AND PROCESSOR OBLIGATIONS

3.1 Controller Obligations and Warranties

The Controller represents, warrants, and undertakes that:

a) Lawful Basis:

  • It has a valid lawful basis under Data Protection Laws for all processing of Personal Data through the Service
  • It has obtained all necessary consents, provided all required notices, and established all necessary legal grounds for the processing

b) Instructions:

  • It will only provide processing instructions that comply with Data Protection Laws
  • The Terms of Service, this DPA, and the documented instructions described in Section 15.1 constitute the Controller's complete instructions for processing
  • Any additional instructions must be agreed in writing

c) Data Subject Rights:

  • It is responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection)
  • It will not instruct the Processor to take any action that would violate Data Protection Laws

d) Data Accuracy:

  • It is responsible for ensuring the accuracy of Personal Data it provides
  • It will not upload Personal Data it is not authorized to process

e) Visitor Notices:

  • It will provide appropriate privacy notices to Visitors and data subjects
  • It will inform Visitors that they are interacting with an AI system
  • It will obtain necessary consents from Visitors where required

f) Sensitive Data:

  • It will not upload Special Categories of Personal Data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation) or Personal Data relating to criminal convictions without prior written agreement
  • If such data must be processed, Controller will implement additional safeguards

g) International Transfers:

  • It acknowledges that processing may involve international data transfers as described in Section 7
  • It has authority to authorize such transfers

3.2 Processor Obligations

The Processor undertakes to:

a) Process Only on Instructions:

  • Process Personal Data only on documented instructions from the Controller (except where required by law)
  • Inform the Controller if, in its opinion, an instruction violates Data Protection Laws

b) Confidentiality:

  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

c) Security Measures:

  • Implement appropriate technical and organizational measures as described in Section 4

d) Sub-processing:

  • Only engage Sub-processors in accordance with Section 5

e) Assistance:

  • Assist the Controller in responding to Data Subject requests as described in Section 6
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations

f) Deletion or Return:

  • Delete or return all Personal Data to the Controller after the end of the provision of services, unless required to retain it by law

g) Audits:

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits as described in Section 9

h) Breach Notification:

  • Notify the Controller without undue delay after becoming aware of a Security Incident

4. TECHNICAL AND ORGANIZATIONAL MEASURES

4.1 Security Measures

The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

a) Access Control:

  • User authentication and authorization systems
  • Role-based access controls
  • Multi-factor authentication for administrative accounts
  • Regular access reviews and privilege management
  • Secure password policies

b) Data Encryption:

  • Encryption of Personal Data in transit (TLS 1.2 or higher)
  • Encryption of Personal Data at rest
  • Encrypted backups
  • Secure key management

c) Network Security:

  • Firewall protection
  • Intrusion detection and prevention systems
  • Regular security monitoring
  • DDoS protection
  • Secure network architecture

d) Application Security:

  • Secure software development practices
  • Regular security testing and vulnerability assessments
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)
  • Security patches and updates

e) Data Integrity and Availability:

  • Regular automated backups
  • Disaster recovery procedures
  • Business continuity planning
  • Redundant infrastructure
  • System monitoring and alerting

f) Organizational Measures:

  • Information security policies and procedures
  • Employee security training and awareness
  • Background checks for personnel with access to Personal Data
  • Incident response procedures
  • Vendor security assessments

g) Physical Security:

  • Data centers with physical access controls
  • Environmental controls (fire suppression, climate control)
  • 24/7 monitoring and surveillance
  • Secure disposal of hardware

4.2 Sub-processor Security

The Processor ensures that all Sub-processors implement security measures that meet or exceed those described in Section 4.1.

4.3 Review and Updates

The Processor will regularly review and update security measures to address evolving threats and maintain compliance with Data Protection Laws.


5. SUB-PROCESSORS

5.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Current Sub-processors:

  Sub-processor               | Service Provided               | Location       | Privacy Policy
  Groq, Inc.                  | AI model inference             | United States  | https://groq.com/privacy-policy/
  OpenRouter AI               | AI model routing               | United States  | https://openrouter.ai/privacy
  Google LLC (Gemini)         | AI model inference             | United States  | https://policies.google.com/privacy
  Cerebras                    | AI model inference             | United States  | https://cerebras.ai/privacy-policy
  Hetzner                     | Infrastructure hosting         | Germany        | https://www.hetzner.com/legal/privacy-policy
  Stripe, Inc.                | Payment processing             | United States  | https://stripe.com/privacy
  Fastmail Pty Ltd            | Email delivery                 | Australia      | https://www.fastmail.com/about/privacy/
  Bunny.net (BunnyWay d.o.o.) | DNS resolution and nameservers | Slovenia (EU)  | https://bunny.net/privacy/

Note: An updated list of Sub-processors is maintained at https://soy.chat/sub-processors and in the Terms of Service.

