Data Processing Agreement
1. Definitions
In this Agreement:
- "Controller" means the client who determines the purposes and means of processing personal data.
- "Processor" means Latynex Trade OÜ, processing personal data on behalf of the Controller.
- "Personal Data" has the meaning given in GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Services" means the AI, website, and automation services provided under the applicable service agreement.
2. Subject Matter and Duration
This DPA governs the processing of personal data by Latynex (as Processor) on behalf of the client (as Controller) in connection with the provision of Services. The duration of processing corresponds to the term of the applicable service agreement, unless otherwise agreed.
3. Nature and Purpose of Processing
The nature and purpose of processing is to provide AI-powered website and automation services, including:
- Deploying and operating AI assistants that interact with end-users visiting the Controller's website
- Processing visitor messages and contact data to qualify leads and route enquiries
- Integrating with the Controller's CRM, communication platforms, and business tools
- Storing and processing conversation data for AI training and system improvement as agreed
4. Types of Personal Data Processed
Depending on the services provided, processing may involve the following categories of personal data:
- Name, email address, phone number, and company name of website visitors and enquirers
- Message content submitted via AI chat or web forms
- Business information provided during qualification conversations
- Technical identifiers (IP addresses, session identifiers) where applicable
We do not process special categories of personal data (as defined in GDPR Article 9) unless explicitly agreed in writing.
5. Obligations of the Processor (Latynex)
As Processor, Latynex agrees to:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that authorised personnel are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures (GDPR Article 32)
- Assist the Controller in meeting its obligations regarding data subject rights requests
- Assist with data protection impact assessments (DPIAs) where required
- Delete or return all personal data upon termination of services, as instructed by the Controller
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting Controller data
6. Sub-processors
Latynex uses the following categories of sub-processors in the delivery of its Services:
- AI model providers (e.g. Anthropic, Inc.) — for processing natural language inputs in AI assistant features
- Cloud hosting providers — for server infrastructure and data storage
- CDN and security providers (e.g. Cloudflare) — for content delivery and DDoS protection
- Communication platforms — where integrations with Telegram, WhatsApp, or email are part of the agreed service
Latynex will notify the Controller of any intended changes to sub-processors and provide an opportunity to object. All sub-processors are bound by data processing agreements that impose obligations equivalent to those in this DPA.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, Latynex ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or other valid transfer mechanisms under GDPR Chapter V.
8. Security Measures
Latynex implements the following technical and organisational measures:
- Encryption of data in transit (TLS/SSL) and at rest where applicable
- Access controls and role-based permissions limiting data access to authorised personnel
- Regular security testing and vulnerability assessments
- Incident response procedures and breach notification protocols
- Staff awareness and training on data protection
9. Data Subject Rights
Latynex will assist the Controller in responding to requests from data subjects exercising their rights under GDPR (Articles 15–22). Where Latynex receives a data subject request directly, it will forward it to the Controller without responding independently, unless required by law.
10. Data Breach Notification
In the event of a personal data breach affecting Controller data, Latynex will notify the Controller without undue delay (and where feasible, within 72 hours of becoming aware), providing information to enable the Controller to fulfil its obligations under GDPR Article 33.
11. Termination and Return of Data
Upon expiry or termination of the service agreement, Latynex will, at the Controller's choice, return or securely delete all personal data processed on the Controller's behalf, unless applicable law requires retention.
12. Governing Law
This DPA is governed by the laws of Estonia. Disputes arising from this DPA shall be subject to the jurisdiction of Estonian courts.
13. Contact and Signed DPA Requests
For a project-specific, countersigned DPA or questions regarding data processing:
Latynex Trade OÜ
Estonia, European Union
Email: info@latynextrade.com
Telegram: @latynextrade