Data Processing Addendum (DPA)

1. Overview

This Data Processing Addendum ("DPA") governs Lovisoft’s processing of personal data on behalf of Customer in connection with the provision of Telegram CRM AI services available at crmsolid.com and app.crmsolid.com, and forms part of the Terms of Service.

Capitalized terms not defined in this DPA have the meanings set out in the Terms of Service.

2. Definitions

• "Controller", "Processor", "Data Subject", "Personal Data", "Processing" have the meanings in GDPR Article 4
• "Customer Data" means Personal Data submitted to the Service by or on behalf of Customer
• "Subprocessor" means any Processor engaged by Lovisoft to process Customer Data

3. Roles & Responsibilities

• Customer is the Controller of Customer Data; Lovisoft is the Processor
• Customer determines the purposes and means of processing Customer Data
• Lovisoft processes Customer Data only on documented instructions from Customer

4. Scope of Processing

• Subject Matter: Provision of Telegram CRM AI services
• Duration: For the subscription term and 30 days thereafter for export
• Nature and Purpose: Hosting, storage, messaging automation, analytics, support
• Categories of Data: Contacts, messages, identifiers, usage logs
• Data Subjects: Customer’s end-users, leads, and contacts

5. Security Measures

Lovisoft implements appropriate technical and organizational measures, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Access controls, least privilege, and MFA
• Network segmentation and firewalling
• Regular security assessments and penetration testing
• Employee training and confidentiality obligations

6. Subprocessors

Customer authorizes the use of Subprocessors for the delivery of the Service. The current list of Subprocessors is available at/subprocessors. Lovisoft will provide notice of material changes and allow objections where required by law.

7. International Transfers

Where Customer Data is transferred outside the EEA/UK, Lovisoft uses appropriate safeguards, including Standard Contractual Clauses (SCCs) and supplementary measures. Primary data processing is in the European Union (Frankfurt, Germany).

8. Data Subject & Supervisory Authority Assistance

• Lovisoft assists Customer in fulfilling data subject requests (access, deletion, etc.)
• Lovisoft assists with DPIAs and consultations with supervisory authorities as required

9. Incident Management & Breach Notification

• Lovisoft maintains an incident response program
• Lovisoft notifies Customer without undue delay after becoming aware of a Personal Data Breach
• Lovisoft provides information reasonably required for Customer’s notifications

10. Data Retention & Deletion

• Customer Data is retained for the subscription term
• Upon termination or request, Lovisoft deletes Customer Data within 30 days unless legally required to retain
• Backups roll off within 90 days

11. Audit & Compliance

• Upon request, Lovisoft provides available audit reports and security documentation
• Customer may conduct audits up to once per year with reasonable notice and scope
• Audits are subject to confidentiality and may be satisfied by third-party certifications

12. Termination

• This DPA terminates automatically upon termination of the Terms of Service
• Obligations that by their nature should survive, will survive (e.g., confidentiality)

13. Contact & Notices