DATA PROCESSING AGREEMENT (DPA)
Astroworld Chat
Last updated: 2026-05-22

This Data Processing Agreement ("DPA") forms part of the agreement between the business customer ("Customer", the data controller) and Astroworld ("Processor", the data processor) for the use of Astroworld Chat.

1. ROLES
The Customer is the data controller for personal data processed through Astroworld Chat (including data of the Customer's own website visitors). Astroworld acts solely as data processor and processes personal data only on the Customer's documented instructions.

2. SUBJECT MATTER AND DURATION
The Processor provides an AI chat widget and dashboard. Processing lasts for the duration of the subscription and until data is deleted under section 8.

3. NATURE AND PURPOSE OF PROCESSING
Hosting, storing, and processing chatbot configuration, knowledge base content, and visitor conversations in order to answer visitor questions on the Customer's behalf.

4. CATEGORIES OF DATA SUBJECTS AND DATA
Data subjects: the Customer's staff (account users) and the Customer's website visitors.
Personal data: account name and email, and the content of visitor conversations (which may contain personal data the visitor chooses to type).

5. PROCESSOR OBLIGATIONS
The Processor will:
(a) process personal data only on documented instructions;
(b) ensure persons authorised to process data are bound by confidentiality;
(c) implement appropriate technical and organisational security measures;
(d) assist the Customer with data subject requests and security obligations;
(e) make available information needed to demonstrate compliance.

6. SUB-PROCESSORS
The Customer authorises the Processor to engage the sub-processors listed in the Privacy Policy.
The current list is:
- Anthropic (United States): AI model that generates chatbot answers
- Hetzner Online GmbH (Germany (EU)): Primary application and database hosting
- Strato AG (Germany (EU)): Secondary hosting and backups
- Stripe (United States / EU): Subscription billing and payment processing
- Resend (United States / EU): Transactional email delivery
The Processor will inform the Customer of intended changes and give the Customer the opportunity to object.

7. SECURITY MEASURES
All data is hosted in the European Union (Germany). Traffic is encrypted in transit with TLS (HTTPS). Access to production systems is restricted and key-based. Payment card data is handled entirely by Stripe; Astroworld never stores card numbers.

8. DELETION AND RETURN
On request, or on account deletion, the Processor deletes all personal data associated with the Customer's account. The Customer can export their data at any time from the dashboard. Conversation data is retained for the configured retention period and then deleted.

9. DATA SUBJECT REQUESTS
The Processor will, taking into account the nature of processing, assist the Customer in responding to requests to exercise data subject rights (access, rectification, erasure, portability, restriction, objection).

10. PERSONAL DATA BREACH
The Processor will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data.

11. INTERNATIONAL TRANSFERS
Primary hosting is in the EU. Where a sub-processor processes data outside the EU, appropriate safeguards (such as Standard Contractual Clauses) apply.

12. AUDIT
The Processor will make available information reasonably necessary to demonstrate compliance with this DPA.

13. GOVERNING LAW
This DPA is governed by the laws applicable to the main service agreement and the GDPR.

To countersign this DPA, contact privacy@astroworldmc.com.