Section 1
Overview
When you use the WeblyChat service, you (the client) are the data controller for the personal data of your own website visitors and end users. WeblyChat acts as your data processor — we process that data only on your instructions and in accordance with this DPA.
This DPA is incorporated by reference into the WeblyChat Terms & Conditions. By accepting the Terms & Conditions, you also accept this DPA. No separate signature is required.
For information about how WeblyChat processes data for its own purposes (i.e. your account data), please refer to our Privacy Policy and GDPR Compliance page — in that context WeblyChat is the data controller.
Section 2
Definitions
In this DPA the following terms have the meanings given below. Terms not defined here have the meaning given in the GDPR.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Controller" means the client — the natural or legal person who determines the purposes and means of processing personal data.
- "Processor" means WeblyChat, which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Section 3
Roles of the Parties
The parties acknowledge and agree that:
- The client is the Controller of any personal data relating to the client's own website visitors and end users that passes through or is stored on the website built and maintained by WeblyChat.
- WeblyChat is the Processor in respect of such personal data, acting only on the documented instructions of the Controller.
- WeblyChat is the Controller in respect of its own client account data (names, email addresses, billing information, Telegram IDs). That processing is governed by the WeblyChat Privacy Policy, not this DPA.
The nature of the WeblyChat service means that the personal data of the client's visitors is typically limited to what the client's website itself collects (e.g. contact form submissions, analytics data). WeblyChat does not independently collect visitor data on the client's behalf beyond what is technically necessary to serve the website.
Section 4
Subject Matter & Scope
Subject matter
The subject matter of the processing is the hosting, maintenance, and updating of the client's static website as described in the WeblyChat Terms & Conditions.
Nature and purpose
WeblyChat processes personal data as strictly necessary to: (a) serve the client's website to end users via Cloudflare's CDN; (b) apply changes to the website requested by the client via Telegram; and (c) maintain the technical operation and security of the hosting infrastructure.
Types of personal data
The types of personal data processed depend on the content of the client's website and may include: names, email addresses, phone numbers, and any other personal data submitted by website visitors through contact forms or other website features configured by the client.
Categories of data subjects
The data subjects are the visitors and end users of the client's website.
Duration
Processing continues for the duration of the client's active subscription with WeblyChat. Upon termination of the subscription, WeblyChat will delete or return the data in accordance with Section 11.
Section 5
Processor Obligations
WeblyChat, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller (i.e. the client's change requests), except where required to do so by EU or Member State law, in which case WeblyChat will inform the Controller before processing unless prohibited by law.
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement the technical and organisational security measures described in Section 8.
- Respect the conditions for engaging sub-processors as described in Section 6.
- Assist the Controller in fulfilling data subject rights requests as described in Section 7.
- Assist the Controller in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIAs) taking into account the nature of the processing and the information available to WeblyChat.
- Delete or return all Personal Data to the Controller on termination of the service, as described in Section 11.
- Make available all information necessary to demonstrate compliance with this DPA and assist with audits as described in Section 12.
The Controller acknowledges that WeblyChat is not responsible for determining whether the personal data it processes on the Controller's behalf is subject to GDPR or any other data protection law. That determination is the Controller's responsibility.
Section 6
Sub-processors
The Controller provides a general written authorisation for WeblyChat to engage sub-processors. WeblyChat will inform the Controller of any intended additions or replacements of sub-processors, giving the Controller the opportunity to object before the change takes effect.
Current sub-processors
WeblyChat currently relies on the following sub-processors in connection with the client website hosting service:
- Cloudflare, Inc. (United States) — CDN and static site hosting. Cloudflare operates under its Data Processing Addendum and is certified under the EU–US Data Privacy Framework.
Sub-processor obligations
Where WeblyChat engages a sub-processor, it shall impose data protection obligations on that sub-processor that are equivalent to those set out in this DPA, by way of a written contract. WeblyChat remains liable to the Controller for the acts and omissions of sub-processors to the same extent as if it were performing the processing directly.
