Data Processing Addendum

Effective date: July 10, 2026.

This Data Processing Addendum ("DPA") forms part of the agreement between Stand Chat, Inc., a Delaware corporation with primary operations in California, United States ("Stand"), and the business or other entity on whose behalf a Stand Chat organization account is created ("Customer") for the Stand Chat service (the "Service"). This DPA applies only to the extent Stand processes Customer Personal Data on Customer's behalf as a Processor or Service Provider under Applicable Data Protection Law.

This DPA is effective when Customer accepts the Terms of Service. If this DPA conflicts with the rest of the agreement, this DPA controls only with respect to Customer Personal Data.

The general processing terms in this DPA apply without a separate signature. A completed, signed copy that includes the party and supervisory-authority details required for the international-transfer terms in section 10 is available with a Business subscription.

1. Definitions

  • Applicable Data Protection Law means any privacy or data-protection law that applies to Stand's processing of Customer Personal Data under this DPA.
  • Customer Personal Data means personal information or personal data contained in Customer Content that Stand processes on Customer's behalf to provide the Service, as described in Annex 1.
  • Customer Content has the meaning given in the Terms and includes data submitted to the Service by Customer, its users, or its visitors.
  • Subprocessor means a third party Stand engages to process Customer Personal Data on Customer's behalf.
  • Usage Data has the meaning given in the Terms.

Terms such as Controller, Processor, Service Provider, Personal Data, Personal Information, Process, and Data Subject have the meanings given by Applicable Data Protection Law.

2. Roles, scope, and instructions

Customer is the Controller or business responsible for Customer Personal Data, and Stand is Customer's Processor or Service Provider.

Customer instructs Stand to process Customer Personal Data only as necessary to provide, secure, support, and maintain the Service; follow Customer's documented use and configuration of the Service; and comply with applicable law. The agreement, this DPA, and Customer's use and configuration of the Service are Customer's documented instructions.

This DPA does not apply to Stand's processing of account, billing, or Usage Data in its own capacity as described in the Privacy Policy, except to the extent that information is included in Customer Content.

Stand will inform Customer if Stand reasonably believes an instruction violates Applicable Data Protection Law and may suspend the affected processing while the parties address the issue. Customer is responsible for the lawfulness of Customer Personal Data and its instructions, including required notices, rights, and consents.

Customer will not submit sensitive or regulated data, including passwords, payment-card details, national identification numbers, healthcare information, or regulated customer records, unless Stand agrees to that processing in writing.

3. Stand's obligations

Stand will:

  1. process Customer Personal Data only on Customer's documented instructions or as required by law; if law requires other processing, Stand will notify Customer first unless legally prohibited;
  2. ensure that people authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;
  3. maintain reasonable technical and organizational security measures appropriate to the nature and risk of the processing, as summarized in Annex 2;
  4. provide assistance required by Applicable Data Protection Law, taking into account the nature of the processing and information available to Stand; and
  5. provide the compliance information and audit cooperation in section 7.

Customer must first use available Service functionality and standard documentation. Stand may charge reasonable fees for additional manual assistance requested under this DPA, except where the assistance is required to correct Stand's breach of this DPA or charging is prohibited by Applicable Data Protection Law. Stand does not provide legal advice or undertake to monitor or interpret laws applicable to Customer.

4. Limits on use

Stand processes Customer Content only for the purposes described in section 2 and will not use Customer Content for general product improvement.

Stand will not:

  1. sell or share Customer Personal Data for cross-context behavioral advertising or another purpose unrelated to providing the Service;
  2. retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for a purpose other than the purposes stated in this DPA;
  3. combine Customer Personal Data with personal data received from another customer or collected from Stand's own interaction with an individual, except where permitted by Applicable Data Protection Law and necessary to provide the Service; or
  4. use Customer Content, or permit a Subprocessor to use Customer Content, to train, fine-tune, or improve any machine-learning or artificial-intelligence model. Processing Customer Content at inference time to generate requested responses, embeddings, or other Service outputs is not model training.

Stand may use Usage Data as described in the Terms and Privacy Policy. Stand does not intentionally include Customer Content in Usage Data. If Stand becomes aware that Usage Data contains Customer Content, Stand will treat that portion as Customer Content.

5. Subprocessors

Customer gives Stand general authorization to use the Subprocessors listed at stand.chat/subprocessors.

