Data Processing Agreement

Last updated: May 12, 2026

This DPA is incorporated by reference into the Bhotforge AI Terms of Service and applies to all customers who process personal data of their end users through the Bhotforge AI platform.

1. Definitions

  • Controller: You (the customer) — the entity that determines the purposes and means of processing personal data via chatbots deployed through Bhotforge AI.
  • Processor: Bhotforge AI — processes personal data on behalf of the Controller.
  • Data Subject: Any individual whose personal data is processed through your chatbots (e.g., your end users).
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
  • Sub-processor: A third party engaged by Bhotforge AI to process personal data on behalf of the Controller.

2. Scope and Purpose

This DPA governs the processing of personal data that you, as Controller, submit to the Bhotforge AI platform through your chatbots. Processing occurs solely for the purpose of providing the Bhotforge AI service as described in the Terms of Service — specifically:

  • Storing and processing chatbot conversation messages
  • Generating AI responses using your selected provider
  • Maintaining conversation history per session
  • Providing analytics on chatbot usage

3. Processor Obligations

As your data processor, Bhotforge AI commits to:

  • Process personal data only on documented instructions from you (the Controller)
  • Ensure all personnel with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (Article 32, GDPR)
  • Not engage sub-processors without your prior written consent (or general authorization via this DPA)
  • Assist you in fulfilling data subject rights requests (access, erasure, portability, rectification)
  • Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the service, at your election
  • Make available all information necessary to demonstrate compliance with GDPR Article 28

4. Controller Obligations

As the data Controller, you are responsible for:

  • Having a valid legal basis for collecting and processing your end users' personal data
  • Providing your end users with appropriate privacy notices
  • Ensuring that personal data submitted to Bhotforge AI is necessary and proportionate
  • Not submitting special category data (health, biometric, etc.) unless you have explicit safeguards in place
  • Responding to data subject requests using the tools provided by Bhotforge AI

5. Security Measures

Bhotforge AI implements the following technical and organizational measures:

  • AES-256-GCM encryption for sensitive data at rest
  • TLS 1.3 for all data in transit
  • Row-level security (RLS) ensuring strict data isolation between customers
  • Role-based access controls with principle of least privilege
  • Audit logging for all administrative data access
  • Regular security reviews and penetration testing
  • SOC 2 compliant infrastructure (via Supabase)

6. Sub-processors

Bhotforge AI uses the following sub-processors to deliver the Service. By agreeing to this DPA you grant general authorization for their use:

  • Supabase: Database, authentication, and file storage. Location: EU (eu-west-1)
  • OpenAI: AI response generation and embeddings (if selected). Location: United States
  • Anthropic: AI response generation (if selected). Location: United States
  • Google (Gemini): AI response generation and embeddings (if selected). Location: United States
  • Resend: Transactional email delivery. Location: United States
  • Stripe: Payment processing. Location: United States

We will notify you at least 14 days before adding new sub-processors. You may object to the addition of a sub-processor within that period.

7. International Data Transfers

Some sub-processors are located outside the EEA (European Economic Area). Where personal data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where applicable

8. Data Subject Rights Assistance

Bhotforge AI provides the following tools to assist you in responding to data subject requests:

  • Data export: Download all personal data associated with your account via Settings → Download My Data
  • Account deletion: Permanently delete your account and all associated data via Settings
  • Conversation management: Delete individual conversations via your dashboard

For end-user data subject requests that require our direct involvement, contact privacy@bhotforge.ai.

9. Data Breach Notification

In the event of a personal data breach, Bhotforge AI will:

  • Notify the affected Controller without undue delay and within 72 hours of becoming aware
  • Provide information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken
  • Assist the Controller in notifying the relevant supervisory authority if required

10. Termination and Data Deletion

Upon termination of your Bhotforge AI account or upon your written request:

  • All personal data in your account will be deleted within 30 days
  • Encrypted backups containing your data will be purged within 90 days
  • You may request a full data export before deletion
  • Bhotforge AI will provide written confirmation of deletion upon request

11. Governing Law

This DPA is governed by the laws applicable to the underlying Terms of Service. For EU/EEA customers, GDPR applies. For South African customers, POPIA applies. For California residents, CCPA applies.

12. Contact

For questions about this DPA or to request a countersigned copy for your records:

Email: privacy@bhotforge.ai

Subject line: DPA Request — [your company name]