AuraConnect Data Processing Agreement (DPA)

INTRODUCTION

This Data Processing Agreement ("DPA") forms part of the AuraConnect Terms of Service between AuraChat.AI ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your"). This DPA governs the processing of personal data by AuraChat.AI on behalf of the customer through the AuraConnect platform.

This DPA applies to customers in Mexico and the United States and ensures compliance with applicable data protection laws including:

  • Mexican Federal Law for the Protection of Personal Data (LFPDPPP)

  • California Consumer Privacy Act (CCPA/CPRA)

  • European Union General Data Protection Regulation (GDPR) where applicable

  • Other applicable privacy and data protection laws

1. DEFINITIONS

1.1 General Definitions

  • "Controller": The entity that determines the purposes and means of processing personal data

  • "Processor": The entity that processes personal data on behalf of the Controller

  • "Personal Data": Any information relating to an identified or identifiable individual

  • "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion

  • "Data Subject": An identified or identifiable individual whose personal data is processed

  • "Sub-processor": A third party engaged by the Processor to process personal data on behalf of the Controller

1.2 AuraConnect-Specific Definitions

  • "Customer Data": All personal data that you submit, upload, or input into AuraConnect

  • "AI Processing": Processing of personal data through our AI models and AuraLink® technology

  • "Integration Data": Personal data synchronized from third-party services you connect to AuraConnect

  • "Competitive Intelligence Data": Aggregated, anonymized data collected through AuraIntelligence®

2. SCOPE AND NATURE OF PROCESSING

2.1 Subject Matter

This DPA governs the processing of personal data necessary to provide AuraConnect services, including:

  • Customer relationship management (AuraCRM™)

  • AI-powered customer interactions

  • Competitive intelligence and monitoring (AuraIntelligence®)

  • Marketing campaign management (AuraMarketing™)

  • Social media management (AuraSocial™)

  • Reputation management (AuraReviews™)

  • SEO and listing management (AuraSEO™)

2.2 Duration of Processing

Processing will continue for the duration of your AuraConnect subscription and for the retention period specified in our Privacy Policy, unless you request earlier deletion.

2.3 Nature and Purpose of Processing

We process personal data to:

  • Provide and maintain AuraConnect platform functionality

  • Enable AI-powered customer service and sales automation

  • Facilitate integrations with third-party business tools

  • Generate analytics and reporting

  • Provide customer support

  • Improve AI model performance (using aggregated, anonymized data only)

2.4 Categories of Data Subjects

Personal data may relate to:

  • Your customers and leads

  • Your employees and users

  • Website visitors and prospects

  • Social media contacts and connections

  • Business contacts and partners

2.5 Categories of Personal Data

We may process the following categories of personal data:

  • Identity Data: Names, usernames, titles

  • Contact Data: Email addresses, phone numbers, postal addresses

  • Communication Data: Messages, call transcripts, chat logs

  • Technical Data: IP addresses, browser data, device information

  • Usage Data: Platform interactions, feature utilization

  • Marketing Data: Preferences, communication history

  • Transaction Data: Purchase history, billing information

  • Professional Data: Job titles, company information, industry

3. YOUR OBLIGATIONS AS CONTROLLER

3.1 Legal Basis and Instructions

You warrant that:

  • You have a valid legal basis for processing personal data

  • You have obtained necessary consents from data subjects

  • Your instructions to us comply with applicable data protection laws

  • You have the authority to enter into this DPA

3.2 Data Subject Rights

You are responsible for:

  • Responding to data subject rights requests

  • Providing privacy notices to data subjects

  • Obtaining necessary consents for processing

  • Ensuring data accuracy and relevance

  • Implementing appropriate retention policies

3.3 Instructions for Processing

We will process personal data only according to your documented instructions, which include:

  • This DPA and the Terms of Service

  • Your platform configuration and settings

  • Your use of AuraConnect features and integrations

  • Any additional written instructions you provide

4. OUR OBLIGATIONS AS PROCESSOR

4.1 Processing Limitations

We will:

  • Process personal data only as instructed by you

  • Ensure personnel are bound by confidentiality obligations

  • Implement appropriate technical and organizational security measures

  • Assist with data subject rights requests when possible

  • Notify you of data breaches without undue delay

  • Delete or return personal data upon termination (unless legal retention is required)

4.2 Data Security Measures

We implement and maintain:

  • Encryption: Data encrypted in transit and at rest using industry-standard protocols

  • Access Controls: Role-based access with multi-factor authentication

  • Network Security: Firewalls, intrusion detection, and continuous monitoring

  • Physical Security: Secure data center facilities with restricted access

  • Security Audits: Regular assessments and SOC2 Type 2 compliance

  • Incident Response: Documented procedures for security incidents

4.3 Security Breach Notification

In case of a personal data breach, we will:

  • Notify you without undue delay (within 72 hours when possible)

  • Provide detailed information about the breach

  • Assist with impact assessment and mitigation

  • Cooperate with breach notification to authorities when required

  • Implement measures to prevent future incidents

4.4 Data Protection Impact Assessments

We will assist with Data Protection Impact Assessments (DPIAs) when:

  • Processing is likely to result in high risk to data subjects

  • You request assistance with DPIA preparation

  • New processing activities require risk assessment

  • Regulatory authorities require DPIA documentation

5. SUB-PROCESSORS

5.1 Sub-processor Authorization

You authorize us to engage sub-processors to assist with providing AuraConnect services, subject to the conditions in this section.

5.2 Current Sub-processors

Our current sub-processors include:

Infrastructure and Hosting:

  • Amazon Web Services (AWS) - Cloud hosting and infrastructure

  • Google Cloud Platform (GCP) - AI/ML services and data processing

  • Microsoft Azure - Additional cloud services and integrations

Business Operations:

  • Stripe - Payment processing

  • SendGrid - Email delivery services

  • Twilio - SMS and voice communication services

  • Intercom - Customer support platform

Analytics and Monitoring:

  • Google Analytics - Website and platform analytics

  • Mixpanel - Product usage analytics

  • Sentry - Error monitoring and performance tracking

5.3 Sub-processor Requirements

All sub-processors must:

  • Enter into written agreements with data protection terms substantially similar to this DPA

  • Implement appropriate technical and organizational security measures

  • Allow for audits and inspections

  • Notify us immediately of any data breaches

  • Comply with applicable data protection laws

5.4 Sub-processor Changes

We will:

  • Provide 30 days' advance notice of new sub-processors

  • Allow you to object to new sub-processors with legitimate reasons

  • Provide alternative solutions if you object to a sub-processor

  • Maintain an updated list of sub-processors on our website

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Mechanisms

Personal data may be transferred outside your jurisdiction using these safeguards:

For Mexico Customers:

  • Standard Contractual Clauses approved by INAI

  • Adequacy decisions by Mexican authorities

  • Your explicit consent for specific transfers

  • Binding Corporate Rules where applicable

For US Customers:

  • Standard Contractual Clauses (EU Commission approved)

  • Adequacy decisions by relevant authorities

  • Certified frameworks (e.g., Data Privacy Framework)

  • Your explicit consent for specific transfers

6.2 Transfer Locations

Personal data may be transferred to:

  • United States (primary data processing location)

  • Mexico (for Mexican customer data localization)

  • European Union (for sub-processor services)

  • Other jurisdictions with adequate protection

6.3 Data Localization Options

We offer data localization preferences:

  • Mexico Option: Store Mexican customer data within Mexico

  • US Option: Store US customer data within the United States

  • Custom Arrangements: Enterprise customers may request specific data residency requirements

7. DATA SUBJECT RIGHTS

7.1 Rights Assistance

We will assist you in responding to data subject rights requests, including:

Mexico (ARCO Rights):

  • Access: Providing information about personal data processing

  • Rectification: Correcting inaccurate or incomplete data

  • Cancellation: Deleting personal data when legally permissible

  • Opposition: Stopping specific processing activities

US (CCPA Rights):