5.2 Sub-processor Requirements

The Processor ensures that:

a) Contracts:

  • All Sub-processors are bound by written contracts that impose data protection obligations equivalent to those in this DPA
  • Sub-processor contracts include obligations regarding security, confidentiality, data subject rights, deletion, and audits

b) Liability:

  • The Processor remains fully liable to the Controller for the performance of any Sub-processor's obligations

c) Compliance:

  • Sub-processors comply with Data Protection Laws and maintain appropriate security measures

5.3 Changes to Sub-processors

a) Notice of New Sub-processors: The Processor will:

  • Update the Sub-processor list at https://soy.chat/sub-processors within 5 business days of engaging a new Sub-processor
  • Notify active Controllers via email at least 30 days before a new Sub-processor processes their Personal Data (where required by Data Protection Laws)

b) Controller's Right to Object:

  • The Controller has 14 days from notification to object to the engagement of a new Sub-processor on reasonable grounds relating to data protection
  • If Controller objects, the parties will work together in good faith to find a resolution
  • If no resolution is possible, Controller may terminate the affected Service without penalty

c) Emergency Sub-processors:

  • In emergency situations (security incident, service outage), Processor may engage temporary Sub-processors with less notice
  • Processor will notify Controller within 48 hours and follow normal objection procedures

5.4 Sub-processor Due Diligence

Before engaging any Sub-processor, the Processor will:

  • Conduct appropriate due diligence
  • Verify the Sub-processor's security measures and compliance with Data Protection Laws
  • Ensure appropriate data transfer mechanisms are in place for international transfers

6. DATA SUBJECT RIGHTS

6.1 Controller Responsibility

The Controller is primarily responsible for responding to Data Subject requests. The Processor will assist the Controller as described below.

6.2 Processor Assistance

Upon receiving a Data Subject request, the Processor will:

a) Forward Requests:

  • Forward any Data Subject requests received directly to the Controller within 2 business days

b) Provide Assistance:

  • Provide reasonable assistance to help the Controller respond to requests, including:
    • Access requests: Providing copies of Personal Data in the Processor's systems
    • Rectification requests: Correcting inaccurate Personal Data upon Controller's instruction
    • Erasure requests: Deleting Personal Data upon Controller's instruction (subject to legal retention obligations)
    • Restriction requests: Limiting processing upon Controller's instruction
    • Portability requests: Providing Personal Data in a structured, commonly used, machine-readable format
    • Objection requests: Ceasing processing upon Controller's instruction

c) Timeframe:

  • Respond to Controller's assistance requests within 5 business days, or sooner if required to meet legal deadlines

d) Technical Measures:

  • Maintain systems and processes that enable timely responses to Data Subject requests
  • Provide self-service tools where feasible (e.g., account deletion, data export)

6.3 Fees

Assistance with Data Subject requests is included in the Service fee. However, the Processor may charge reasonable fees for:

  • Manifestly unfounded or excessive requests (as permitted by GDPR Article 12(5))
  • Requests requiring significant custom development or manual effort
  • Requests from Controllers who have exceeded reasonable request volumes

Fees will be agreed in advance.

6.4 Direct Requests to Processor

If a Data Subject contacts the Processor directly, the Processor will:

  • Redirect them to the Controller where appropriate
  • Only respond directly if required by law
  • Notify the Controller of any such direct response

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfer Mechanisms

a) Current Transfers: Personal Data may be transferred to and processed in the following locations:

  • United States: AI providers (Groq, OpenRouter, Google, Cerebras) and payment processing (Stripe)
  • Germany: Infrastructure hosting (Hetzner)
  • Brazil: Owner's registered location
  • Other locations: As specified in the Sub-processor list in Section 5.1

b) Adequacy Decisions: Where the European Commission has determined that a country ensures an adequate level of protection, transfers to that country are permitted.

c) Standard Contractual Clauses (SCCs): For transfers not covered by adequacy decisions:

  • The parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) approved by European Commission Decision 2021/914
  • The SCCs are incorporated into this DPA by reference and form Annex A
  • In case of conflict between this DPA and the SCCs, the SCCs prevail

d) UK Transfers: For transfers from the UK:

  • The parties agree to be bound by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs
  • These terms are incorporated by reference

e) Brazilian Transfers: For transfers from Brazil:

  • Transfers comply with LGPD Article 33 and related provisions
  • Standard Contractual Clauses approved by Brazilian ANPD (when available) will be incorporated

7.2 Additional Safeguards

In addition to SCCs, the Processor implements:

  • Encryption of data in transit and at rest
  • Strict access controls and authentication
  • Regular security assessments
  • Contractual restrictions on Sub-processor access to data
  • Transparency regarding government access requests

7.3 Government Access Requests

a) Notification: If the Processor receives a legally binding request from a government authority for access to Personal Data:

  • The Processor will notify the Controller unless prohibited by law
  • The Processor will challenge overly broad or unlawful requests where possible
  • The Processor will provide transparency reports (where permitted)

b) Data Minimization: The Processor will only disclose the minimum Personal Data necessary to comply with the request.

7.4 Sub-processor Transfers

All Sub-processors engaged for international transfers:

  • Are bound by equivalent data transfer mechanisms (SCCs, adequacy decisions, etc.)
  • Implement appropriate safeguards
  • Are listed in Section 5.1 with their locations

8. SECURITY INCIDENTS AND BREACH NOTIFICATION

8.1 Security Incident Response

a) Detection and Assessment: The Processor maintains systems to detect and assess Security Incidents promptly.

b) Notification to Controller: Upon becoming aware of a Security Incident, the Processor will:

  • Notify the Controller without undue delay and in any event within 48 hours
  • Provide the following information (to the extent available):
    • Description of the nature of the Security Incident
    • Categories and approximate number of Data Subjects affected
    • Categories and approximate number of Personal Data records affected
    • Likely consequences of the Security Incident
    • Measures taken or proposed to address the Security Incident
    • Measures taken or proposed to mitigate potential adverse effects
    • Contact point for more information

c) Follow-up Information: If not all information is available within 48 hours, the Processor will provide:

  • Initial notification with available information
  • Follow-up notifications with additional information as it becomes available

d) Documentation: The Processor will document all Security Incidents, including:

  • Facts relating to the incident
  • Effects of the incident
  • Remedial actions taken

8.2 Controller's Notification Obligations

The Controller is responsible for:

  • Notifying supervisory authorities (where required by law, e.g., GDPR Article 33 - within 72 hours)
  • Notifying affected Data Subjects (where required by law, e.g., GDPR Article 34)
  • Determining whether the Security Incident must be notified

8.3 Processor Cooperation

The Processor will:

  • Cooperate with the Controller in investigating Security Incidents
  • Provide reasonable assistance for Controller's notifications to authorities and Data Subjects
  • Implement measures to prevent recurrence
  • Provide post-incident reports upon request

8.4 No Admission of Liability

Notification of a Security Incident does not constitute an admission of fault or liability by the Processor.


9. AUDITS AND INSPECTIONS

9.1 Audit Rights

The Processor will allow the Controller (or a third-party auditor appointed by the Controller) to:

  • Audit the Processor's compliance with this DPA
  • Inspect relevant facilities, systems, and documentation
  • Review security certifications and audit reports

9.2 Audit Process

a) Frequency:

  • Controllers may request audits once per year
  • Additional audits may be requested after a Security Incident or if required by supervisory authorities

b) Notice:

  • Controller must provide at least 30 days' written notice
  • Notice must specify scope, duration, and auditor details

c) Scope:

  • Audits must be reasonable in scope and duration
  • Audits must not unreasonably interfere with Processor's operations
  • Audits must be limited to matters relevant to this DPA

d) Timing and Confidentiality:

  • Audits conducted during business hours
  • Processor may require auditor to sign confidentiality agreement

e) Alternative Compliance Evidence: The Processor may satisfy audit requirements by providing:

  • SOC 2 Type II reports
  • ISO 27001 certifications
  • Other independent third-party audit reports
  • Sub-processor audit reports

9.3 Audit Costs

a) Controller-Initiated Audits:

  • First annual audit: Controller bears its own costs
  • Additional audits: Processor may charge reasonable fees for staff time and resources

b) Post-Incident Audits:

  • Audits following a Security Incident caused by Processor: Processor bears costs

c) Regulatory Audits:

  • Audits required by supervisory authorities: Costs shared reasonably

9.4 Remediation

If an audit reveals non-compliance:

  • Processor will provide a remediation plan within 14 days
  • Processor will implement remediation measures within agreed timeframes
  • Controller may conduct follow-up audits to verify remediation