Stand will notify all organization owners at the email addresses associated with Customer's organization account at least 14 days before adding or replacing a Subprocessor. Customer is responsible for keeping those addresses current. Customer must submit any objection on reasonable data-protection grounds within the notice period.

The parties will work in good faith to resolve a timely objection. If they cannot, Customer may stop using the affected feature or terminate the affected Service. To the extent permitted by Applicable Data Protection Law, those are Customer's exclusive remedies for the objection.

Stand will contractually require each Subprocessor to protect Customer Personal Data to a standard materially consistent with this DPA. Subject to the limitations in the agreement, Stand remains responsible to Customer for a Subprocessor's performance of those obligations.

6. Individual requests

Customer is responsible for responding to requests from individuals concerning Customer Personal Data. If Stand receives such a request directly, Stand will direct the individual to the website operator or other Customer that collected the information. Stand will not search or review Customer Content to identify or verify the individual and will not disclose Customer Content to the individual, except on Customer's documented instructions or as required by law.

Stand will provide Customer reasonable assistance with such requests through available Service functionality or other reasonable means as required by Applicable Data Protection Law.

7. Compliance information and audits

Stand's standard compliance information consists of this DPA, the Terms, the Privacy Policy, the Subprocessor List, and other security or product documentation and written responses Stand makes available. Customer must review those materials before requesting additional assistance.

Where required by Applicable Data Protection Law and that information is insufficient, Stand will allow and contribute to a reasonable audit. Audits must use the least intrusive means, be subject to reasonable advance notice and confidentiality requirements, avoid unreasonable disruption, and occur no more than once annually unless a regulator, applicable law, or a confirmed Personal Data breach requires otherwise. Customer is responsible for audit costs, and Stand may charge reasonable fees as described in section 3.

8. Return, retention, and deletion

Customer may select the chat-content retention options available under its plan. Stand applies the selected period through automated deletion or de-identification of Customer Personal Data in expired chat content. Customer is responsible for selecting a period appropriate for its use. While Customer's account is active, Customer may use the History screen to export chat transcripts that remain within the configured retention period. Technical limits may require Customer to export a large set in smaller date ranges.

Cancelling a paid subscription does not itself delete Customer's account or Customer Content. Before deleting its organization account, Customer is responsible for exporting any transcripts it wants to retain. When Customer deletes its organization account, or otherwise requests deletion as part of ending the Service, Stand will promptly delete Customer Personal Data from active systems.

Residual copies may remain until removed through Stand's ordinary backup-retention cycle. Stand may retain limited information where required by law or reasonably necessary to establish, exercise, or defend legal claims. Any retained information will remain protected, will not be used for another purpose, and will be deleted when the applicable reason for retention ends.

9. Personal Data breaches

Stand will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data. Stand will provide information reasonably available to it that Customer needs to meet its notification obligations, including the nature and likely consequences of the breach and measures taken or proposed to address it. Stand may provide information in phases as it becomes available. A notification is not an admission of fault or liability.

10. International processing and transfers

Stand stores and processes Customer Personal Data in the United States. Subprocessors may process Customer Personal Data in the locations identified on the Subprocessor List.

The following transfer terms apply only when Customer and Stand execute a completed copy of this DPA or another written instrument that identifies the parties, their required contact and registration details, the competent supervisory authority, and the applicable transfer terms. Stand provides a completed, signed copy with a Business subscription when the transfer is governed by the relevant law and is not covered by an adequacy decision or another legally recognized transfer mechanism:

  1. EEA transfers. The standard contractual clauses in the Annex to European Commission Implementing Decision (EU) 2021/914 ("EU SCCs") are incorporated into the completed DPA by reference. Module Two applies. Customer is the controller and data exporter, and Stand is the processor and data importer. Clause 7 does not apply; in Clause 9, Option 2 applies with at least 14 days' advance notice; the optional language in Clause 11 does not apply; and Ireland is the governing Member State and forum under Clauses 17 and 18. The completed party and signature page completes Annex I.A; Annex 1 completes Annex I.B; the competent supervisory authority identified in the completed party and signature page completes Annex I.C; Annex 2 completes Annex II; and Annex 3 identifies the authorized Subprocessors for Clause 9.
  2. UK transfers. The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, version B1.0 in force on 21 March 2022 and revised as permitted by its Section 18 ("UK Addendum"), is incorporated into the completed DPA by reference. Its Part 1 tables are completed using the completed party and signature page, the selections above, and Annexes 1–3. Either party may end the UK Addendum as permitted by its Section 19.
  3. Swiss transfers. The EU SCCs apply to transfers governed by the Swiss Federal Act on Data Protection with these adaptations: references to the GDPR include that Act; references to the EU, Union, and Member States include Switzerland where required; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and Clauses 17 and 18 are governed by Swiss law and the competent courts of Switzerland. The term "Member State" will not prevent a data subject in Switzerland from enforcing rights in Switzerland.

