Data Processing Agreement

1. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Avatarmy on behalf of the Customer
• "Processing" has the meaning given in the GDPR
• "Data Subject" means the individual to whom Personal Data relates
• "Sub-processor" means any third party appointed by Avatarmy to process Personal Data
• "Data Protection Laws" means GDPR and any applicable national data protection laws

2. Scope and Role of Parties

Data Controller Responsibilities

As the Data Controller, you:

• Determine the purposes and means of processing Personal Data
• Ensure you have a lawful basis for processing under GDPR
• Provide clear instructions to Avatarmy regarding data processing
• Are responsible for responding to Data Subject requests
• Ensure Personal Data transferred to Avatarmy is accurate and lawfully collected

Data Processor Responsibilities

As the Data Processor, Avatarmy:

• Processes Personal Data only on documented instructions from you
• Ensures authorized personnel are bound by confidentiality
• Implements appropriate technical and organizational security measures
• Assists with Data Subject rights requests and compliance obligations
• Deletes or returns Personal Data upon termination of services

3. Nature and Purpose of Processing

Types of Personal Data

Avatarmy may process the following categories of Personal Data:

• Contact information (names, email addresses, phone numbers)
• Professional information (business names, job titles, real estate licenses)
• Conversation data (WhatsApp messages, queries, preferences)
• Property information (addresses, descriptions, prices)
• Client data (lead information, appointment details)
• Usage data (interaction patterns, feature usage)

Categories of Data Subjects

• Real estate brokers (Avatarmy users)
• Real estate clients and leads
• Property owners and tenants

Purpose of Processing

Personal Data is processed to:

• Provide AI-powered conversational avatar services via WhatsApp
• Facilitate lead generation, client communication, and sales support
• Improve AI models and service quality
• Provide customer support and account management

4. Processing Instructions

Avatarmy shall process Personal Data only:

• In accordance with your documented instructions
• As necessary to provide the AI avatar services
• As required by applicable law (with notice to you where legally permitted)

If Avatarmy believes an instruction violates Data Protection Laws, we will inform you immediately and may suspend processing until the instruction is confirmed or modified.

5. Security Measures

Avatarmy implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures

• Encryption of Personal Data in transit and at rest
• End-to-end encryption for WhatsApp communications
• Regular security testing and vulnerability assessments
• Secure authentication and access controls
• Data backup and disaster recovery procedures

Organizational Measures

• Confidentiality agreements with all personnel
• Data protection training for employees
• Access limited to personnel who need it for service delivery
• Regular review and update of security policies
• Incident response and breach notification procedures

6. Sub-processors

Avatarmy may engage the following categories of sub-processors:

• WhatsApp Business API (Meta): Message delivery and communication
• Cloud Hosting Providers: Data storage and infrastructure
• Payment Processors: Billing and subscription management
• AI Model Providers: Natural language processing and AI services

By accepting this DPA, you provide general authorization for Avatarmy to engage sub-processors. Avatarmy will:

• Maintain a current list of sub-processors on our website
• Notify you at least 30 days before adding or replacing sub-processors
• Ensure sub-processors are bound by data protection obligations equivalent to this DPA
• Remain fully liable for any sub-processor's acts or omissions

7. Data Subject Rights

Avatarmy will assist you in responding to Data Subject requests to exercise their rights under GDPR:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

If a Data Subject contacts Avatarmy directly, we will forward the request to you without undue delay. Avatarmy may charge reasonable fees for assistance beyond our standard obligations.

8. Data Breach Notification

In the event of a Personal Data breach, Avatarmy will:

• Notify you without undue delay and, where feasible, within 72 hours of becoming aware
• Provide sufficient information to allow you to meet GDPR notification obligations
• Include details of the nature of the breach, affected categories of data, and likely consequences
• Describe measures taken or proposed to address the breach and mitigate harm
• Cooperate with you in any investigation and provide reasonable assistance

9. Data Protection Impact Assessment

Avatarmy will provide reasonable assistance to you in conducting Data Protection Impact Assessments (DPIAs) where required by GDPR, including providing information about our processing activities, security measures, and technical documentation.

10. International Data Transfers

Avatarmy is based in Estonia (EU). If Personal Data is transferred outside the EU/EEA, we will ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for transfers to approved countries
• Binding Corporate Rules where applicable
• Other legally recognized transfer mechanisms under GDPR

11. Audit Rights

You have the right to audit Avatarmy's compliance with this DPA, subject to:

• Providing at least 30 days' written notice
• Conducting audits no more than once per year (unless required by law)
• Executing a confidentiality agreement
• Limiting disruption to Avatarmy's business operations

Avatarmy may provide third-party audit reports (e.g., SOC 2, ISO 27001) in lieu of on-site audits where appropriate.

12. Data Retention and Deletion

Upon termination of services, Avatarmy will:

• Return or delete all Personal Data within 30 days, as you instruct
• Certify in writing that all data has been deleted or returned
• Delete existing copies unless EU or Member State law requires storage

Avatarmy may retain Personal Data in anonymized form for legitimate business purposes (e.g., AI model improvement) provided it cannot be re-identified.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set out in the Terms and Conditions. However, nothing in this DPA shall limit either party's liability for:

• Breaches of Data Protection Laws
• Gross negligence or willful misconduct
• Data breaches caused by failure to implement appropriate security measures

14. Term and Termination

This DPA remains in effect for the duration of the Terms and Conditions and any processing of Personal Data thereafter. Provisions regarding data deletion, confidentiality, and liability survive termination.