Data Processing Agreement

Last Updated

March 14, 2026

Processor

Boti Mobile Ltd.

Jurisdiction

Israel

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Boti Mobile Ltd. ("Boti," "Processor") and the Customer ("Controller," "you"). It governs how Boti processes Customer Personal Data on behalf of the Customer in connection with the Services.

The parties expressly acknowledge and agree that:

• This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR.
• Each party remains solely responsible for its own compliance with Applicable Data Protection Laws.
• Boti processes Customer Personal Data solely on behalf of and under the instructions of the Customer.
• Boti may process Service Data, Log Data, aggregated data, and de-identified data as an independent controller for analytics, security, billing, and product development purposes.
• Boti does not engage in automated decision-making with legal or similarly significant effects on Data Subjects.

Data Protection Contact: legal@boti.bot

1. Definitions

Capitalized terms used in this DPA that are not defined here carry the meaning assigned in the Agreement. In addition:

• "Applicable Data Protection Laws" means all legislation and regulations protecting individuals' fundamental rights regarding the processing of personal data that apply to the parties, including but not limited to the GDPR, UK GDPR, Israel's Privacy Protection Law, CCPA/CPRA, PIPEDA, and the Swiss revFADP.
• "CCPA" means the California Consumer Privacy Act of 2018 and its amendments (including the CPRA) and any binding regulations promulgated thereunder.
• "Customer Personal Data" means any Personal Data processed by Boti or its Sub-processors on behalf of and under the documented instructions of the Customer in connection with the Services.
• "Data Subject" means an individual whose Personal Data is processed.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Personal Data Breach" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Boti's possession, custody, or control. This does not include unsuccessful attempts such as failed login attempts, port scans, or denial-of-service attacks that do not compromise Customer Personal Data.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure, or destruction.
• "Service Data" means operational telemetry and aggregated data relating to the use, support, and operation of the Services, collected directly by Boti for its own purposes.
• "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for international transfers of personal data adopted by the European Commission in Decision (EU) 2021/914.
• "Sub-processor" means any processor engaged by Boti to process Personal Data on behalf of the Customer.
• "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

Role Assignment:

• For EU/EEA Personal Data: Customer acts as Controller; Boti acts as Processor.
• For UK Personal Data: Customer acts as Controller; Boti acts as Processor under UK GDPR.
• For U.S. Personal Data: Customer is the "business"; Boti is the "service provider/contractor." Boti shall not "sell" or "share" such data nor combine it for cross-contextual advertising.
• For Israeli Personal Data: Customer acts as database owner; Boti acts as holder/manager under the Privacy Protection Law.

2. Scope, Activities, and Duration

• Boti shall process Customer Personal Data only in accordance with the Customer's documented instructions as described in Annex 1.
• Boti may decline, suspend, or propose alternatives to any instruction it reasonably believes would breach Applicable Data Protection Laws or materially compromise the security or performance of the Services.
• Customer Personal Data transmitted through the Service shall be retained as specified in Annex 1.
• This DPA remains in effect for the duration of the Agreement.

3. Customer Obligations

The Customer represents and warrants that:

1. It shall serve as the single point of contact for Boti on all matters under this DPA, including coordinating instructions, requests, and the distribution of notifications.
2. It is entitled to provide access to Customer Personal Data and has obtained all necessary consents, authorizations, and lawful bases for Boti's processing in connection with the Services.
3. It bears sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired.
4. It shall comply with all Applicable Data Protection Laws, including implementing appropriate security configurations and data handling practices within the Services.
5. It shall cooperate with Boti in responding to data subject requests and shall reimburse Boti for any reasonable, documented costs incurred in providing assistance beyond standard operations.
6. It is solely responsible for securing its own account credentials, systems, devices, and network access, and for maintaining backups of Customer Personal Data.
7. It shall not upload, input, or otherwise provide to Boti any data classified as sensitive, including protected health information (HIPAA), government identification numbers, financial account credentials, or biometric data.

4. Boti's Obligations as Processor

Boti shall process Customer Personal Data solely in accordance with documented instructions from the Customer, for the following limited purposes:

1. Performing the Services under the terms of the Agreement, including operating bots, processing conversations, and generating AI-driven responses.
2. Setting up, operating, and monitoring the infrastructure (servers, databases, connectivity) required to deliver the Services.
3. Executing processing operations initiated by authorized users of the Customer's account.
4. Carrying out documented instructions from the Customer that are consistent with the scope of the Services.
5. Addressing service issues, debugging, and resolving technical problems.
6. Meeting requirements under Applicable Data Protection Laws, in which case Boti shall (unless legally prohibited) inform the Customer of such requirements before processing.

