Data Processing Agreement
Effective Date: 09.02.2026
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Advanced AI s.r.o., with its principal place of business at Příčná 1892/4, 110 00 Prague, Czech Republic ("Processor", "we", "us") and the customer using the Asyntai service ("Controller", "you").
This DPA applies where and only to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Asyntai AI chat agent service ("Service").
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates, typically the end users who interact with the Controller's AI chat widget.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles and Scope of Processing
When you embed the Asyntai chat widget on your website, your end users may submit Personal Data through chat conversations. In this context:
a) You (the Controller) determine the purposes and means of processing the Personal Data of your end users.
b) Asyntai (the Processor) processes Personal Data solely on your behalf and in accordance with your documented instructions, as described in this DPA and the Agreement.
Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of AI-powered chat agent service |
| Duration | For the term of the Agreement plus the period until deletion of all Personal Data |
| Nature and purpose | Processing chat conversations to generate AI responses, store conversation history, and provide analytics |
| Types of Personal Data | Chat messages, names, email addresses, IP addresses, browser information, and any other personal data end users voluntarily provide during chat conversations |
| Categories of Data Subjects | End users who interact with the Controller's chat widget on their website |
3. Controller Obligations
As the Controller, you are responsible for:
a) Ensuring that you have a lawful basis for collecting and processing Personal Data through the chat widget (e.g., legitimate interest, consent);
b) Providing appropriate privacy notices to your end users informing them that their chat data will be processed, including disclosure of AI-powered responses;
c) Responding to Data Subject requests (access, rectification, erasure, portability) with our reasonable assistance as described in Section 7;
d) Ensuring that any instructions you give us regarding the processing of Personal Data comply with applicable data protection laws.
4. Processor Obligations
As the Processor, we shall:
a) Process Personal Data solely for the purpose of providing the Service as described in the Agreement;
b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6;
d) Ensure that any sub-processors engaged to assist in providing the Service are bound by data protection obligations no less protective than those set out in this DPA;
e) Assist you in responding to requests from Data Subjects exercising their rights under the GDPR;
f) Provide reasonable assistance regarding breach notification obligations where applicable;
g) At your choice, delete or return all Personal Data to you after the end of the provision of the Service, and delete existing copies unless EU or Member State law requires storage;
h) Make available to you information reasonably necessary to demonstrate compliance with our obligations under this DPA upon written request.
5. Sub-processors
By agreeing to this DPA, you provide general authorization for us to engage sub-processors to assist in providing the Service. All sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
A current list of sub-processors is available to customers upon request by contacting hello@asyntai.com.
6. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including but not limited to:
a) Encryption of data in transit using TLS/SSL;
b) Access controls and authentication mechanisms to limit access to Personal Data to authorized personnel only;
c) Security updates and patching of systems as appropriate;
d) Secure backup procedures;
e) Measures to monitor and protect systems containing Personal Data.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests under the GDPR, including requests for:
a) Access to their Personal Data;
b) Rectification of inaccurate Personal Data;
c) Erasure of their Personal Data ("right to be forgotten");
d) Restriction of processing;
e) Data portability;
f) Objection to processing.
We will promptly notify you if we receive a request from a Data Subject directly and will not respond to such requests without your prior authorization, unless legally required to do so.
8. Data Breach Notification
In the event of a Data Breach involving Personal Data processed on your behalf, we will:
a) Notify you without undue delay after becoming aware of the breach;
b) Provide you with sufficient information to enable you to meet your obligations to report the breach to the relevant supervisory authority and to notify affected Data Subjects, including:
i. The nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
ii. The likely consequences of the breach;
iii. The measures taken or proposed to address the breach and mitigate its effects;
c) Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:
a) Transfers to countries recognized by the European Commission as providing an adequate level of data protection (adequacy decisions);
b) Standard Contractual Clauses (SCCs) approved by the European Commission;
c) Other lawful transfer mechanisms as applicable.
Where we use sub-processors located outside the EEA, we ensure they provide adequate data protection safeguards in accordance with their own terms and data processing commitments.
10. Data Retention and Deletion
a) We will retain Personal Data processed on your behalf for as long as you maintain an active account with us.
b) Upon deletion of your account, we will delete all Personal Data within 30 days, unless retention is required by applicable law. You may request account deletion by contacting us at hello@asyntai.com.
c) You may request export of your data (including chat conversation history) at any time by contacting us at hello@asyntai.com.
11. Compliance Verification
Upon your written request (no more than once per year), we will provide you with information reasonably necessary to demonstrate our compliance with this DPA.
12. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement (Terms and Conditions).
13. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. It shall automatically terminate upon termination or expiration of the Agreement, subject to the data deletion obligations set out in Section 10.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Czech Republic, without regard to its conflict of laws principles. For the avoidance of doubt, where the GDPR applies, this DPA shall be interpreted in a manner consistent with the GDPR.
If you have any questions about this Data Processing Agreement, please contact us at hello@asyntai.com.