Scope & roles
This Data Processing Agreement (the “DPA”) supplements the Terms of Service between you (the “Client” or “Controller”) and Live Agents (the “Processor”) and applies whenever the Processor processes Personal Data on the Controller’s behalf in connection with the Services.
Capitalized terms not defined here have the meanings given in Article 4 of the EU GDPR or the equivalent provisions of the UK GDPR, the California Consumer Privacy Act, the Philippines Data Privacy Act of 2012, or other applicable Data Protection Laws.
Subject matter & details of processing
- Subject matter: Provision of staffing, training, dashboard, and supervised work environment Services as described in the Terms.
- Duration: For the term of the Services and any post-termination assistance period required by law.
- Nature & purpose: Storage, transmission, hosting, structuring, monitoring, supervision, billing, and quality oversight of work performed by contractors on the Controller's behalf.
- Categories of data subjects: Controller's employees, contractors, customers, prospects, and any other individuals whose personal data is shared with a contractor for the purpose of the Engagement.
- Categories of personal data: Identification data; contact data; CRM and customer-record data; communications metadata; usage and activity data; any additional categories the Controller chooses to share with the Engagement.
- Special categories: Only if the Controller specifically configures the Engagement to involve them and notifies the Processor in writing in advance.
Processor obligations
- Process Personal Data only on documented instructions from the Controller, including in respect of international transfers, except where required by applicable law.
- Ensure that personnel and contractors authorized to process Personal Data are bound by written confidentiality obligations.
- Implement appropriate technical and organizational measures (see Section 6) to ensure a level of security appropriate to the risk.
- Engage sub-processors only under the conditions set out in Section 5.
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligation to respond to data-subject requests.
- Assist the Controller in ensuring compliance with security, breach-notification, impact-assessment, and prior-consultation obligations.
- At the Controller’s choice, delete or return all Personal Data after termination, and delete copies unless retention is required by law.
Controller obligations
- Establish and maintain a lawful basis for the processing it instructs the Processor to perform.
- Provide instructions in writing through the dashboard, signed orders, or recorded communications. Verbal instructions must be confirmed in writing within a reasonable time.
- Configure the Services lawfully, including monitoring features, screenshot frequency, retention, and any special categories of data.
- Maintain its own records of processing as required by applicable law.
Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed below to perform aspects of the Services. The Processor remains responsible for the acts and omissions of its sub-processors.
- AWS / Vercel: Hosting and edge delivery of the website and dashboard. United States.
- Supabase: Managed Postgres, authentication, and storage backing the application. United States.
- Stripe: Payment processing and PCI-DSS scope. United States.
- Resend: Transactional email delivery. United States.
- Cloudflare: DNS, caching, WAF, and DDoS mitigation. Global edge.
- Sentry: Application error monitoring with PII scrubbing. United States.
The Processor will provide at least thirty (30) days’ prior notice through the dashboard or by email of the addition or replacement of any sub-processor. The Controller may object to a new sub-processor for legitimate data-protection reasons, in which case the parties will work in good faith to find an alternative; if none is reasonably available, the Controller may terminate the affected Services for convenience.
Security measures
The Processor implements at least the following measures, which may be updated to reflect industry practice provided overall protection is not diminished:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 for primary data stores and screenshot buckets).
- Strong authentication (MFA mandatory for all administrative consoles), least-privilege access, and just-in-time elevation for production access.
- Centrally managed, full-disk-encrypted, MDM-enrolled work devices for all contractors. Personal devices may not access Engagement data.
- Network segmentation, WAF, IDS, and routine vulnerability scanning. Annual third-party penetration testing.
- Logging and monitoring of administrative and supervisor access, including ghost-mode views, with retention for security and audit.
- Documented incident-response plan with named owners and tabletop drills at least annually.
- Written information-security program reviewed at least annually by senior management.
International transfers
Where the transfer of Personal Data outside the Controller’s jurisdiction would otherwise be prohibited, the parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor), approved by the European Commission and adapted for the United Kingdom by the IDTA, are incorporated by reference and form part of this DPA. For transfers governed by the Philippines Data Privacy Act, the parties rely on Section 21 of the Act and NPC Circular 20-01 on data sharing.
Personal data breach
The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller’s data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Breach notices are provided as preliminary information and updated as the investigation progresses; they do not constitute an admission of fault.
Data-subject rights & assistance
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligations to respond to requests from data subjects to exercise their rights under Data Protection Laws. The Processor will redirect any data-subject requests it receives directly to the Controller without responding on the merits, except as required by law.
Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable advance notice (no fewer than thirty (30) days), confidentiality, and not more than once per twelve-month period unless required by a regulator.
Return & deletion of data
On termination of the Services, the Processor will, at the Controller’s choice, delete or return all Personal Data and delete existing copies, unless storage is required by Union or Member State law or the law of the relevant jurisdiction. Where deletion is not technically feasible (for example, in encrypted backups), the Processor will isolate the data, prevent further processing, and delete it in line with its backup-rotation schedule.
Liability & precedence
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this DPA varies the allocation of risk under the Terms.
In case of conflict, this DPA prevails over the Terms in respect of the processing of Personal Data; the Standard Contractual Clauses prevail over this DPA in respect of cross-border transfers governed by them.
Contact
For DPA matters, including breach notices and data-subject requests, write to info@liveagents.io.
Email info@liveagents.io and we'll route you to the right person — Trust & Safety, Privacy, Legal, or DPO — within one business day.