Boti shall:

• Promptly report any request, demand, or order from a supervisory authority or data subject to the Customer, once identified as relating to the Customer's data.
• Upon termination, return or delete Customer Personal Data as described in Section 11, unless retention is required by law.
• Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and that access is limited to those who require it to perform the Services.
• Promptly notify the Customer if any instruction appears to violate Applicable Data Protection Laws.
• Provide reasonable assistance if the Customer chooses to carry out a data protection impact assessment. Such assistance may be subject to Boti's professional services fees on a time-and-materials basis.

5. Security Measures

In connection with its processing of Customer Personal Data, Boti shall implement and maintain appropriate administrative, physical, technical, and organizational security measures designed to protect data against unauthorized access, loss, destruction, or alteration. These measures include:

• Encryption in transit (TLS) and at rest for databases and storage
• Role-based access controls and multi-factor authentication for administrative access
• Continuous monitoring, centralized logging, and regular vulnerability assessments
• Infrastructure hosted in certified data centers with physical security controls
• Employee confidentiality obligations and security awareness training
• Regular review and audit of security measures and practices

6. Data Breach Notification

Boti will inform the Customer without undue delay after confirming a Personal Data Breach. The notification process includes:

1. Boti shall investigate the breach and take reasonable steps to identify its root cause, where the breach originates from Boti or one of its Sub-processors.
2. As information becomes available, and to the extent legally permitted, Boti shall provide a description of the breach, the types of data affected, and other information the Customer may reasonably request to assess the impact.
3. Boti will provide follow-up reports on a timely basis as reasonably requested by the Customer.

Notification of a breach does not constitute an acknowledgment of fault or liability by Boti. If the Customer decides to notify governmental entities, data subjects, or the public, and such notice identifies Boti, the Customer agrees to provide Boti with advance written notice and to consult with Boti in good faith on the content.

Boti may delay notification if a law-enforcement agency determines that immediate disclosure would impede a criminal investigation, provided Boti notifies the Customer as soon as the restriction is lifted.

These obligations do not apply to the extent that the breach is caused by the Customer, its affiliates, or anyone acting on the Customer's behalf.

7. Sub-Processors

The Customer acknowledges that Boti engages third-party Sub-processors to support the Services. The current authorized Sub-processors are:

Sub-processor	Purpose	Location
WhatsApp / Meta	Messaging channel delivery and routing	United States / EU
Stripe	Payment processing and billing	United States
OpenAI	AI model processing for bot responses	United States
Claude	AI model provider and integration services	United States
PostHog	Product analytics	United States / EU

Boti will inform the Customer of any intended additions or replacements of Sub-processors by updating the list above. The Customer may object to a new Sub-processor by notifying legal@boti.bot within twenty (20) business days, providing reasonable grounds related to the protection of Personal Data. The parties shall work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the Agreement and receive a pro-rata refund of prepaid fees.

All Sub-processors are bound by contractual data-protection obligations equivalent to those in this DPA.

8. International Data Transfers

Boti shall not transfer Customer Personal Data to a country or international organization lacking adequate data protection unless:

• The destination has been recognized as providing adequate protection by the European Commission, the UK Secretary of State, or the relevant regulatory authority; or
• Appropriate safeguards are in place, including Standard Contractual Clauses, binding corporate rules, or approved certification mechanisms.

For transfers from the EEA, the parties agree that:

• Module 2 (Controller-to-Processor) of the EU SCCs applies when the Customer is a Controller and Boti processes data as a Processor.
• Module 3 (Processor-to-Sub-Processor) applies when the Customer is a Processor and Boti acts as a Sub-processor.

For transfers from the UK, the UK Addendum supplements the SCCs. For transfers from Switzerland, the Swiss Addendum adapts the SCCs to the revised FADP.

If any applicable transfer mechanism is invalidated, the parties will cooperate to promptly implement an alternative lawful mechanism. Boti may suspend affected transfers until such mechanism is in place, without this constituting a breach of the Agreement.

9. Service Data

The Customer acknowledges that Boti may collect, use, and disclose Service Data for its own business purposes, including:

• Accounting, billing, tax, and audit compliance
• Operating, improving, and optimizing the Services
• Investigating fraud, spam, or unlawful use of the Services
• Product development and performance analysis

Service Data is not Customer Personal Data, and the obligations in this DPA do not apply to Boti's processing of Service Data. Boti may retain Service Data for as long as it has a legitimate business need, may share it with affiliates and Sub-processors for the purposes above, and may create and publish anonymized or aggregated data derived from Service Data, provided such data does not identify the Customer or any individual.

10. AI and Machine Learning

Boti shall not use Customer Personal Data for training, retraining, fine-tuning, or otherwise developing any AI or machine-learning models.

Customer Personal Data is processed solely for delivering, maintaining, securing, and supporting the Services as described in this DPA, in accordance with documented instructions and Applicable Data Protection Laws.

