Data Processing Addendum

Effective: February 16, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Rovixal ("Processor") and the customer ("Controller") and applies to the processing of personal data by Rovixal on behalf of the Controller under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • "Sub-processor" means any third party engaged by Rovixal to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data through the Service. Rovixal acts as a Processor, processing Personal Data only on documented instructions from the Controller, except where required by applicable law.

Categories of Personal Data processed may include: names, email addresses, IP addresses, browser information, chat conversation content, and any data uploaded to the knowledge base.

3. Processing Instructions

Rovixal shall process Personal Data only in accordance with documented instructions from the Controller, including:

  • Providing the AI-powered chatbot service and related features
  • Storing and indexing knowledge base content for retrieval
  • Processing chat conversations and generating AI responses
  • Providing analytics and reporting on chatbot performance
  • Maintaining system security and preventing abuse

4. Security Measures

Rovixal implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Access controls and authentication requirements
  • Regular security assessments and penetration testing
  • Employee security awareness training
  • Incident detection and response procedures
  • Regular backups and disaster recovery capabilities

5. Sub-processors

Rovixal uses the following categories of sub-processors:

  • Cloud infrastructure: Amazon Web Services (AWS) — US/EU regions
  • AI model providers: OpenAI — for natural language processing
  • Payment processing: Stripe — for billing and subscription management
  • Authentication: Clerk — for user identity and authentication
  • Email delivery: Resend — for transactional emails

Rovixal will notify the Controller before adding or replacing sub-processors, providing the Controller an opportunity to object. All sub-processors are bound by data processing agreements with equivalent obligations.

6. Data Subject Rights

Rovixal will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

Data Subjects may contact the Controller directly, or reach Rovixal at privacy@rovixal.com.

7. Data Breach Notification

Rovixal will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:

  • The nature of the breach and categories of data affected
  • The approximate number of Data Subjects and records concerned
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Rovixal ensures that appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) for transfers to third countries
  • UK International Data Transfer Addendum where applicable
  • Transfer impact assessments for each destination country

9. Data Retention and Deletion

Upon termination of the Service or upon the Controller's request, Rovixal will delete or return all Personal Data within 30 days, unless retention is required by applicable law. The Controller may export their data at any time through the Service dashboard.

10. Audit Rights

Rovixal will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections. Audits shall be conducted with reasonable notice and during normal business hours.

11. Contact

For questions about this DPA or data processing practices, contact our Data Protection team:

privacy@rovixal.com