Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller

Party:The Supplo customer (the business entity or individual that has agreed to the Supplo Terms of Service)

Role:Data Controller

Referred to as:"Controller" or "Customer"

Data Processor

Party:Supplo, Inc.

Role:Data Processor

Contact:support@supplo.io

Referred to as:"Processor" or "Supplo"

This DPA is incorporated into and forms part of the Supplo Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to privacy and data protection matters.

2. Subject Matter and Duration

This DPA governs the processing of personal data by Supplo in its capacity as processor on behalf of the Customer in connection with the provision of the Supplo customer support platform (the "Service").

This DPA commences on the date the Customer agrees to the Terms of Service and remains in effect for as long as Supplo processes personal data on behalf of the Customer. Upon termination, the provisions of Section 9 (Return and Deletion) shall apply.

3. Nature and Purpose of Processing

Supplo processes personal data for the following purposes, strictly as instructed by the Customer:

Storing and transmitting customer support conversations initiated by the Controller's end-users via the Supplo embeddable widget
Routing, assigning, and managing conversations within the Controller's inbox
Sending notifications and automated replies as configured by the Controller
Providing the Controller with access to conversation history, analytics, and reporting
Maintaining the technical operation, security, and availability of the Service

Supplo shall not process personal data for any other purpose without the prior written consent of the Controller, except where required by applicable law.

4. Categories of Data Subjects and Personal Data

The personal data processed under this DPA relates to the following categories of data subjects and data types:

Data Subjects

End-users:Visitors to the Controller's website(s) who initiate or receive communications via the Supplo widget

Agent users:Employees and contractors of the Controller who access the Supplo inbox

Categories of Personal Data

Identifiers:Name, email address, and any other identifiers provided in conversation or by the Controller via API

Communications:The content of chat messages, including any attachments or files shared

Technical data:IP address, browser type, operating system, referrer URL, session identifiers

Custom attributes:Any additional data fields passed by the Controller via the Supplo widget API (e.g., user ID, account plan, custom tags)

The Controller is responsible for ensuring that the categories of personal data it collects and transmits to Supplo are appropriate and lawfully obtained.

5. Processor Obligations

Supplo, as processor, agrees to:

Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to third countries
Ensure that authorised personnel are bound by appropriate confidentiality obligations
Implement appropriate technical and organisational security measures as described in Section 7
Respect the conditions for engaging sub-processors (see Section 6)
Assist the Controller in fulfilling data subject rights requests within the Service's technical capabilities
Assist the Controller in meeting its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs)
Delete or return all personal data upon termination of the Service, as per the Controller's choice
Make available all information necessary to demonstrate compliance with this DPA and allow for audits

6. Sub-processors

The Controller provides general written authorisation for Supplo to engage sub-processors for the processing activities described in this DPA. Supplo will inform the Controller of any intended changes to sub-processors with at least 30 days' advance notice, giving the Controller the opportunity to object.

Current sub-processors are listed below. All sub-processors are bound by data processing agreements that impose equivalent data protection obligations to those in this DPA.

Sub-processor	Purpose	Location	Privacy Policy
Hetzner Online GmbH	Cloud infrastructure hosting (VPS servers, storage)	Germany (EU)	hetzner.com
Stripe, Inc.	Payment processing and billing	United States (SCCs in place)	stripe.com
Postmark (ActiveCampaign)	Transactional email delivery (alerts, notifications)	United States (SCCs in place)	postmarkapp.com

7. Security Measures

Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, Supplo implements the following technical and organisational measures to ensure an appropriate level of security:

Encryption in transit: All data transmitted between users and the Supplo platform is encrypted using TLS 1.3
Encryption at rest: Data stored on servers is encrypted using AES-256
Access control: Role-based access controls (RBAC) restrict access to personal data to authorised personnel only. All internal access is logged
Network security: Firewalls, VPN access for administrative operations, and regular vulnerability scanning
Infrastructure: Hosted on Hetzner's ISO 27001-certified data centres in Germany
Backup and recovery: Regular automated backups with defined recovery time objectives
Incident response: A documented incident response plan is maintained and tested periodically
Personnel training: All personnel with access to personal data receive data protection training

For full details, see our Security page.

8. Data Subject Rights Assistance

Where a data subject exercises their rights under the GDPR directly with Supplo, we will promptly notify the Controller and provide reasonable assistance to enable the Controller to respond. The Controller remains responsible for responding to all data subject rights requests relating to data processed through the Service.

Supplo provides tools within the dashboard to assist with data subject requests, including conversation export (data portability) and conversation deletion (erasure).

9. Return and Deletion of Data

Upon termination of the Service or upon the Controller's written request, Supplo will, at the Controller's election:

Return all personal data to the Controller in a machine-readable format (JSON or CSV export)
Securely delete all personal data and certify in writing that deletion has been completed

Requests for data return must be made within 30 days of account termination. After this period, Supplo will proceed with secure deletion. Supplo may retain personal data to the extent required by applicable law, for the minimum period required and only to the extent necessary.

10. Audit Rights

Supplo will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits (or commission a third-party auditor) of Supplo's data processing practices, subject to: (a) providing at least 30 days' advance written notice; (b) audits being conducted during normal business hours with minimal disruption; (c) the auditor agreeing to appropriate confidentiality obligations; and (d) audits occurring no more frequently than once per calendar year, unless there is a specific cause for concern.

In lieu of on-site audits, Supplo may, at its discretion, provide current third-party audit reports (e.g., SOC 2 Type II) or security certifications as a means of satisfying audit requests.

Request a countersigned DPA

Need a signed copy of this DPA for your compliance records? We'll turn it around in 2 business days.

Email Us to Request