Last updated: December 28th, 2025
This Data Processing Addendum (“DPA”) is an agreement between Razorchat Technologies LLC (“Processor,” “we,” “our,” “us”) and the customer that is party to the Agreement, as defined below (“Controller”), and together with the Processor, each a “Party” and collectively the “Parties.”
This document reflects the Parties’ agreement with respect to the Processing of Personal Data, under Data Protection Laws in connection with any services offered by the Processor (“Service”).
Table of Contents
1. Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Controller” refers to you along with any other individual or organization that is party to the Agreement.
“Controller Personal Data” refers to any data transmitted to or from the Controller or any Data Subject that results from using the Service.
“Data Protection Laws” means the GDPR and any applicable national laws implementing or supplementing the GDPR.
“Data Subject” means an identified or identifiable person whose rights are protected by the GDPR.
“EEA” means the European Economic Area.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Processor” refers to Razorchat Technologies LLC.
“Protected Area” means the European Economic Area and the United Kingdom.
“Service” means any offerings provided by the Processor including the use of the Website.
“Subprocessor” means any existing or new person or entity appointed by or on behalf of the Processor in order to fulfill certain elements of the Service and to Process Controller Personal Data on behalf of the Controller under the Agreement.
“Website” refers to any websites operated by the Processor, as pertains to the Service, including
razor.chat and
my.razor.chat.
The terms “Commission,” “Controller,” “Member State,” “Personal Data,” “Process,” “Processing,” and “Processor” shall have the same meaning as in applicable Data Protection Laws and shall be construed accordingly.
2. Processing of Controller Personal Data
2.1
The Controller shall:
2.1.1.
authorize the Processor to Process Controller Personal Data on behalf of the Controller to fulfill the Service;
2.1.2.
ensure that any and all data, including without limitation Controller Personal Data, is collected, processed, transferred, and used lawfully and in full compliance with the Agreement and Data Protection Laws;
2.1.3.
be solely responsible for ensuring that it has obtained all necessary authorizations and consents from any Data Subjects to Process Controller Personal Data.
2.2
The Processor shall:
2.2.1.
comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
2.2.2.
implement appropriate technical and organizational measures to ensure the security and confidentiality of any Controller Personal Data associated with the Service;
2.2.3.
not directly or indirectly sell or trade any Controller Personal Data, or access, retain, use, or disclose any Controller Personal Data for any purpose other than the purpose of fulfilling the Service; or access, retain, use, or disclose any Controller Personal Data outside the scope of the Agreement.
3. Processor Personnel and Confidentiality
Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to any Controller Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Controller Personal Data.
4. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessors
The Controller authorizes the Processor to engage the following Subprocessors (GDPR Article 28(2); SCC Annex III) to Process Personal Data on behalf of the Controller:
Amazon Web Services, Inc. (SES): Email sending service based in the US.
Artia International: IP geolocation data service based in Romania.
Cloudflare, Inc.: User verification service based in the US.
DigitalOcean Holdings, Inc: Data hosting services based in the US.
Google LLC (Maps API): User geolocation service based in the US.
OpenAI, LLC: AI processing service based in the US.
PayPal, Inc.: Payment processing platform based in the US.
Pusher Limited: Real-time communications platform based in the UK.
The Controller further authorizes the Processor to engage other Subprocessors to Process Controller Personal Data on behalf of the Controller if the Processor provides the Controller with at least 10 days' notice prior to such engagements.
6. Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as possible, to enable the Controller to fulfill its obligations under the Data Protection Laws. The Processor will, to the extent required by applicable law, promptly notify the Controller upon receiving a request from a Data Subject relating to Personal Data and will not respond to such a request except on the documented instructions of the Controller.
If the Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, the Processor shall promptly notify the Controller and shall not respond to the request unless expressly instructed by the Controller or required by law. The Controller is solely responsible for responding to Data Subject requests. The Processor will provide reasonable assistance to the Controller in fulfilling such requests if the Controller cannot independently access, correct, or delete the relevant Personal Data through the Service.
7. Personal Data Breach
The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
The Processor shall cooperate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervising authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Data Retention Period
All message data transmitted through the Service, whether sent by the Controller, Processor, or a Data Subject, will be retained for 10 days before permanent removal. Any other Controller Personal Data will be retained for as long as the Controller's account remains active.
10. Deletion of Controller Personal Data
The Processor shall promptly and within 10 days after the cessation of any Service involving the Processing of Controller Personal Data (the “Cessation Date”), delete all Controller Personal Data from the Processor's records.
11. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and, at the cost of the Controller, allow for and contribute to any audits the Controller deems necessary to assess the Processor's compliance with this DPA.
12. Data Transfer and Storage
12.1
Data Transfer: The Controller acknowledges that the Processor will Process the Controller Personal Data outside of the Protected Area, including in the United States and elsewhere, as identified in section 5, to fulfill the Service. The Controller hereby agrees to and authorizes the transfer of Controller Personal Data to these countries.
12.2
Transfer Safeguards: The Controller acknowledges that RazorChat implements appropriate technical and organizational measures, including encryption (SSL/TLS) and access controls, intended to ensure a level of protection essentially equivalent to that guaranteed under EU data protection law.
12.3
Data Storage: The Controller acknowledges that the Processor will store Controller Personal Data outside of the Protected Area in a secure datacenter located near the Processor in New York City, United States. The Controller hereby agrees to and authorizes the storage of Controller Personal Data at this location.
12.4
Standard Contractual Clauses (SCCs): To the extent that RazorChat processes Controller Personal Data that involves a transfer to a country outside the European Economic Area or the United Kingdom that does not have an adequacy decision under applicable Data Protection Laws, the parties agree that the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module 2 – Controller to Processor) are hereby incorporated by reference and will apply to such transfers.
For the purposes of the SCCs:
Customer is the data exporter and acts as the Controller.
RazorChat is the data importer and acts as the Processor.
The SCCs shall take precedence in the event of any conflict with this DPA or the Terms. Nothing in this DPA alters or overrides the governing law and jurisdiction provisions set out in the SCCs. A copy of the SCCs is available at
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
13. General Terms
13.1
Confidentiality: Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that (i) disclosure is required by law and/or (ii) the relevant information is already in the public domain.
13.2
Amendments: The Controller agrees that the Processor may amend this DPA periodically, and such amendments become effective and binding immediately upon being published. Your continued use of the Service after any amendments are published constitutes your agreement to, and acceptance of, the amended DPA.
13.3
Liability: The Parties agree that any liability under this DPA, including limitations thereof, will be governed by the relevant provisions in the
Terms of Use.
13.4
Invalidity and Severability: If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
13.5
Governing Law and Jurisdiction: The Parties agree that this DPA shall be governed by the laws and jurisdiction specified in the
Terms of Use.
13.6
Duration: This DPA will remain in effect and automatically expire 10 days after the cessation of any services involving the Processing of Controller Personal Data, at which point all Controller Personal Data will be deleted.
13.7
Notices: All notices and communications pertaining to this DPA will be either (i) posted to the Website and/or (ii) communicated via email. Any requests related to this DPA should be forwarded to
legal@razorchat.com.