Last updated: August 10th, 2025
This Data Processing Addendum (“DPA”) is an agreement between Razorchat Technologies LLC (“Processor,” “we,” “our,” “us”) and the customer that is party to the Agreement, as defined below (“Controller”), and together with the Processor, each a “Party” and collectively the “Parties.”
This document reflects the Parties’ agreement with respect to the Processing of Personal Data, under Data Protection Laws in connection with any services offered by the Processor (“Service”).
Table of Contents
1. Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Controller” refers to you along with any other individual or organization that is party to the Agreement.
“Controller Personal Data” refers to any data transmitted to or from the Controller or any Data Subject that results from using the Service.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“Data Subject” means an identified or identifiable person whose rights are protected by the GDPR.
“EEA” means the European Economic Area.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“Processor” refers to Razorchat Technologies LLC.
“Service” means any offerings provided by the Processor including the use of the Website.
“Subprocessor” means any existing or new person or entity appointed by or on behalf of the Processor in order to fulfill certain elements of the Service and to Process Controller Personal Data on behalf of the Controller under the Agreement.
“Website” refers to any websites operated by the Processor, as pertains to the Service, including
razor.chat and
my.razor.chat.
The terms “Commission,” “Controller,” “Member State,” “Personal Data,” “Process,” “Processing,” and “Processor” shall have the same meaning as in applicable Data Protection Laws and shall be construed accordingly.
2. Processing of Controller Personal Data
2.1
The Controller shall:
2.1.1.
authorize the Processor to Process Controller Personal Data on behalf of the Controller to fulfill the Service;
2.1.2.
ensure that any and all data, including without limitation Controller Personal Data, is collected, processed, transferred, and used lawfully and in full compliance with the Agreement and Data Protection Laws;
2.1.3.
be solely responsible for ensuring that it has obtained all necessary authorizations and consents from any Data Subjects to Process Controller Personal Data.
2.2
The Processor shall:
2.2.1.
comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
2.2.2.
implement appropriate technical and organizational measures to ensure the security and confidentiality of any Controller Personal Data associated with the Service;
2.2.3.
not directly or indirectly sell or trade any Controller Personal Data, or access, retain, use, or disclose any Controller Personal Data for any purpose other than the purpose of fulfilling the Service; or access, retain, use, or disclose any Controller Personal Data outside the scope of the Agreement.
3. Processor Personnel and Confidentiality
Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to any Controller Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Controller Personal Data.
4. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessors
The Controller authorizes the Processor to engage the following Subprocessors to Process Personal Data on behalf of the Controller:
Digital Ocean: Data hosting services based in the US.
Pusher Limited: Real-time communications platform based in the UK.
PayPal Inc.: Payment processing platform based in the US.
Amazon SES: Email sending service based in the US.
Google Maps: User geolocation service based in the US.
Cloudflare Inc.: User verification service based in the US.
Artia International: IP geolocation data service based in Romania.
The Controller further authorizes the Processor to engage other Subprocessors to Process Controller Personal Data on behalf of the Controller if the Processor provides the Controller with at least 10 days' notice prior to such engagements.
6. Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws. The Processor will, to the extent required by Data Protection Laws, promptly notify the Controller upon receipt of a request by a Data Subject that relates to Personal Data and identifies the Controller to exercise the Data Subject's rights under the applicable Data Protection Laws.
The Processor will advise the Data Subject to submit their request to the Controller, and the Controller will be solely responsible for responding to any such requests from Data Subjects. The Processor may reasonably assist the Controller with Data Subject Rights as required by Data Protection Laws to the extent the Processor is legally permitted to do so, is technically capable of doing it, and has reasonable access to the relevant Controller Personal Data.
7. Personal Data Breach
The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
The Processor shall cooperate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Data Retention Period
All message data transmitted through the Service, whether sent by the Controller, Processor, or a Data Subject, will be retained for 10 days before permanent removal. Any other Controller Personal Data will be retained for as long as the Controller's account remains active.
10. Deletion of Controller Personal Data
The Processor shall promptly and within 10 days after the cessation of any Service involving the Processing of Controller Personal Data (the “Cessation Date”), delete all Controller Personal Data from the Processor's records.
11. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and, at the cost of the Controller, allow for and contribute to any audits the Controller deems necessary to assess the Processor's compliance with this DPA.
12. Data Transfer and Storage
12.1
Data Transfer: The Controller acknowledges that the Processor will Process the Controller Personal Data outside of the Protected Area, including in the United States and elsewhere, as identified in section 5, to fulfill the Service. The Controller hereby agrees to and authorizes the transfer of Controller Personal Data to these countries.
12.2
Data Storage: The Controller acknowledges that the Processor will store Controller Personal Data outside of the Protected Area in a secure datacenter located near the Processor in New York City, United States. The Controller hereby agrees to and authorizes the storage of Controller Personal Data at this location.
13. General Terms
13.1
Confidentiality: Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that (i) disclosure is required by law and/or (ii) the relevant information is already in the public domain.
13.2
Amendments: The Controller agrees that the Processor may amend this DPA periodically, and such amendments become effective and binding immediately upon being published. Your continued use of the Service after any amendments are published constitutes your agreement to, and acceptance of, the amended DPA.
13.3
Liability: The Parties agree that any liability under this DPA, including limitations thereof, will be governed by the relevant provisions in the
Terms of Use.
13.4
Invalidity and Severability: If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
13.5
Governing Law and Jurisdiction: The Parties agree that this DPA shall be governed by the laws and jurisdiction specified in the
Terms of Use.
13.6
Duration: This DPA will remain in effect and automatically expire 10 days after the cessation of any services involving the Processing of Controller Personal Data, at which point all Controller Personal Data will be deleted.
13.7
Notices: All notices and communications pertaining to this DPA will be either (i) posted to the Website and/or (ii) communicated via email. Any requests related to this DPA should be forwarded to
legal@razorchat.com.