  • Right to Know: Disclosing categories and specific pieces of personal information

  • Right to Delete: Deleting personal information subject to exceptions

  • Right to Correct: Correcting inaccurate personal information

  • Right to Opt-Out: Stopping sale or sharing of personal information

7.2 Rights Request Process

When you receive a data subject rights request:

  1. Verify the identity of the data subject

  2. Determine the scope and validity of the request

  3. Contact us at dpo@aurachat.ai with request details

  4. We will provide necessary assistance within 10 business days

  5. You remain responsible for responding to the data subject

7.3 Technical Assistance

We will provide reasonable technical assistance to:

  • Locate relevant personal data in AuraConnect

  • Export data in commonly used formats

  • Delete or anonymize data as instructed

  • Modify data processing settings

  • Generate reports on data processing activities

8. DATA RETENTION AND DELETION

8.1 Retention Periods

We retain personal data according to:

  • Your instructions and retention settings

  • Legal and regulatory requirements

  • Legitimate business purposes

  • Industry standard practices

8.2 Standard Retention Schedule

Unless otherwise instructed:

  • Active Customer Data: Retained during subscription period

  • Inactive Data: Retained for 90 days after subscription termination

  • Backup Data: Retained for 12 months in encrypted backups

  • Log Data: Retained for 24 months for security and audit purposes

8.3 Data Deletion Process

Upon termination or your request, we will:

  • Cease processing personal data (except for legal retention requirements)

  • Provide 30 days for data export

  • Delete personal data from active systems within 90 days

  • Securely destroy backup copies according to our retention schedule

  • Provide written confirmation of deletion upon request

8.4 Legal Hold Exceptions

We may retain personal data longer when required by:

  • Legal proceedings or investigations

  • Regulatory audits or examinations

  • Contractual obligations to third parties

  • Legitimate business purposes (with your consent)

9. AUDITS AND COMPLIANCE

9.1 Audit Rights

You have the right to:

  • Receive copies of our relevant certifications (SOC2, ISO 27001)

  • Request information about our security measures

  • Conduct audits of our data processing activities (with reasonable notice)

  • Engage third-party auditors (subject to confidentiality agreements)

9.2 Compliance Documentation

We will provide:

  • Annual compliance reports

  • Security certification updates

  • Data processing activity records

  • Sub-processor compliance confirmations

  • Incident reports and remediation measures

9.3 Audit Procedures

For on-site audits:

  • You will provide 60 days' advance written notice

  • Audits are limited to once per year (unless a breach or regulatory requirement justifies more)

  • Audits are conducted during normal business hours

  • Both parties execute mutual confidentiality agreements

  • You bear the costs of third-party auditors

10. LIABILITY AND INDEMNIFICATION

10.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

10.2 Data Protection Indemnification

We will indemnify you against claims arising from:

  • Our material breach of this DPA

  • Our violation of applicable data protection laws

  • Unauthorized processing outside your instructions

  • Security breaches caused by our negligence

You will indemnify us against claims arising from:

  • Your violation of data protection laws

  • Your failure to obtain necessary consents

  • Inaccurate or unlawful instructions

  • Your breach of this DPA

10.3 Regulatory Cooperation

Both parties will:

  • Cooperate with data protection authorities

  • Provide requested information and documentation

  • Attend hearings and meetings when required

  • Implement remedial measures as directed

11. JURISDICTION-SPECIFIC PROVISIONS

11.1 Mexico-Specific Terms

LFPDPPP Compliance:

  • We act as "Encargado" (processor) under Mexican law

  • You remain the "Responsable" (controller) of personal data

  • Cross-border transfers comply with LFPDPPP Article 37

  • We maintain registers required by LFPDPPP Article 63

INAI Cooperation:

  • We will cooperate with INAI investigations

  • Provide requested documentation in Spanish when required

  • Attend hearings in Mexico when necessary

  • Implement INAI orders and recommendations

11.2 US-Specific Terms

CCPA/CPRA Compliance:

  • We act as "Service Provider" under California law

  • We will not sell personal information received from you

  • We will not retain, use, or disclose personal information for purposes other than providing services

  • We will assist with consumer rights requests

State Law Variations:

  • We comply with Virginia CDPA requirements

  • We meet Colorado CPA obligations

  • We adhere to Connecticut CTDPA provisions

  • We adapt to emerging state privacy laws

12. TERMINATION

12.1 Termination of DPA

This DPA terminates automatically upon termination of the Terms of Service.

