Avelto

Data Processing Agreement (DPA)

Last updated: 2026-05-04

This Data Processing Agreement ("DPA") forms part of the agreement between the customer (the "Controller") and Avelto Sp. z o.o. (the "Processor") for the provision of services that involve the processing of personal data.

1. Subject matter and duration

The Processor will process personal data on behalf of the Controller solely for the purpose of providing the services described in the main agreement. This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller.

2. Nature and purpose of processing

The Processor will process personal data to:

  • Operate the chat-widget and conversation history features
  • Generate AI-assisted responses based on the Controller's configuration
  • Capture leads and conversation transcripts on the Controller's behalf
  • Provide analytics, exports, and audit-log functionality

3. Categories of data

  • Contact details of end-users (name, email, phone, where provided)
  • Conversation content
  • Technical metadata (IP, user-agent, timestamps)
  • Operator user identifiers and audit-log entries

4. Categories of data subjects

End-users of the Controller's services (visitors, customers, leads), and operator users invited by the Controller.

5. Data residency

Personal data is hosted in the EU region. Cross-border transfers, where required, rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Sub-processors

The Processor may engage sub-processors. A current list is available upon request to hello@avelto.pl. The Processor remains responsible for the acts and omissions of its sub-processors.

7. Security measures

The Processor implements industry-standard technical and organisational measures, including:

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest for sensitive fields (API keys, integration credentials)
  • Role-based access control with audit logging
  • Multi-factor authentication for operator accounts
  • Regular backups and tested disaster-recovery procedures

8. Retention

Personal data is retained for 30 days by default and is deleted or anonymised after that period unless the Controller configures a different retention period or applicable law requires otherwise.

9. Data subject rights

The Processor will assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, objection) within the timeframes required by applicable law. Requests should be sent to hello@avelto.pl.

10. Audits

Upon reasonable notice and not more than once per calendar year, the Controller may audit the Processor's compliance with this DPA. The Processor will make available the information necessary to demonstrate compliance.

11. Breach notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal-data breach, providing all information reasonably required for the Controller to comply with its own notification obligations.

12. Termination

Upon termination of the main agreement, the Processor will, at the Controller's option, delete or return all personal data, and delete existing copies unless storage is required by law.

13. Contact

Questions about this DPA should be directed to hello@avelto.pl.


Processor entity: Avelto Sp. z o.o.

© 2026 Avelto · All rights reserved.