Section 7
Data Subject Rights
Taking into account the nature of the processing, WeblyChat shall assist the Controller — insofar as reasonably possible — to fulfil its obligations to respond to data subject requests under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
If WeblyChat receives a data subject request that relates to personal data processed on behalf of the Controller, WeblyChat will promptly forward the request to the Controller and will not respond to the data subject directly unless instructed by the Controller or required by law.
The Controller is responsible for determining the lawfulness of any processing and for responding to data subjects within the timeframes set out in the GDPR.
Section 8
Security
WeblyChat implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include:
- Encryption in transit: All data transmitted between end users and the hosted website is encrypted using TLS via Cloudflare.
- Access controls: Access to production systems and any stored personal data is restricted to authorised personnel only, protected by strong authentication.
- Infrastructure security: The hosting infrastructure uses Cloudflare's enterprise-grade network, including DDoS mitigation and WAF capabilities.
- Minimal data retention: WeblyChat does not persistently store visitor personal data beyond what is technically necessary to serve the website. Contact form submissions and other visitor data reside where the client's website is configured to send them (e.g. an email address or third-party service).
- No third-party tracking: WeblyChat does not embed third-party advertising pixels or tracking scripts into client websites without the client's instruction.
WeblyChat regularly reviews its security measures and will update them as necessary to account for new threats or technological developments.
Section 9
Data Breach Notification
In the event that WeblyChat becomes aware of a confirmed Security Incident affecting personal data processed on behalf of the Controller, WeblyChat will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the incident.
The notification will include, to the extent then known:
- A description of the nature of the Security Incident, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected.
- The name and contact details of the WeblyChat data protection contact.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken to address the Security Incident.
The Controller is responsible for determining whether to notify the relevant supervisory authority and affected data subjects, and for making any such notifications within the applicable legal timeframes.
To report a potential security concern, please use our security disclosure page.
Section 10
International Transfers
WeblyChat stores its own data on EU-based infrastructure. However, the CDN service used to host client websites (Cloudflare) operates a global network, meaning that requests from website visitors may be served from data centres located outside the European Economic Area.
Cloudflare is certified under the EU–US Data Privacy Framework and provides a Data Processing Addendum. These constitute appropriate safeguards for transfers of personal data to the United States under Article 46 GDPR.
If the Controller requires data to be processed exclusively within the EEA for their specific use case, the Controller should contact WeblyChat at hola@weblychat.eu to discuss the feasibility of any additional configuration.
Section 11
Deletion & Return
Upon termination of the WeblyChat service, or at the Controller's written request, WeblyChat shall — at the Controller's choice — either delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless EU or Member State law requires further storage.
In practice, the primary artefact that WeblyChat holds on behalf of the client is the client's website source code and any associated assets. Upon termination, WeblyChat will provide the client with a copy of their website files on request, and will delete the hosting configuration from its systems within 30 days of termination.
WeblyChat will confirm completion of deletion in writing upon request.
Section 12
Audit Rights
WeblyChat shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Controller shall give WeblyChat reasonable prior notice of any audit (at least 30 days except in the case of a regulatory investigation). Audits shall be conducted during normal business hours, shall not unreasonably disrupt WeblyChat's operations, and shall be limited in scope to the processing activities covered by this DPA.
WeblyChat may satisfy audit obligations through the provision of up-to-date third-party certifications or audit reports where these demonstrate compliance with the relevant obligations under this DPA.
Section 13
Liability
Each party's liability under this DPA is subject to the limitations set out in the WeblyChat Terms & Conditions.
If a party is held liable for damage caused by processing that infringes the GDPR, the party that has fulfilled its obligations under the GDPR and this DPA shall be entitled to have the other party bear the portion of the compensation corresponding to its part of responsibility for the damage.
WeblyChat shall not be liable for any processing carried out by the Controller outside the scope of instructions given to WeblyChat, or for any failure by the Controller to comply with its own data protection obligations.
Section 14
Contact
For any questions about this DPA, to submit data subject requests forwarded to us as Processor, or to discuss your data protection obligations as a WeblyChat client, please contact us:
- Email: hola@weblychat.eu
- Company: WeblyChat
We aim to acknowledge all DPA-related enquiries within 5 business days.
For the full picture of how we handle our own client account data, please read our Privacy Policy and GDPR Compliance page.