12.2 Data Return or Deletion

Upon termination, we will:

  • Stop processing personal data immediately

  • Return or delete personal data as you instruct

  • Provide 30 days for data export

  • Confirm deletion in writing upon request

  • Retain only data required by law

12.3 Survival

The following provisions survive termination:

  • Confidentiality obligations

  • Data deletion confirmations

  • Audit rights for completed processing

  • Indemnification obligations

  • Liability limitations

13. AMENDMENTS AND UPDATES

13.1 DPA Modifications

We may update this DPA to:

  • Reflect changes in data protection laws

  • Address new regulatory requirements

  • Improve data protection practices

  • Clarify existing provisions

13.2 Notification Process

Material changes will be communicated through:

  • Email notifications to account administrators

  • In-platform notifications

  • Website posting with 30 days' advance notice

  • Direct communication for significant changes

13.3 Acceptance

Continued use of AuraConnect after DPA updates constitutes acceptance of the new terms.

14. CONTACT INFORMATION

14.1 Data Protection Officer

Primary Contact:

  • Email: dpo@aurachat.ai

  • Phone: [Primary Phone Number]

Mexico DPO:

  • Email: privacidad@aurachat.ai

  • Phone: [Mexico Phone Number]

  • Address: [Mexico Office Address]

US Privacy Officer:

  • Email: privacy@aurachat.ai

  • Phone: [US Phone Number]

  • Address: [US Office Address]

14.2 Legal and Compliance

  • Email: legal@aurachat.ai

  • Website: https://auraconnect.ai/legal

14.3 Security Incidents

  • Email: security@aurachat.ai

  • Phone: [24/7 Security Hotline]

ANNEX A: TECHNICAL AND ORGANIZATIONAL MEASURES

A.1 Access Control Measures

  • Multi-factor authentication for all user accounts

  • Role-based access controls with principle of least privilege

  • Regular access reviews and deprovisioning procedures

  • Secure authentication protocols and session management

A.2 Data Encryption

  • AES-256 encryption for data at rest

  • TLS 1.3 for data in transit

  • End-to-end encryption for sensitive communications

  • Encrypted database connections and API calls

A.3 Physical Security

  • SOC2-compliant data center facilities

  • 24/7 physical security monitoring

  • Biometric access controls

  • Environmental controls and disaster recovery

A.4 Network Security

  • Web application firewalls and intrusion detection

  • Network segmentation and micro-segmentation

  • Regular vulnerability scanning and penetration testing

  • DDoS protection and traffic monitoring

A.5 Data Backup and Recovery

  • Automated daily backups with encryption

  • Geographically distributed backup storage

  • Regular restore testing procedures

  • Business continuity and disaster recovery plans

ANNEX B: SUB-PROCESSOR LIST

Sub-processor            Service                  Safeguards
---------------------    ---------------------    ----------------------------------------
Amazon Web Services      Cloud Infrastructure     AWS DPA, Standard Contractual Clauses
Google Cloud Platform    AI/ML Processing         Google Cloud DPA, Certifications
Microsoft Azure          Integration Services     Microsoft DPA, Privacy Shield Successor
Stripe                   Payment Processing       Stripe DPA, PCI DSS Compliance
SendGrid                 Email Services           Twilio DPA, Standard Contractual Clauses
Twilio                   Communications           Twilio DPA, SOC2 Certification

This Data Processing Agreement is effective as of the date specified above and forms an integral part of the AuraConnect Terms of Service.