10. DATA DELETION AND RETURN

10.1 Deletion Upon Termination

Upon termination or expiration of the Service Agreement, the Processor will:

a) Timeframe:

  • Delete or return all Personal Data within 30 days unless:
    • Controller requests a different timeframe
    • Law requires retention

b) Method of Deletion:

  • Securely delete Personal Data from all systems (production, backup, development)
  • Use industry-standard secure deletion methods
  • Delete data from Sub-processor systems

c) Certification:

  • Provide written certification of deletion upon Controller's request
  • Certification will include date of deletion and description of systems from which data was deleted

10.2 Return of Data

If Controller requests return instead of deletion:

a) Format:

  • Data provided in commonly used, structured, machine-readable format (CSV, JSON, or as agreed)
  • Processor will use reasonable efforts to provide data in Controller's requested format

b) Secure Transfer:

  • Data transferred via secure, encrypted method
  • Controller responsible for securely receiving and storing returned data

c) Deletion After Return:

  • After successful return, Processor will delete all remaining copies (subject to legal retention)

10.3 Legal Retention

If law requires the Processor to retain certain Personal Data:

  • Processor will notify Controller of retention requirement
  • Processor will retain only the minimum data required by law
  • Processor will continue to protect retained data in accordance with this DPA
  • Processor will delete data when retention period expires

10.4 User-Initiated Deletion

Users may delete their own data at any time through:

  • Account settings ("Delete Account")
  • Specific data deletion tools within the Service
  • Contacting hello@soy.chat

Upon user-initiated deletion:

  • Data deleted within 7 days from active systems
  • Backup copies deleted within 90 days
  • Aggregated data that has been fully anonymized, so that it is no longer Personal Data, may be retained for analytics

11. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

11.1 DPIA Assistance

The Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) when:

  • Required by Data Protection Laws (e.g., GDPR Article 35)
  • Processing is likely to result in high risk to Data Subjects

11.2 Information Provided

The Processor will provide:

  • Description of processing operations and purposes
  • Categories of Personal Data processed
  • Technical and organizational security measures
  • Sub-processor information
  • International transfer mechanisms
  • Data retention periods
  • Security incident history (if relevant)

11.3 Prior Consultation

If a DPIA indicates high risk and Controller must consult with a supervisory authority, the Processor will:

  • Provide information reasonably necessary for consultation
  • Cooperate with Controller and supervisory authority
  • Implement any changes required by supervisory authority (if reasonable and agreed)

12. RECORDS OF PROCESSING ACTIVITIES

12.1 Processor's Records

The Processor maintains records of processing activities in accordance with Data Protection Laws (e.g., GDPR Article 30(2)), including:

  • Name and contact details of Processor and Controller
  • Categories of processing carried out on behalf of Controller
  • International transfers and safeguards
  • Description of technical and organizational security measures

12.2 Availability

Records will be made available to supervisory authorities upon request and to the Controller for audit purposes.


13. LIABILITY AND INDEMNIFICATION

13.1 GDPR Liability Framework

Under GDPR Article 82:

  • Each party is liable for damage caused by processing that infringes the GDPR; where both Controller and Processor are involved in the same processing and are responsible for the damage, each may be held liable for the entire damage (with a right of recourse against the other) so that the Data Subject is fully compensated
  • Processor is liable only if it has not complied with GDPR obligations specifically directed at processors OR has acted outside or contrary to the Controller's lawful instructions
  • Either party is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage

13.2 Limitation of Liability

To the maximum extent permitted by Data Protection Laws:

a) Processor's Liability Cap:

  • Processor's total aggregate liability under this DPA (excluding gross negligence or willful misconduct) is limited to the amounts paid by Controller to Processor in the 12 months preceding the claim

b) Excluded Damages:

  • Neither party is liable for indirect, consequential, special, or punitive damages (except as required by Data Protection Laws)

c) Exceptions: Limitations do not apply to:

  • Violations caused by Processor's gross negligence or willful misconduct
  • Liability that cannot be limited under Data Protection Laws
  • Fines or penalties imposed by supervisory authorities
  • Indemnification obligations under Section 13.3

13.3 Indemnification

a) By Controller: Controller will indemnify Processor against claims arising from:

  • Controller's violation of Data Protection Laws
  • Controller's unlawful processing instructions
  • Controller's breach of warranties in Section 3.1

b) By Processor: Processor will indemnify Controller against claims arising from:

  • Processor's violation of this DPA
  • Processor's failure to comply with Data Protection Laws
  • Security Incidents caused by Processor's negligence

