Data Processing Addendum
When you run the SimpledAId widget on your store, you are the controller of the shopper data and we are the processor. UK and EU GDPR Art 28 require a written contract between controller and processor setting out the processing. This Data Processing Addendum ("DPA") is that contract.
We offer a DPA to every customer. For most customers it is incorporated by reference into the Terms of Service and accepted at sign-up. If your organisation requires a separately countersigned DPA (for example for enterprise procurement or regulatory reasons), please contact us at [email protected] and we will provide a signable version for review.
1. Definitions and roles
Customer means the business that has accepted the Terms of Service, acting as controller (or as the controller's processor, where the Customer itself processes data on behalf of another controller). Simpled Tech means Simpled Tech Limited, acting as processor (or sub-processor). Customer Personal Data means the personal data of shoppers and end-users that is processed through the SimpledAId widget as part of delivering the Service.
2. Subject-matter, duration, nature and purpose
Simpled Tech processes Customer Personal Data to provide the AI chatbot service as described in the Terms of Service. Processing continues for the duration of the contract and ceases on termination as described in §8 below.
3. Types of personal data and categories of data subjects
The personal data processed comprises identifiers and contact data (such as names and email addresses), order and transaction references, and free-text messages, relating to the Customer's shoppers and end-users. Customers must not submit special-category personal data (health, biometric data, etc.) or full payment-card numbers through the widget — this is prohibited by the Terms of Service.
4. Processor obligations (Art 28(3))
Simpled Tech will:
- process Customer Personal Data only on documented instructions from the Customer (the Terms of Service and in-product configuration constitute those instructions);
- ensure that persons authorised to process Customer Personal Data are under appropriate confidentiality obligations;
- implement the technical and organisational measures (TOMs) described in §6 (Art 32);
- engage sub-processors only under the terms described in §5 and the Sub-processor list, with advance notice of changes and a Customer right to object;
- assist the Customer with data-subject requests, data-protection impact assessments (DPIAs) and breach-notification obligations, to the extent reasonably possible given the nature of the processing;
- notify the Customer of a personal-data breach affecting Customer Personal Data without undue delay after becoming aware (see §7);
- on termination, delete or return all Customer Personal Data at the Customer's choice, and delete copies, except where law requires retention;
- make available information to demonstrate compliance and support audits — typically by providing compliance documentation; on-site audit is available on reasonable notice, no more than once per year unless required by a regulator.
5. Sub-processors
Simpled Tech engages sub-processors as listed in the Sub-processor list, which is kept up to date. We give Customers advance notice of any new sub-processor, with an opportunity to object. Each sub-processor is engaged under written data-processing terms providing equivalent protections to those in this DPA.
6. Technical and organisational measures (TOMs)
Simpled Tech implements and maintains the following measures:
- Encryption in transit and at rest (TLS for all data in transit; encryption at rest on our database infrastructure).
- Multi-tenant isolation: every record in the database carries a tenant_id; reads are filtered by it and enforced by Postgres row-level security. The anon and authenticated roles are revoked on sensitive tables; access requires a service key.
- Least-privilege access: credentials and API keys are stored in a secrets manager and are never hard-coded.
- Reputable, certified infrastructure providers (SOC 2 and/or ISO 27001 where available — see the Sub-processor list).
- Logging, monitoring and abuse detection; regular backups.
- A documented breach-response runbook with controller-notification commitment (see §7).
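As an added illustration of the multi-tenant isolation measure described above (example SQL written for this page, not Simpled Tech's own schema or policies), the following shows how a tenant_id column combined with Postgres row-level security keeps one tenant's rows invisible to another, and how the anon and authenticated roles are revoked so that only a backend service role can reach the table. The table name, the widget_service role, the app.tenant_id session setting and the sample UUID are assumptions; the anon and authenticated roles are assumed to already exist.

```sql
-- Added example, not Simpled Tech's schema. Table, role and setting names are assumptions.
CREATE TABLE conversation_messages (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,   -- every record carries the owning tenant
    shopper_id  text,
    body        text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and force it so that even the table owner is subject to the policy.
ALTER TABLE conversation_messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversation_messages FORCE ROW LEVEL SECURITY;

-- The backend sets the tenant for each transaction in a session variable
-- (for example from the claims bound to the service key). The policy compares
-- every row against it for both reads (USING) and writes (WITH CHECK).
CREATE POLICY tenant_isolation ON conversation_messages
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Public-facing roles get nothing on this table; only the service role may use it.
-- widget_service is an ordinary role (no SUPERUSER, no BYPASSRLS), so the policy applies to it.
CREATE ROLE widget_service NOLOGIN;
REVOKE ALL ON conversation_messages FROM anon, authenticated;
GRANT SELECT, INSERT ON conversation_messages TO widget_service;

-- A request handled on behalf of one tenant (constructed UUID):
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO conversation_messages (tenant_id, shopper_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'shopper-42', 'Where is my order?');
SELECT id, shopper_id, body FROM conversation_messages;  -- only this tenant's rows
COMMIT;

-- Failure mode worth knowing: if app.tenant_id is unset, current_setting(..., true)
-- returns NULL, the comparison evaluates to NULL, and RLS treats that as false,
-- so a request with no tenant context sees no rows rather than every tenant's rows.
```

The WITH CHECK clause matters as much as USING: without it a caller scoped to one tenant could still insert or update rows carrying another tenant's tenant_id, which would then be visible to that other tenant.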
7. Breach notification
If Simpled Tech becomes aware of a personal-data breach affecting Customer Personal Data, we will notify the affected Customer without undue delay, providing the information the Customer needs to meet its own obligations under GDPR Art 33 and Art 34. This includes: the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address it.
As controller of its own account and website data, Simpled Tech will separately notify the ICO within 72 hours where a breach meets the risk threshold.
8. International transfers
Transfers of Customer Personal Data outside the UK or EEA are made only with an appropriate mechanism in place: the UK International Data Transfer Addendum (IDTA), EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision 2021/914), and/or the EU-US / UK Extension Data Privacy Framework where the recipient is certified. This DPA incorporates the EU SCCs (Module Three — processor to sub-processor) and the UK IDTA/Addendum. Details of the mechanisms used by each sub-processor are in the Sub-processor list.
9. AI-specific commitment
Customer Personal Data is not used to train AI models. Our LLM sub-processors (OpenAI and/or Anthropic) are engaged under business/API terms that prohibit using inputs or outputs to train or fine-tune foundation models, and apply limited or zero-data-retention arrangements. This commitment mirrors Privacy Policy §6.
10. Liability and precedence
DPA liability is subject to the aggregate liability cap in the Terms of Service. Where the EU SCCs or UK IDTA conflict with this DPA on matters relating to international transfers, the SCCs or IDTA prevail.
How to request a countersigned DPA
If your organisation requires a separately executed DPA, contact [email protected]. Please include your company name and the name and role of the signatory. We will provide a signable document for your legal review.
Related: Privacy Policy · Terms of Service · Sub-processor list.