Boti may process de-identified and aggregated information derived from Service Data for statistical reporting, security analysis, and operational insights, provided such information cannot reasonably be used to re-identify any individual.

11. Return and Deletion of Data

1. Upon termination of the Agreement, Boti shall immediately discontinue all processing of Customer Personal Data, except for secure storage or processing expressly permitted under this DPA.
2. Within thirty (30) calendar days after termination, the Customer may instruct Boti in writing to return or delete all Customer Personal Data, unless Applicable Data Protection Laws require its retention.
3. If no instruction is received within thirty (30) calendar days, Boti may permanently delete or irreversibly anonymize the Customer Personal Data in accordance with its documented retention schedule.
4. Where manual data export or bespoke deletion work exceeds two (2) person-hours, Boti may charge its reasonable, documented professional services rates, except where such charges are prohibited by law.
5. Backup copies may persist for up to 90 days before permanent deletion.

12. Governing Law and Jurisdiction

This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by the laws of the State of Israel and subject to the exclusive jurisdiction of the courts of Tel Aviv-Jaffa, Israel, unless otherwise required by mandatory local law applicable to the Customer.

13. Indemnification

The Customer shall defend, indemnify, and hold harmless Boti and its affiliates from any third-party claim, investigation, fine, loss, or reasonable legal cost arising from: (i) the Customer's instructions or configurations; (ii) failure to secure a lawful basis or required consents; (iii) provision of sensitive or prohibited data as described in Section 3.7; or (iv) any breach of this DPA or Applicable Data Protection Laws by the Customer.

Boti will provide prompt written notice and reasonable cooperation. The Customer may control the defense but may not settle any matter that admits fault on behalf of Boti without Boti's prior written consent.

14. Limitation of Liability

Each party's liability under this DPA is subject to the limitation-of-liability provisions in the Agreement. Neither party shall be liable to the other for any loss of profits, revenue, goodwill, business interruption, or any indirect, special, incidental, punitive, or consequential damages, regardless of the theory of liability. Neither party is obligated to indemnify the other for administrative fines imposed by a supervisory authority.

15. U.S. Privacy Laws

To the extent Boti's processing of Customer Personal Data is subject to U.S. Privacy Laws (including the CCPA/CPRA):

• Boti shall use, retain, and disclose Customer Personal Data only as necessary to perform the business purposes specified in the Agreement.
• Boti shall comply with all applicable obligations and provide the same level of data protection required of a "service provider" or "contractor" under each applicable U.S. statute.
• Boti shall notify the Customer without undue delay if it determines it can no longer meet its obligations under U.S. Privacy Laws.
• Boti shall not sell or share Customer Personal Data, retain it for purposes other than the Services, or combine it with data from other sources for cross-contextual advertising.
• Any de-identification performed by Boti shall meet the standards required by applicable U.S. Privacy Laws.

16. Miscellaneous

• In the event of inconsistencies between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
• If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force, and the parties shall replace the invalid provision with one that most closely reflects the original intent.
• This DPA, together with the Agreement and its annexes, constitutes the entire understanding between the parties on the subject matter hereof.

Annex 1 — Description of Processing

A. Parties

Role	Details
Data Exporter (Controller)	The Customer, as defined in the Agreement, on behalf of itself and any permitted affiliates. Contact details as set out in the Customer's Boti account.
Data Importer (Processor)	Boti Mobile Ltd., Rothschild 77, Tel Aviv, Israel. Contact: legal@boti.bot

B. Description of Processing

Boti is an AI-powered conversational automation platform that enables businesses to build and deploy bots across messaging channels. The platform processes data provided by the Customer to operate bots, manage conversations, generate AI-driven responses, and provide analytics.

Processing may include the hosting, storage, indexing, analysis, and AI-assisted generation of conversational content, configuration files, workflow definitions, and user-profile data in order to deliver, secure, maintain, and improve the Services.

C. Categories of Personal Data

• Customer Personal Data: Data disclosed or made accessible by the Customer for provision of the Services, which may identify individuals. Processed for account creation, billing, service delivery, support, and integration operations.
• Service Data: Aggregated and/or de-identified operational telemetry, processed by Boti independently for analytics, billing, security, fraud prevention, and product improvement.
• Log Data: Operational telemetry including IP addresses, browser details, API access patterns, timestamps, session identifiers, and error codes. Processed for security and platform improvement.

D. Categories of Data Subjects

• Customer's employees, contractors, agents, and authorized users of the Services
• End users and customers who interact with published bots
• Third-party contributors connected through integrations

E. Retention and Erasure

• Customer Personal Data: Retained for the term of the Agreement. Returned or deleted upon written request within 30 days after termination, unless retention is required by law. Deleted data may persist in backups for up to 90 days.
• Service Data: May be retained indefinitely in anonymized and aggregated form.

---

Privacy Policy  ·  Terms of Service  ·  Cookie Settings