13.4 Defense and Settlement

a) Notice: Indemnified party must promptly notify indemnifying party of any claim

b) Control: Indemnifying party has right to control defense and settlement (with indemnified party's reasonable cooperation)

c) No Settlement Without Consent: No settlement without indemnified party's consent (not to be unreasonably withheld)


14. TERM AND TERMINATION

14.1 Term

This DPA takes effect on the date the Controller accepts the Terms of Service and continues until both of the following have occurred:

  • Termination of the Service Agreement, AND
  • Deletion or return of all Personal Data in accordance with Section 10

14.2 Termination by Controller

Controller may terminate this DPA:

  • Upon termination of the Service Agreement
  • If Processor materially breaches this DPA and fails to remedy within 30 days of written notice
  • If Controller objects to a new Sub-processor and no resolution is reached (Section 5.3)

14.3 Termination by Processor

Processor may terminate this DPA:

  • Upon termination of the Service Agreement
  • If Controller materially breaches payment obligations
  • If Controller issues unlawful processing instructions and fails to withdraw them after notice

14.4 Effect of Termination

Upon termination:

  • Processor will cease all processing of Personal Data (except as required for deletion/return)
  • Data deletion/return procedures in Section 10 apply
  • Provisions that by their nature should survive will survive (confidentiality, liability, audit rights for past period, etc.)

14.5 Survival

The following sections survive termination:

  • Section 3.1 (Controller warranties for past processing)
  • Section 8 (Security Incidents - for incidents during the term)
  • Section 9 (Audits - for the prior term)
  • Section 10 (Data Deletion and Return)
  • Section 13 (Liability and Indemnification)
  • Section 16 (Confidentiality - indefinitely)
  • Section 18.2 (Dispute Resolution)

15. INSTRUCTIONS AND LAWFUL PROCESSING

15.1 Processing Instructions

a) Documented Instructions: The Processor will process Personal Data only on the Controller's documented instructions, which consist of:

  • This DPA
  • The Terms of Service
  • The Service's intended functionality as described in documentation
  • Specific written instructions from Controller via:
    • The Service interface (account settings, configurations)
    • Email to hello@soy.chat
    • Other written communications

b) Unlawful Instructions: If Processor believes an instruction violates Data Protection Laws:

  • Processor will promptly inform Controller
  • Processor may suspend compliance with the instruction until Controller confirms or withdraws it
  • Processor is not liable for non-compliance with unlawful instructions

c) Additional Instructions: Any instructions beyond those in subsection (a) must be:

  • Agreed in writing
  • Reasonable and feasible
  • Documented as amendments to this DPA

15.2 Processing by Legal Requirement

If Processor is required by EU or Member State law, UK law, or Brazilian law to process Personal Data beyond Controller's instructions:

  • Processor will inform Controller before processing (unless prohibited by law)
  • Processor will process only to the extent legally required
  • Such processing does not breach this DPA

16. CONFIDENTIALITY

16.1 Confidentiality Obligations

The Processor will:

  • Keep all Personal Data confidential
  • Ensure that personnel authorized to process Personal Data:
    • Have committed to confidentiality, OR
    • Are under appropriate statutory obligations of confidentiality
  • Not disclose Personal Data to third parties except:
    • Sub-processors authorized under Section 5
    • As required by law
    • With Controller's prior written consent

16.2 Personnel Training

The Processor will:

  • Provide regular data protection training to personnel
  • Ensure personnel understand their obligations under Data Protection Laws and this DPA
  • Maintain records of training completion

16.3 Background Checks

For personnel with access to Personal Data, the Processor will conduct:

  • Background checks appropriate to the role
  • Verification of identity
  • Screening in accordance with applicable laws

17. RELATIONSHIP WITH TERMS OF SERVICE

17.1 Incorporation

This DPA is incorporated into and forms part of the Terms of Service.

17.2 Precedence

In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails.

17.3 Multiple Agreements

If Controller has multiple agreements with Processor for different Services:

  • This DPA applies to all such agreements
  • Processing activities may be governed by one consolidated DPA
  • Parties may execute service-specific DPA amendments as needed

18. GENERAL PROVISIONS

18.1 Governing Law

This DPA is governed by the same law as the Terms of Service:

  • Brazilian Users: Brazilian law
  • EU Users: Brazilian law, but Controller retains all rights under EU Data Protection Laws
  • Other Users: Brazilian law

Data Protection Laws apply regardless of governing law choice.

