Last updated: May 13, 2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service or other written or electronic agreement between Salesgroup, Inc., a Delaware corporation (“Salesgroup AI”, “we”, “us” or “our”), and the customer entity identified in the applicable Order (“Customer”, “you” or “your”) for the provision of the Salesgroup AI service (the “Agreement”). This DPA governs the Processing of Personal Data by Salesgroup AI on behalf of Customer in connection with the Service. In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the Processing of Personal Data.
By accepting the Agreement, Customer also accepts this DPA on its own behalf and, to the extent required by applicable Data Protection Laws, in the name and on behalf of its Affiliates and authorized Users.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. For purposes of this DPA, the following terms have the meanings set forth below:
- “Affiliate” has the meaning given in the Agreement.
- “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Special Categories of Personal Data” have the meanings given in the GDPR. Where applicable Data Protection Laws use equivalent terms (such as “Business”, “Service Provider”, “Consumer”, and “Personal Information” under the CCPA), those terms apply with their respective meanings.
- “Customer Personal Data” means Personal Data that Salesgroup AI Processes on behalf of Customer in connection with the Service, including Personal Data contained in User Information and User Submissions.
- “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (as applicable) the GDPR, the UK GDPR, the Swiss FADP, the CCPA, the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, and all other US state comprehensive privacy laws, in each case as amended or superseded from time to time.
- “EU SCCs” means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation).
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- “Restricted Transfer” means a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision under applicable Data Protection Laws.
- “Sub-processor” means any third party engaged by Salesgroup AI to Process Customer Personal Data in connection with the Service.
- “UK IDTA” means the International Data Transfer Agreement and International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
- “UK GDPR” means the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. Roles and Scope
2.1 Roles of the Parties
With respect to Customer Personal Data, the parties acknowledge and agree that Customer is the Controller (or a Processor acting on behalf of a third-party Controller), and Salesgroup AI is the Processor. Under the CCPA, Customer is the Business and Salesgroup AI is the Service Provider. Each party will comply with its respective obligations under applicable Data Protection Laws.
2.2 Customer Responsibilities
Customer is responsible for: (a) ensuring it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to Salesgroup AI and to authorize the Processing described in this DPA; (b) providing all required notices to Data Subjects regarding the Processing of their Personal Data; (c) determining the purposes and means of Processing; (d) the accuracy, quality, and legality of Customer Personal Data; and (e) complying with all Data Protection Laws applicable to Customer in its capacity as Controller.
2.3 Subject Matter and Duration
The subject matter of the Processing is the provision of the Service as described in the Agreement. The duration of the Processing is the term of the Agreement, plus any period during which Salesgroup AI retains Customer Personal Data in accordance with Section 9 of this DPA.
2.4 Nature and Purpose of Processing
Salesgroup AI Processes Customer Personal Data for the purpose of providing, maintaining, supporting, securing, and improving the Service, including: (a) hosting and storage; (b) generating responses to end-user prompts through AI Providers; (c) authentication and access control; (d) billing and account administration; (e) technical support and troubleshooting; (f) detecting and preventing fraud, abuse, and security incidents; and (g) complying with legal obligations.
2.5 Categories of Data Subjects
Customer Personal Data may relate to the following categories of Data Subjects, as determined and controlled by Customer:
- Customer’s authorized Users, employees, contractors, and agents
- Customer’s end users, customers, prospects, and other individuals who interact with chatbots configured by Customer
- Any other Data Subjects whose Personal Data Customer chooses to submit to the Service
2.6 Categories of Personal Data
The categories of Customer Personal Data Processed under this DPA include, as determined and controlled by Customer:
| Category | Examples |
|---|---|
| Identifiers | Name, email address, username, account ID, IP address |
| Contact information | Email address, phone number (if provided) |
| Account and authentication data | Login credentials (hashed), session tokens, authentication logs |
| Chat interaction content | Messages, prompts, file uploads, and other content submitted to or generated by the Service |
| Technical and usage data | Browser type, operating system, device identifiers, log files, timestamps, feature usage events |
| Customer configuration data | Chatbot configurations, knowledge base content, integration settings |
Customer agrees not to submit to the Service any Special Categories of Personal Data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation), data relating to criminal convictions and offenses, government-issued identification numbers, full payment card numbers (handled separately by Stripe under Section 7.2), or Personal Data of children under 16 (or the applicable age of digital consent), unless Customer has obtained explicit consent and notified Salesgroup AI in writing that such categories will be Processed. Salesgroup AI provides no additional safeguards for such data absent a separate written agreement.
