Data Processing Agreement
Last updated: 2026-05-22
This DPA documents how Astroworld processes personal data on behalf of business customers. The business is the data controller and Astroworld is the data processor.
DATA PROCESSING AGREEMENT (DPA)
Astroworld Chat
This Data Processing Agreement ("DPA") forms part of the agreement between the
business customer ("Customer", the data controller) and Astroworld ("Processor",
the data processor) for the use of Astroworld Chat.
1. ROLES
The Customer is the data controller for personal data processed through
Astroworld Chat (including data of the Customer's own website visitors). Astroworld
acts solely as data processor and processes personal data only on the Customer's
documented instructions.
2. SUBJECT MATTER AND DURATION
The Processor provides an AI chat widget and dashboard. Processing lasts for the
duration of the subscription and until data is deleted under section 8.
3. NATURE AND PURPOSE OF PROCESSING
Hosting, storing, and processing chatbot configuration, knowledge base content,
and visitor conversations in order to answer visitor questions on the Customer's
behalf.
4. CATEGORIES OF DATA SUBJECTS AND DATA
Data subjects: the Customer's staff (account users) and the Customer's website
visitors. Personal data: account name and email, and the content of visitor
conversations (which may contain personal data the visitor chooses to type).
5. PROCESSOR OBLIGATIONS
The Processor will: (a) process personal data only on documented instructions;
(b) ensure persons authorised to process data are bound by confidentiality;
(c) implement appropriate technical and organisational security measures;
(d) assist the Customer with data subject requests and security obligations;
(e) make available information needed to demonstrate compliance.
6. SUB-PROCESSORS
The Customer authorises the Processor to engage the sub-processors listed in the
Privacy Policy. The current list is:
- Anthropic (United States): AI model that generates chatbot answers
- Hetzner Online GmbH (Germany (EU)): Primary application and database hosting
- Strato AG (Germany (EU)): Secondary hosting and backups
- Stripe (United States / EU): Subscription billing and payment processing
- Resend (United States / EU): Transactional email delivery
The Processor will inform the Customer of intended changes and give the Customer
the opportunity to object.
7. SECURITY MEASURES
All data is hosted in the European Union (Germany). Traffic is encrypted in
transit with TLS (HTTPS). Access to production systems is restricted and
key-based. Payment card data is handled entirely by Stripe; Astroworld never
stores card numbers.
8. DELETION AND RETURN
On request, or on account deletion, the Processor deletes all personal data
associated with the Customer's account. The Customer can export their data at
any time from the dashboard. Conversation data is retained for the configured
retention period and then deleted.
9. DATA SUBJECT REQUESTS
The Processor will, taking into account the nature of processing, assist the
Customer in responding to requests to exercise data subject rights (access,
rectification, erasure, portability, restriction, objection).
10. PERSONAL DATA BREACH
The Processor will notify the Customer without undue delay after becoming aware
of a personal data breach affecting the Customer's data.
11. INTERNATIONAL TRANSFERS
Primary hosting is in the EU. Where a sub-processor processes data outside the
EU, appropriate safeguards (such as Standard Contractual Clauses) apply.
12. AUDIT
The Processor will make available information reasonably necessary to
demonstrate compliance with this DPA.
13. GOVERNING LAW
This DPA is governed by the laws applicable to the main service agreement and
the GDPR.
To countersign this DPA, contact [email protected].