18.2 Dispute Resolution

a) Good Faith Negotiations: Parties will attempt to resolve disputes through good faith negotiations for 30 days.

b) Supervisory Authority Complaints: Data Subjects and Controllers have the right to lodge complaints with supervisory authorities:

  • EU: Relevant Data Protection Authority in Controller's country
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
  • UK: Information Commissioner's Office (ICO)

c) Jurisdiction: Subject to supervisory authority jurisdiction, disputes will be resolved in accordance with the Terms of Service.

18.3 Amendments

a) By Agreement: This DPA may be amended only by written agreement signed by both parties.

b) For Legal Compliance: Processor may amend this DPA to comply with changes in Data Protection Laws by:

  • Providing 30 days' notice to Controllers
  • Posting updated DPA at https://soy.chat/dpa
  • Continued use of Service after notice constitutes acceptance

c) SCCs Updates: If Standard Contractual Clauses are updated by the European Commission, ANPD, or other regulators:

  • The updated SCCs automatically replace prior versions
  • Processor will notify Controllers of the update

18.4 Assignment

Neither party may assign this DPA without the other party's consent, except:

  • Processor may assign to an affiliate or in connection with a merger, acquisition, or sale
  • Any assignee must assume all obligations under this DPA

18.5 Severability

If any provision is found invalid or unenforceable:

  • It will be severed from this DPA
  • Remaining provisions remain in full force
  • Parties will negotiate a replacement provision that achieves the original intent

18.6 Waiver

Failure to enforce any provision does not waive the right to enforce it later.

18.7 Entire Agreement (Data Processing)

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding Personal Data processing and supersedes all prior agreements.

18.8 Language

a) English Version: This DPA is executed in English.

b) Translations: Translations may be provided for convenience, but in case of conflict, the English version prevails (unless local law requires otherwise).

18.9 Counterparts

This DPA may be executed in counterparts, each of which is an original and all of which constitute one agreement.

18.10 Notices

All notices under this DPA must be sent to:

To Controller: Email address associated with Controller's account

To Processor:
Marcelo Vicente Guimarães Cardoso LTDA
Email: hello@soy.chat
Address: Avenida Tancredo Neves, 2539, Sala 2609 - CEO Salvador Shopping Torre Londres, Caminho das Árvores, Salvador - BA, 41820-021, Brazil


19. CONTACT AND DPO

19.1 Data Protection Contacts

For data protection inquiries:

  • Email: hello@soy.chat
  • Subject line: "Data Protection Inquiry - [Your Company Name]"

19.2 Data Protection Officer (if applicable)

If Processor appoints a Data Protection Officer (DPO):

  • Contact details will be published at https://soy.chat/dpo
  • DPO contact: [To be updated when appointed]

19.3 EU Representative (if applicable)

If Processor appoints an EU Representative under GDPR Article 27:


ANNEX A: STANDARD CONTRACTUAL CLAUSES

[The Standard Contractual Clauses approved by European Commission Decision 2021/914 (Module Two: Controller to Processor) are incorporated here by reference and can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en]

Specific information for SCCs:

MODULE TWO: Controller to Processor

Clause 7 – Docking clause: ☐ Not applicable

Clause 9(a) – Use of sub-processors: ☑ The controller has authorised the use of sub-processors listed in Section 5.1 and according to the procedures in Section 5.3.

Clause 11 – Redress: ☑ The optional language is used (data subjects may lodge complaints with independent dispute resolution body).

Clause 13 – Supervision:

  • EU Supervisory Authority: The supervisory authority in the Controller's EU Member State of establishment or habitual residence
  • Brazilian Supervisory Authority: Autoridade Nacional de Proteção de Dados (ANPD)

Clause 17 – Governing law: ☑ Option 1: The law of an EU Member State that allows for third-party beneficiary rights (to be specified by Controller based on their location)

Clause 18 – Choice of forum and jurisdiction: ☑ The courts of the Controller's EU Member State of establishment or habitual residence

Annex I to SCCs: Description of Processing

A. LIST OF PARTIES

Data exporter (Controller):

  • Name: [Controller's legal name]
  • Address: [Controller's address]
  • Contact: [Controller's email]
  • Role: Controller

Data importer (Processor):

  • Name: Marcelo Vicente Guimarães Cardoso LTDA
  • Address: Avenida Tancredo Neves, 2539, Sala 2609, Salvador - BA, 41820-021, Brazil
  • Contact: hello@soy.chat
  • Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects:

  • Visitors who interact with Controller's chat interfaces
  • Individuals whose Personal Data is contained in documents uploaded by Controller
  • End users of Controller's services

Categories of personal data:

  • Identity data (names, usernames)
  • Contact data (email addresses, phone numbers)
  • Technical data (IP addresses, browser information, device identifiers)
  • Usage data (chat messages, queries, interaction history, timestamps)
  • Content data (any Personal Data contained in uploaded documents)
  • Professional data (if included in uploaded materials)

Sensitive data (if applicable): Special Categories of Personal Data as defined in GDPR Article 9, only if explicitly authorized by Controller in writing.

