DRAFT — pending legal review

This page is a starting draft written from standard B2B SaaS templates plus Adoomi-specific facts. It has NOT been reviewed by a qualified lawyer or a paid legal-template service. Do not rely on it for compliance until the draft banner is removed. Karim is in the process of engaging counsel (or a service like Termly / iubenda) to sign these off.

Data Processing Agreement

DPA for customers acting as data controller

Last updated: 18 May 2026

Adoomi acts as a data processor on behalf of customers (data controllers) for end-user chat traffic and any personal data customers upload to bots they configure. We provide a standard Data Processing Agreement (DPA) that, when signed, forms part of the agreement between Adoomi and the customer.

The DPA covers GDPR Art 28 requirements: subject matter, duration, nature and purpose, type of data, categories of data subjects, controller obligations + rights, sub-processor rules, security measures, breach notification, data subject rights assistance, audit rights, and end-of-service data return / deletion.

How to get the DPA

The DPA template lives outside this site (as a Word document customers can review and counter-sign). Email legal@adoomi.ai with subject “DPA request” and we’ll send the current version (typically within 1 business day). Include your legal entity name + jurisdiction so we can fill out the parties section before sending.

A self-serve PDF download is on the roadmap.

What's referenced in the DPA

The DPA cross-references three public documents on this site:

  • Sub-processor list — Annex of authorised sub-processors and change-notification process.
  • Security Overview — Annex of technical and organisational measures (TOMs).
  • Privacy Policy — General data-handling policy; the DPA supersedes it for processor-mode processing.

International transfers

Where the DPA permits transfers outside the EEA, transfers rely on the EU Commission’s Standard Contractual Clauses (Module 3 for processor-to-processor where applicable) and, where available, the EU-US Data Privacy Framework. Specific transfer mechanisms per sub-processor are listed in the sub-processor annex.

Audit rights

The DPA grants the customer audit rights consistent with GDPR Art 28(3)(h). Audits are coordinated through legal@adoomi.ai and follow our standard process: SOC 2 / ISO 27001 reports (once available) under NDA satisfy most enterprise audit obligations; site visits coordinated for material customers where reasonable.