Data Processing Agreement (DPA)

NeoMatX ("the Service") is a software platform that provides AI-powered customer communication tools.

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and NeoMatX ("Processor").

It governs the processing of personal data by NeoMatX on behalf of the Controller in connection with the use of the NeoMatX platform and services.

This agreement applies where the Controller processes personal data using the Service and such processing falls within the scope of the General Data Protection Regulation (GDPR).

2. Definitions

For the purposes of this DPA, the terms Controller, Processor, Data Subject, Personal Data, and Processing have the meaning given in the GDPR.

  • Controller: the customer using the NeoMatX platform
  • Processor: NeoMatX, providing the platform and related services
  • Sub-processor: third parties engaged by NeoMatX to process data on behalf of the Controller

3. Subject Matter of Processing

The Processor provides a cloud-based platform that allows the Controller to manage business operations including:

  • messaging and communication tools
  • contact forms
  • customer support chatbots
  • AI-assisted content generation
  • workflow automation

The Controller determines the categories of personal data processed through the Service.

4. Nature and Purpose of Processing

Processing activities may include:

  • collection
  • storage
  • organization
  • retrieval
  • transmission
  • deletion

The purpose of processing is to enable the Controller to operate and manage their business activities using the NeoMatX platform.

5. Categories of Data Subjects

Depending on how the Controller uses the Service, the following categories of data subjects may be involved:

  • customers of the Controller
  • website visitors
  • employees or representatives of the Controller
  • business contacts

6. Categories of Personal Data

Personal data processed through the Service may include, depending on usage:

  • names
  • email addresses
  • phone numbers
  • communication content
  • messages or support inquiries
  • IP addresses and technical metadata

The Controller determines which data is processed within the platform.

7. Instructions from the Controller

The Processor shall process personal data only on documented instructions from the Controller, unless required to do otherwise by applicable law.

Use of the Service in accordance with the Terms of Service and this DPA constitutes documented instructions.

If the Processor believes that an instruction from the Controller infringes applicable data protection law, the Processor will inform the Controller without undue delay.

8. Confidentiality

NeoMatX ensures that persons authorized to process personal data:

  • are subject to confidentiality obligations
  • process data only as required to operate the Service

9. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures may include:

  • encrypted data transmission (HTTPS)
  • access control mechanisms
  • infrastructure monitoring
  • server security and patch management
  • authentication and authorization controls

Security measures may evolve over time in accordance with technological developments.

10. Sub-Processors

The Controller authorizes the Processor to engage sub-processors for the operation of the Service. Sub-processors may include providers of:

  • cloud infrastructure
  • AI services
  • email delivery services
  • monitoring and logging systems

NeoMatX ensures that sub-processors are bound by contractual obligations providing data protection safeguards consistent with this DPA.

The Controller may object to the use of a new sub-processor for legitimate data protection reasons. If such objection cannot reasonably be resolved, the Controller may discontinue use of the affected services.

The Controller hereby grants a general authorization to NeoMatX to engage sub-processors. NeoMatX shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors via the website or email, thereby giving the Controller the opportunity to object to such changes.

11. Assistance with Data Subject Requests

To the extent reasonably possible, NeoMatX will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws. Such requests may include:

  • access requests
  • rectification
  • erasure
  • restriction of processing
  • data portability

The Controller remains responsible for handling such requests.

11a. Assistance with Compliance Obligations

Taking into account the nature of the processing and the information available to the Processor, NeoMatX shall assist the Controller in ensuring compliance with obligations relating to:

  • data protection impact assessments
  • consultation with supervisory authorities
  • implementation of appropriate security measures

12. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, NeoMatX will notify the Controller without undue delay after becoming aware of the breach. Such notification will include relevant information available at the time.

13. Data Retention and Deletion

Upon termination of the Service, the Controller may request deletion of personal data stored within the platform. NeoMatX may retain data only where required:

  • by law
  • for security purposes
  • to resolve disputes or enforce agreements

Upon termination of the Service, NeoMatX shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless applicable law requires storage of the personal data.

14. Audits and Compliance

Upon reasonable request, NeoMatX may provide information necessary to demonstrate compliance with this DPA. Any audits must:

  • be reasonable in scope
  • not disrupt normal operations
  • respect confidentiality and security requirements

Audits may be conducted no more than once per year unless required by law or in case of a verified security incident.

15. International Data Transfers

If personal data processed under this DPA is transferred to a country outside the EEA that does not provide an adequate level of data protection, NeoMatX shall ensure that such transfers are subject to appropriate safeguards.

These safeguards typically include the Standard Contractual Clauses (SCCs) adopted by the European Commission. Where NeoMatX acts as a data exporter to a sub-processor in a third country, the Controller hereby authorizes NeoMatX to enter into SCCs with such sub-processors on behalf of the Controller.

16. Liability

Liability between the parties regarding data processing shall be governed primarily by the limitations set forth in the Terms of Service.

17. Term

This DPA remains in effect for as long as NeoMatX processes personal data on behalf of the Controller through the Service.

18. Governing Law

This DPA shall be governed by and interpreted in accordance with the laws of Poland.

Appendix: Technical and Organizational Measures (TOMs)

NeoMatX implements appropriate technical and organizational measures to protect personal data. Key measures include:

  • Confidentiality: Access to personal data is restricted to authorized personnel only. We use industry-standard TLS/SSL encryption for data in transit and ensure secure storage environments.
  • Integrity: We implement input controls and validation mechanisms to ensure data remains accurate and protected against unauthorized modification.
  • Availability & Recoverability: We perform regular automated backups of the database to ensure that data can be restored in the event of a technical failure. System uptime is monitored to ensure prompt reaction to service interruptions.
  • Security Maintenance: We regularly apply security patches and software updates to protect the infrastructure against known vulnerabilities.