Frequency of transfer: Continuous during the term of the Service Agreement.

Nature of processing:

  • Storage and hosting of documents and data
  • AI processing and generation of responses
  • Creation of vector embeddings for RAG functionality
  • Retrieval and display of information
  • Analytics and usage monitoring
  • Customer support

Purpose of processing: Provision of the SoyChat AI-powered chat interface platform as described in the Terms of Service.

Retention period:

  • Active data: Duration of Service Agreement
  • Backup data: Up to 90 days after deletion request
  • As specified in Privacy Policy or as required by law

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority in the Controller's EU Member State of establishment or habitual residence, or as designated by Controller.

Annex II to SCCs: Technical and Organizational Measures

See Section 4 of this DPA for complete technical and organizational measures.

Summary of key measures:

Technical measures:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access control and authentication (including MFA)
  • Network security (firewalls, intrusion detection)
  • Regular security monitoring and logging
  • Secure software development practices
  • Regular backups and disaster recovery

Organizational measures:

  • Information security policies
  • Employee training and confidentiality agreements
  • Background checks for personnel
  • Incident response procedures
  • Vendor management and Sub-processor oversight
  • Regular security assessments and audits

Annex III to SCCs: List of Sub-processors

See Section 5.1 of this DPA for the current list of authorized Sub-processors.


ANNEX B: UK INTERNATIONAL DATA TRANSFER ADDENDUM

[The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) is incorporated here by reference and can be found at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/]

Specific information for UK Addendum:

Table 1: Parties

  • As specified in Annex A above

Table 2: Selected SCCs, Modules and Selected Clauses

  • Addendum EU SCCs: Module Two (Controller to Processor)
  • As incorporated in Annex A

Table 3: Appendix Information

  • As specified in Annexes I, II, and III above

Table 4: Ending this Addendum when the Approved Addendum Changes

  • ☑ Importer may end this Addendum as set out in Section 19 of the Addendum

ANNEX C: BRAZILIAN DATA TRANSFER CLAUSES

For transfers subject to LGPD (Lei Geral de Proteção de Dados - Lei 13.709/2018):

C.1 Legal Basis for Transfer

Transfers of Personal Data from Brazil are conducted under the following LGPD provisions:

Article 33, I - Adequacy Decision: Where the receiving country has been deemed adequate by the Brazilian National Data Protection Authority (ANPD).

Article 33, VIII - Controller Guarantees: Controller provides specific contractual guarantees regarding data protection, privacy, and data subject rights through this DPA.

Article 33, IX - Standard Contractual Clauses: Upon approval by ANPD of standard contractual clauses for international transfers, those clauses will be incorporated into this DPA.

C.2 Processor Obligations Under LGPD

The Processor guarantees compliance with LGPD, including:

a) Data Subject Rights (LGPD Articles 17-22):

  • Confirmation of processing and access to data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of data
  • Portability to another service provider
  • Deletion of data processed with consent
  • Information about data sharing
  • Information about the possibility of denying consent
  • Revocation of consent

b) Security Measures (LGPD Article 46): Technical and administrative measures to protect Personal Data from unauthorized access, accidental or unlawful destruction, loss, alteration, communication, or any form of improper or unlawful processing.

c) Security Incidents (LGPD Article 48): Notification to Controller and ANPD in case of security incidents that may create risk or relevant damage to Data Subjects.

d) Data Protection Impact Assessment (LGPD Article 38): Cooperation with Controller in preparing reports on data protection impact when processing operations present high risk.

e) Data Protection Officer (LGPD Article 41): If required, appointment of a DPO and publication of contact information.