If these transfer terms conflict with another provision of this DPA or the agreement, the EU SCCs control for EEA transfers and the UK Addendum controls for UK transfers. The signatures on the completed party and signature page constitute the signatures required for the incorporated transfer terms; separate signatures within the incorporated EU SCCs or UK Addendum are not required.

11. General

This DPA remains in effect while Stand processes Customer Personal Data. The governing law and venue are those in the agreement, except where Applicable Data Protection Law requires otherwise. If a provision is unenforceable, the remainder stays in effect.

To the maximum extent permitted by law, the exclusions and limitations of liability in the Terms apply to this DPA. Nothing limits liability for data subject rights under the EU SCCs or where limitation is prohibited by applicable law. Except for rights granted by the EU SCCs or required by applicable law, this DPA does not create third-party beneficiary rights.

Stand may update this online DPA prospectively. Stand will update the effective date and provide additional notice of material changes when appropriate. Continued use of the Service after an update becomes effective constitutes acceptance of the updated DPA. A separately signed version controls over a later online version unless the parties agree otherwise in writing.

Annex 1 — Description of processing

Subject matter and purpose. Providing, securing, supporting, and maintaining the Service, including messaging between Customer's website visitors and Customer's users or AI agents; knowledge and agent configuration; history; and customer-facing analytics.

Nature of processing. Hosting, transmission, storage, retrieval, organization, display, generation of requested Service outputs, and deletion.

Duration. While Customer's account remains active, plus the deletion and limited-retention periods described in section 8.

People whose data may be processed. Customer's website visitors who interact with the Service, Customer's users whose information is included in Customer Content, and individuals identified in Customer Content.

Categories of Personal Data. Chat content and transcripts; visitor contact and intake fields; uploaded files and knowledge materials; prompts, instructions, and configuration; and related session metadata such as timestamps, page URL, session identifiers, and user-agent information.

Sensitive data. None expected or permitted unless Stand agrees in writing. The Service is intended for ordinary business inquiries and is not designed for sensitive personal data or regulated customer records.

Frequency. As initiated by Customer, its users, or its visitors while the Service is in use.

Retention. Chat content according to Customer's configured retention period and plan limits; other Customer Personal Data until deleted by Customer or with the organization account, subject to section 8.

Annex 2 — Technical and organizational security measures

Stand maintains reasonable measures appropriate to the Service and the risks of processing, including:

  1. hosting the production Service in Google Cloud's United States infrastructure and storing Customer Personal Data using Google Cloud managed database and storage services;
  2. encryption in transit and Google-managed encryption at rest for production database and object-storage data;
  3. authenticated access to the Service, organization-scoped application authorization, dedicated service identities, and production access limited to authorized personnel with an operational need;
  4. separate production and non-production Google Cloud projects; network access controls, including default-deny workload ingress and private database connectivity; and runtime secrets managed through Google Cloud Secret Manager;
  5. automated daily database backups, point-in-time recovery, logging, uptime and service monitoring, and operational alerting;
  6. automated dependency-vulnerability scanning, automated tests before deployment, and incident-response processes appropriate to Stand's operations;
  7. automated chat-content retention controls, self-service transcript export, and deletion of raw uploaded files after successful knowledge-base ingestion while the extracted Customer Content used by the Service remains subject to Customer's deletion controls; and
  8. confidentiality obligations and written data-protection terms with relevant personnel and Subprocessors.

Stand may update these measures as its systems evolve, provided it does not materially reduce the overall protection of Customer Personal Data.

Annex 3 — Approved Subprocessors

The current Subprocessor List, including each provider's purpose and processing location, is published at stand.chat/subprocessors and incorporated into this DPA. Changes are handled under section 5.

Questions about this DPA? Email privacy@stand.chat.