Data Processing Agreement
Between:
- Data Controller: The customer ("you", "Controller") who operates a Cloop account
- Data Processor: ROFFI Oy ("we", "us", "Cloop", "Processor"), Business ID 1234567-8, Vantaa, Finland
Effective date: Upon acceptance of the Cloop Terms of Service
This Data Processing Agreement ("DPA") supplements the Cloop Terms of Service and governs our processing of personal data on your behalf when visitors interact with the Cloop chat widget on your website(s).
1. Definitions
- Personal Data, Processing, Data Subject, and Supervisory Authority have the meanings given in the GDPR (Regulation (EU) 2016/679).
- Service Data means personal data processed by Cloop on behalf of the Controller through the Widget and dashboard.
- Subprocessor means a third party engaged by the Processor to process Service Data.
2. Scope and Roles
2.1 Your Role (Data Controller)
You determine the purposes and means of processing visitor personal data collected through the Widget on your website. You are responsible for:
- Your legal basis for collecting visitor data (consent, legitimate interest, etc.)
- Informing visitors about data processing (via your privacy policy)
- Responding to data subject requests from your visitors
- Ensuring the data you collect complies with applicable laws
2.2 Our Role (Data Processor)
We process Service Data only on your documented instructions (i.e., your use of the Cloop platform features) and as described in this DPA. We do not determine the purposes of processing visitor data.
3. Categories of Data and Data Subjects
3.1 Data Subjects
- Visitors to your website who interact with the Cloop chat widget
- Leads who voluntarily provide their email address through the widget
3.2 Categories of Personal Data
| Category | Examples |
|---|---|
| Contact information | Email address (when voluntarily provided) |
| Communication content | Chat messages, questions asked |
| Technical identifiers | Random visitor UUID (generated, not linked to identity), entry page URL |
| Behavioral data | Session timestamps, conversation phase, message count, lead status |
| System-generated metadata | AI confidence scores, knowledge base content references |
3.3 Sensitive Data
The Widget is not designed to collect special categories of personal data (Article 9 GDPR). You must not configure the Widget to solicit health, financial, political, religious, or biometric data. If a visitor voluntarily shares such information in chat, it will be stored in the conversation history. You may delete such sessions through the dashboard.
4. Our Obligations
4.1 Processing Instructions
We process Service Data only:
- As necessary to provide the Cloop service as described in the Terms of Service
- In accordance with your documented instructions through the platform (e.g., configuring the Widget, setting up lead capture)
- As required by applicable EU or Finnish law (in which case we will inform you, unless prohibited by law)
If we believe an instruction from you violates GDPR, we will inform you.
4.2 Confidentiality
All personnel authorized to process Service Data are bound by confidentiality obligations.
4.3 Security Measures
We implement appropriate technical and organizational measures as described in our Privacy Policy (Section 8) and Security Overview, including:
- TLS encryption for all data in transit
- Multi-tenant database isolation (all queries scoped by tenant/site)
- Parameterized queries preventing injection attacks
- Role-based access control with token-based authentication
- Input validation and SSRF protection
- Multi-tier rate limiting and abuse prevention
- Infrastructure hardening (mandatory access control, firewall, hardened service configuration)
- Structured audit logging
- Regular security assessments
4.4 Subprocessors
We use the subprocessors listed in our Subprocessor List. We will:
- Notify you at least 30 days before adding a new subprocessor (via email or dashboard notification)
- Ensure each subprocessor is bound by data protection obligations no less protective than this DPA
- Remain liable for the acts of our subprocessors
If you object to a new subprocessor, you may terminate the affected service within 30 days of notification. We will work with you to find an alternative where commercially reasonable.
4.5 Data Subject Requests
If we receive a request from one of your visitors (data subject request), we will:
- Promptly notify you (unless prohibited by law)
- Not respond to the request directly (unless you instruct us to)
- Provide reasonable assistance to help you fulfill the request
Through the dashboard, you can:
- View and export session/conversation data
- Delete individual sessions, leads, or all data for a visitor
- Export lead data
4.6 Data Breach Notification
If we become aware of a personal data breach affecting Service Data, we will:
- Notify you without undue delay (and in any event within 48 hours of becoming aware)
- Provide details: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
- Cooperate with your breach notification obligations under GDPR Article 33/34
4.7 Data Protection Impact Assessment
If you need to conduct a Data Protection Impact Assessment (DPIA) related to your use of Cloop, we will provide reasonable assistance and information about our processing activities.
4.8 Audit Rights
You may audit our compliance with this DPA by:
- Requesting our most recent security assessment or audit report
- Sending written questions about our data processing practices (we will respond within 30 days)
- Conducting an on-site or remote audit with reasonable notice (at your expense), limited to once per year unless required by a supervisory authority
We are a small team (three people), so we ask that audit requests be proportionate and coordinated in advance.
5. International Transfers
All Service Data is processed within the EU/EEA:
- Application servers: Hetzner Online GmbH, Helsinki, Finland
- AI inference: Nebius B.V., EU data centers
- No Service Data is transferred outside the EU/EEA
If this changes, we will notify you and ensure appropriate safeguards (Standard Contractual Clauses or adequacy decision) are in place before any transfer.
6. Data Retention and Deletion
6.1 During the Agreement
Service Data is retained for as long as your account is active, unless you delete specific data earlier through the dashboard.
6.2 Upon Termination
When you delete your account or terminate the service:
- We will delete all Service Data within 30 days
- We will confirm deletion upon request
- Backup copies (if any) will be deleted within 90 days
6.3 Legal Retention
If we are required by law to retain certain data beyond these periods, we will inform you and limit processing to what is legally required.
7. AI Processing Specifics
7.1 How AI Processes Visitor Data
When a visitor sends a chat message, the following happens:
- The message text is used to search your knowledge base (vector similarity search, processed locally on our server)
- The message text and relevant content chunks are sent to the Nebius AI API for response generation
- The AI-generated response is streamed back to the visitor
- The conversation (question + answer) is stored in our database
7.2 Data Sent to AI Provider
We send to Nebius AI:
- The visitor's message text
- Retrieved content chunks from your knowledge base
- System instructions (language, persona settings)
- Recent conversation history from the current session
We do not send:
- Visitor email addresses
- Visitor identifiers
- Any data beyond what is needed to generate the response
7.3 AI Provider Commitments
Nebius AI Studio does not use API inputs/outputs for model training. Their processing is transient — data is not stored after response generation.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits either party's liability for GDPR fines or penalties imposed directly on that party by a supervisory authority.
9. Duration and Termination
This DPA is effective for the duration of your use of Cloop and terminates automatically when your account is deleted and all Service Data has been removed per Section 6.
10. Governing Law
This DPA is governed by the laws of Finland. Disputes shall be resolved as specified in the Terms of Service.
11. Contact
For data protection questions related to this DPA:
ROFFI Oy
Vantaa, Finland
Email: privacy@cloop.io
Finnish Data Protection Authority (Supervisory Authority):
Tietosuojavaltuutetun toimisto
https://tietosuoja.fi/en