3. Processor Obligations
3.1 Processing on Documented Instructions
Salesgroup AI will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement (including this DPA), Customer’s use and configuration of the Service, and any additional written instructions agreed by the parties constitute Customer’s documented instructions. If Salesgroup AI is required by applicable law to Process Customer Personal Data other than on Customer’s instructions, Salesgroup AI will notify Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
3.2 No Sale or Sharing of Personal Data
Salesgroup AI will not (a) sell or share Customer Personal Data, as those terms are defined under the CCPA and equivalent US state laws; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing it for a commercial purpose other than providing the Service; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Salesgroup AI; or (d) combine Customer Personal Data with Personal Data received from or on behalf of any other person, except as permitted under the CCPA for the purpose of performing a business purpose on behalf of Customer.
3.3 No Use for Model Training
Salesgroup AI will not use Customer Personal Data to train, fine-tune, or otherwise improve any foundation model, large language model, or other generally available AI model. Salesgroup AI has configured its integrations with the AI Providers (Google LLC; Anthropic, PBC; and OpenAI, OpenCo, LLC) using API offerings under which Customer Personal Data submitted as input or generated as output is not used by the AI Providers to train their models. Salesgroup AI may use aggregated, de-identified, or anonymized data derived from Customer’s use of the Service to improve Salesgroup AI’s own products and services, provided that such data does not identify Customer, its Users, or any Data Subject and cannot reasonably be re-identified.
3.4 Confidentiality
Salesgroup AI will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and are made aware of the confidential nature of Customer Personal Data. Salesgroup AI will limit access to Customer Personal Data to personnel who need such access to perform their duties.
3.5 Cooperation and Assistance
Taking into account the nature of the Processing and the information available to Salesgroup AI, Salesgroup AI will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Data Protection Laws, including obligations relating to: (a) responding to Data Subject requests under Section 6; (b) the security of Processing under Section 4; (c) Personal Data Breach notification under Section 5; (d) data protection impact assessments; and (e) prior consultations with supervisory authorities. Salesgroup AI may charge a reasonable fee for assistance that exceeds the standard functionality of the Service.
4. Security of Processing
4.1 Technical and Organizational Measures
Salesgroup AI will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of Processing Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures include, at a minimum:
- Encryption of Customer Personal Data in transit using TLS 1.2 or higher
- Encryption of Customer Personal Data at rest using AES-256 or equivalent
- Logical access controls, including role-based access, principle of least privilege, and multi-factor authentication for administrative access
- Network security controls, including firewalls, intrusion detection, and segmentation of production environments
- Regular vulnerability scanning and timely application of security patches
- Secure software development practices, including code review and dependency management
- Logging and monitoring of access to Customer Personal Data and security-relevant events
- Regular backups and tested disaster recovery procedures
- Background checks for personnel with access to Customer Personal Data, where permitted by law
- Security awareness training for all personnel
- Incident response procedures, including a designated incident response team
- Vendor risk management procedures for Sub-processors
A current description of Salesgroup AI’s technical and organizational measures is available upon written request to [email protected]. Salesgroup AI may update these measures from time to time, provided that the updated measures do not materially diminish the overall level of security.
4.2 Certifications and Audits
Salesgroup AI is working toward SOC 2 Type II certification. Upon achievement, current attestation reports will be made available to Customer under appropriate confidentiality terms. Customer may, no more than once per calendar year and upon at least thirty (30) days’ prior written notice, request additional information reasonably necessary to demonstrate compliance with this DPA. Where Customer requires an on-site audit (and Salesgroup AI is unable to satisfy the request through existing certifications, attestations, or written responses), the audit will be conducted at Customer’s expense, during regular business hours, by mutually agreed independent third-party auditors bound by confidentiality, and in a manner that does not unreasonably interfere with Salesgroup AI’s operations or compromise the security or confidentiality of other Salesgroup AI customers’ data.
5. Personal Data Breach Notification
5.1 Notification to Customer
Salesgroup AI will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will be sent to the email address associated with Customer’s account or to such other address as Customer designates in writing.
5.2 Information Provided
To the extent the relevant information is known or reasonably available at the time of notification, Salesgroup AI will provide: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects; and (d) the contact details of a person from whom Customer can obtain further information. Where it is not possible to provide all such information at the same time, the information may be provided in phases without further undue delay.
5.3 No Acknowledgment of Liability
Salesgroup AI’s notification of, or response to, a Personal Data Breach under this Section 5 does not constitute an acknowledgment by Salesgroup AI of any fault or liability with respect to the Personal Data Breach.
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
Taking into account the nature of the Processing, Salesgroup AI will provide reasonable assistance, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests by Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of Processing, data portability, objection, and rights related to automated decision-making.
