logo

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Use or other written agreement between EchoWiseAI ("Processor") and the customer ("Controller") that governs Controller’s use of the EchoWiseAI services (the "Services"). This DPA reflects the parties’ agreement regarding the processing of personal data on Controller’s behalf in connection with the Services.

  1. Definitions

    Terms such as "personal data", "processing", "processor", "controller", and "data subject" have the meanings given in applicable data protection laws (including the GDPR and UK GDPR, as applicable).

  2. Scope and roles

    Controller is the controller of personal data and appoints EchoWiseAI as a processor to process such personal data solely to provide and support the Services in accordance with the Controller’s documented instructions and this DPA.

  3. Controller instructions

    EchoWiseAI will process personal data only on Controller’s documented instructions, including as specified in the agreement, this DPA, and Controller’s configuration of the Services’ features and integrations. If EchoWiseAI is required by law to process personal data beyond these instructions, EchoWiseAI will inform Controller (unless legally prohibited).

  4. Confidentiality

    EchoWiseAI will ensure that personnel authorized to process personal data are subject to confidentiality obligations and receive appropriate training on data protection and security.

  5. Security measures

    EchoWiseAI implements appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and risk‑based safeguards designed to ensure a level of security appropriate to the risk.

  6. Sub‑processors

    Controller authorizes EchoWiseAI to engage sub‑processors to support the delivery of the Services. EchoWiseAI will impose data protection obligations on sub‑processors that are no less protective than those set out in this DPA, and will remain responsible for sub‑processors’ obligations. For a current list of sub‑processor categories, see the Privacy Policy and this DPA page; we avoid naming specific vendors in public materials.

  7. International transfers

    If EchoWiseAI transfers personal data internationally, it will ensure an adequate level of protection through appropriate transfer mechanisms as required by applicable law (e.g., SCCs where applicable).

  8. Data subject requests

    Taking into account the nature of the processing, EchoWiseAI will provide reasonable assistance to Controller, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller’s obligations to respond to requests from data subjects to exercise their rights under applicable data protection laws.

  9. Cooperation and audits

    EchoWiseAI will make available to Controller information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Controller or an auditor mandated by Controller (subject to reasonable notice, scope, and confidentiality).

  10. Personal data breach notification

    EchoWiseAI will notify Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on Controller’s behalf. Such notification may include information available at the time and may be supplemented as further details become available.

  11. Return or deletion of data

    Upon termination or expiration of the Services, EchoWiseAI will, at Controller’s choice and subject to applicable law, delete or return personal data processed on Controller’s behalf, unless storage is required by law or for legitimate business purposes such as fraud prevention or dispute resolution.

  12. Use of the Services and responsibility

    Controller is responsible for its configuration and use of the Services, including determining the categories of personal data processed, enabling security features, and managing end‑user access. Controller will not use the Services to process personal data where prohibited by law or where a lawful basis is not established.

  13. Nature and purpose of processing

    The processing includes hosting, storage, retrieval, transmission, inference to generate responses, and other processing necessary to provide and improve the Services as configured by Controller.

  14. Categories of data and data subjects

    Depending on Controller’s use of the Services, categories of personal data may include account identifiers, contact details, conversation content, and usage/technical data. Data subjects may include Controller’s administrators, end users, customers, and other individuals whose personal data is provided by Controller.

  15. Term

    This DPA remains in effect for as long as EchoWiseAI processes personal data on behalf of Controller under the agreement.

  16. Contact

    Questions about this DPA? Please reach out via our Contact page.

    Last updated: 8/28/2025