C.3 Controller Warranties Under LGPD

Controller warrants that:

a) Lawful Basis: All processing has a lawful basis under LGPD Article 7 (for general Personal Data) or Article 11 (for sensitive Personal Data), including:

  • Consent of the Data Subject
  • Compliance with legal or regulatory obligation
  • Execution of contract or preliminary procedures
  • Exercise of rights in judicial, administrative, or arbitration proceedings
  • Protection of life or physical safety
  • Protection of health (by health professionals or entities)
  • Legitimate interests of Controller or third party
  • Protection of credit
  • Other lawful bases as applicable

b) Consent (where applicable): Where consent is the lawful basis:

  • Consent obtained in a free, informed, and unambiguous manner
  • Consent is specific for clearly defined purposes
  • Controller maintains records of consent
  • Data Subjects can easily revoke consent

c) Sensitive Data: If processing sensitive Personal Data (LGPD Article 11):

  • Specific consent obtained or other lawful basis under Article 11
  • Additional security measures implemented
  • Purpose is clearly defined and necessary

d) Children's Data: If processing data of children and adolescents:

  • Best interests of the child considered
  • Parental consent obtained (where required)
  • Information provided in clear and accessible language

C.4 ANPD Authority

Both parties acknowledge the authority of the Autoridade Nacional de Proteção de Dados (ANPD) to:

  • Investigate potential violations
  • Request information and documentation
  • Conduct audits
  • Issue guidance and determinations
  • Apply administrative sanctions

C.5 Updates for ANPD Regulations

As ANPD issues regulations regarding international data transfers (expected under LGPD Article 33):

  • Processor will notify Controller within 30 days
  • This Annex will be updated to incorporate required provisions
  • Continued processing constitutes acceptance of updates

EXECUTION AND ACCEPTANCE

This Data Processing Agreement is executed and becomes binding as follows:

Data Importer (Processor):

Marcelo Vicente Guimarães Cardoso LTDA
CNPJ: 48.374.051/0001-00
Avenida Tancredo Neves, 2539, Sala 2609, Salvador - BA, 41820-021, Brazil

Executed by: Marcelo Vicente Guimarães Cardoso, Legal Representative
Effective Date: 11/01/2025

Data Exporter (Controller):

This DPA is automatically executed and becomes binding upon the Controller when:

  • The Controller creates a SoyChat account, AND
  • The Controller accepts the Terms of Service (which incorporates this DPA by reference)

The following information is automatically recorded at the time of acceptance:

  • Controller's legal name (as registered in account)
  • Controller's email address (as registered in account)
  • Date and time of Terms acceptance
  • IP address of acceptance (for verification purposes)

No additional signature is required. Electronic acceptance through the SoyChat platform constitutes a legally binding agreement under applicable electronic signature laws (EU eIDAS Regulation, U.S. E-SIGN Act, Brazilian MP 2.200-2/2001).


DOCUMENT CONTROL

Version: 1.0
Effective Date: 11/01/2025
Last Updated: 11/01/2025
Next Review: 11/01/2026

Document Location:
https://soy.chat/dpa

Change History:

Version | Date       | Changes         | Approved By
1.0     | 11/01/2025 | Initial version | Marcelo Vicente Guimarães Cardoso

APPENDIX: DEFINITIONS OF DATA PROTECTION TERMS

Adequacy Decision: A decision by the European Commission, ANPD, or other competent authority that a country, territory, or sector ensures an adequate level of data protection.

Anonymization: Processing of Personal Data in such a way that it can no longer be attributed to a specific Data Subject without the use of additional information.

Consent: Any freely given, specific, informed, and unambiguous indication of a Data Subject's wishes by which they signify agreement to the processing of their Personal Data.

Data Breach: See "Security Incident"

Data Minimization: The principle that Personal Data collected and processed should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Data Protection Laws: See Section 1.1

Data Retention: The continued storage of Personal Data for a specified period.

Data Subject Request (DSR): A request from a Data Subject to exercise their rights under Data Protection Laws.

Lawful Basis: A legal ground for processing Personal Data under Data Protection Laws (e.g., consent, contract, legal obligation, legitimate interests).

Personal Data Breach: See "Security Incident"

Profiling: Automated processing of Personal Data to evaluate, analyze, or predict personal aspects concerning a Data Subject.

Pseudonymization: Processing of Personal Data in such a way that it can no longer be attributed to a specific Data Subject without additional information, kept separately and subject to technical and organizational measures.

Security Incident: See Section 1.1

Sensitive Personal Data / Special Categories: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation (GDPR Article 9); or sensitive data as defined under other Data Protection Laws.

Supervisory Authority: An independent public authority established by an EU Member State or Brazil (ANPD) to monitor and enforce Data Protection Laws.

Third Country: For GDPR purposes, any country outside the European Economic Area (EEA). For LGPD purposes, any country outside Brazil.