Data Processing Agreement
Last updated: April 2026 · Applies to customers processing EU/UK personal data
Plain-language summary
When you use AskOrac to handle your end users' personal data, this agreement is the GDPR/UK-GDPR contract between us. We process data only on your instructions, encrypt everything in transit and at rest, isolate your project from every other customer at the database level, delete data within 30 days of account termination, and notify you within 72 hours if anything goes wrong. The full clauses are below. For a counter-signed PDF copy, email hello@askorac.com.
1. Scope and Parties
This Data Processing Agreement (DPA) forms part of the AskOrac Terms of Service and applies whenever AskOrac (operated by Webeons Technologies, the 'Processor') processes personal data on behalf of a customer (the 'Controller') as part of providing the AskOrac service. It is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and the UK GDPR for customers who process personal data of EU/UK data subjects.
2. Subject Matter and Duration of Processing
AskOrac processes personal data submitted by the Controller (documents and content uploaded for training) and by the Controller's end users (visitors interacting with the embedded chat widget) for the purpose of providing AI chatbot services. Processing continues for the duration of the Controller's active subscription and for up to 30 days after termination, after which all personal data is permanently deleted unless legal retention obligations apply.
3. Nature and Purpose of Processing
Personal data is processed to: (a) train the Controller's chatbot on supplied content, (b) respond to end-user queries via retrieval-augmented generation, (c) record conversation history for the Controller's analytics and review, (d) capture leads when the Controller has enabled that feature, and (e) surface knowledge gaps and quality signals in the Intelligence dashboard. Processing is performed only on documented instructions from the Controller, which are deemed given through the Controller's use of the product's configuration surfaces.
4. Categories of Data Subjects and Data
Data subjects include the Controller's end users (website visitors) and the Controller's own team members (dashboard users). Categories of personal data may include: email addresses (collected only when the Controller enables lead capture), names, IP addresses, conversation transcripts, page URLs visited, and any content the end user volunteers in chat. AskOrac does not require — and actively discourages — submission of special-category data (health, biometric, political opinion, etc.) into chat conversations.
5. Obligations of the Processor
AskOrac commits to: (a) process personal data only on the Controller's documented instructions, (b) ensure all personnel with access are subject to confidentiality obligations, (c) implement appropriate technical and organisational security measures (see the Security Measures section below), (d) assist the Controller with responding to data subject rights requests, (e) assist with breach notification, impact assessments, and regulator consultations, (f) delete or return personal data at the end of the service, at the Controller's choice, and (g) make available the information necessary to demonstrate compliance and contribute to audits.
6. Sub-processors
AskOrac uses the following sub-processors to deliver the service: Supabase (Postgres database, authentication, pgvector, storage — US and EU regions), Vercel (hosting and edge network — global), Resend (transactional email — US), Razorpay (payment processing — India), OpenAI, Anthropic, and Google (LLM inference when processing queries — US). Each sub-processor is bound by a data processing agreement at least as protective as this DPA. AskOrac will give the Controller reasonable notice before adding or replacing a sub-processor.
7. International Data Transfers
Where personal data of EU/UK data subjects is transferred outside the EU/UK, such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as applicable. The Controller may request a copy of the executed SCCs by emailing hello@askorac.com. Controllers subject to the EU AI Act should review the LLM sub-processors' data handling terms directly, since inference providers' practices continue to evolve.
8. Security Measures
Technical measures include: TLS 1.2+ for all data in transit, AES-256 encryption at rest (Supabase-managed), row-level security for complete per-project data isolation, separately-encrypted BYOK API keys that are never retrievable after initial entry, rate limiting and abuse protection, and comprehensive audit logging. Organisational measures include role-based access control, principle-of-least-privilege for engineering access, annual security reviews, and incident response procedures. Details are maintained on the /security page.
9. Data Subject Rights
The Controller is responsible for responding to data subject rights requests. AskOrac provides the technical means to fulfil these requests: in-dashboard export of all project data, programmatic deletion of specific conversations or sources, and permanent account deletion with 30-day finalisation. For requests AskOrac cannot fulfil through self-serve tools, the Controller may email hello@askorac.com and AskOrac will respond within 30 days.
10. Personal Data Breach Notification
AskOrac will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting the Controller's data. The notification will include the nature of the breach, affected data categories and approximate number of data subjects, likely consequences, and measures taken or proposed. The Controller is responsible for onward notifications to regulators and data subjects as required by applicable law.
11. Return or Deletion of Data
Upon termination of the service, the Controller may export all data via the dashboard for up to 30 days. After that window, AskOrac permanently deletes all personal data from active systems within 7 days, and from backups within the subsequent backup rotation cycle (not exceeding 90 days total). Written confirmation of deletion is available on request.
12. Audits
The Controller may request information reasonably necessary to demonstrate AskOrac's compliance with this DPA once per 12-month period, or more frequently following a personal data breach. AskOrac will respond in writing within 30 days. Requests for on-site audits will be considered in good faith but require mutual agreement on scope, timing, and reasonable cost-sharing, and must be conducted under confidentiality.
13. Liability and Conflict
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding processing of personal data, this DPA prevails. Any terms not defined here inherit their meaning from the Terms of Service.
14. Acceptance and Contact
By using the AskOrac service while processing personal data of EU/UK data subjects, the Controller accepts this DPA. Controllers requiring a counter-signed copy for their compliance records may email hello@askorac.com with their legal entity name and address — AskOrac will return an executed PDF within 5 business days. For data-protection questions: hello@askorac.com. AskOrac is a product of Webeons Technologies.
Note: This DPA is a reasonable starting position based on common industry practice. For customers with specific compliance requirements (healthcare, financial services, government), we are happy to negotiate bespoke terms. AskOrac is not yet SOC 2 certified — that audit is planned for a future milestone. This DPA does not constitute legal advice; customers should review with their own counsel before relying on it for compliance purposes.