6.2 Direct Requests from Data Subjects
If Salesgroup AI receives a request directly from a Data Subject to exercise rights with respect to Customer Personal Data, Salesgroup AI will, without undue delay, forward the request to Customer (or instruct the Data Subject to contact Customer directly) and will not respond to the request itself, except as required by law or as Customer directs in writing.
7. Sub-processors
7.1 General Authorization
Customer provides general written authorization for Salesgroup AI to engage Sub-processors to Process Customer Personal Data, subject to the requirements of this Section 7.
7.2 Current Sub-processors
The Sub-processors currently engaged by Salesgroup AI to Process Customer Personal Data are:
| Sub-processor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Google LLC (Gemini) | AI model inference for chatbot responses | United States | EU SCCs / UK IDTA / EU-US DPF |
| Anthropic, PBC (Claude) | AI model inference for chatbot responses | United States | EU SCCs / UK IDTA / EU-US DPF |
| OpenAI, OpenCo, LLC (ChatGPT) | AI model inference for chatbot responses | United States | EU SCCs / UK IDTA / EU-US DPF |
| Stripe, Inc. | Payment processing and billing | United States | EU SCCs / UK IDTA / EU-US DPF |
| Google LLC (Google Cloud Platform) | Cloud hosting and infrastructure | United States (with regional options) | EU SCCs / UK IDTA / EU-US DPF |
| Railway Corp. | Application hosting and deployment infrastructure | United States | EU SCCs / UK IDTA |
| Resend, Inc. | Transactional email delivery | United States | EU SCCs / UK IDTA |
| Google LLC (Google Analytics) | Website and product analytics | United States | EU SCCs / UK IDTA / EU-US DPF |
| PostHog Inc. | Product analytics and usage tracking | United States (EU region available) | EU SCCs / UK IDTA |
Stripe is the Payment Processor referenced in the Agreement; full payment card numbers are submitted directly to Stripe and are not stored by Salesgroup AI.
7.3 Sub-processor Obligations
Salesgroup AI will: (a) enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those set out in this DPA and applicable Data Protection Laws; (b) remain liable to Customer for the acts and omissions of its Sub-processors to the same extent Salesgroup AI would be liable if performing the services directly under this DPA; and (c) conduct reasonable due diligence on each Sub-processor’s ability to provide the level of protection required by this DPA.
7.4 Changes to Sub-processors
Salesgroup AI will provide Customer with at least thirty (30) days’ prior written notice of any intended addition or replacement of a Sub-processor that will Process Customer Personal Data. Customer may object to the proposed change on reasonable data protection grounds by notifying Salesgroup AI in writing within fifteen (15) days of the notice. If Customer reasonably objects, the parties will work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service that cannot be provided without the objected-to Sub-processor, with a pro rata refund of any prepaid Fees attributable to the terminated portion for the remainder of the then-current Subscription Period.
7.5 Advertising Partners (Independent Controllers)
Salesgroup AI engages the following third parties for advertising, marketing, and audience measurement purposes in connection with its website and marketing channels (but not within the Service itself):
- Google LLC (Google Ads, Google Tag Manager, and related advertising services)
- Meta Platforms, Inc. (Facebook and Instagram advertising, including the Meta Pixel and Conversions API)
These advertising partners are not Sub-processors with respect to Customer Personal Data Processed within the Service. They act as independent or joint controllers with Salesgroup AI for limited categories of data collected from visitors to Salesgroup AI’s public marketing properties (such as IP addresses, device identifiers, cookie identifiers, page-view events, and conversion events). No Customer Personal Data submitted through the Service is shared with these advertising partners. Visitors to Salesgroup AI’s public marketing properties may opt out of advertising-related Processing as described in Salesgroup AI’s Privacy Policy and through standard browser and platform controls (including cookie consent banners where required).
8. International Transfers
8.1 Transfer Mechanisms
Customer acknowledges that Salesgroup AI and its Sub-processors are primarily located in the United States and that the provision of the Service involves transfers of Customer Personal Data to the United States and potentially to other countries. For any Restricted Transfer:
- Where the transfer is from the European Economic Area, the EU SCCs are incorporated by reference and apply, with Customer as data exporter and Salesgroup AI as data importer. Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is a Processor acting on behalf of a third-party Controller. The optional docking clause applies. Clause 7 (optional) does not apply. Clause 9(a) Option 2 applies (general written authorization, with thirty (30) days’ notice). Clause 11(a) optional language does not apply. Clause 17 Option 1 applies (governing law of Ireland). Clause 18(b) specifies the courts of Ireland. The information required by Annexes I, II, and III is provided in this DPA and the Agreement.
- Where the transfer is from the United Kingdom, the UK IDTA applies with the EU SCCs to provide UK-specific protections.
- Where the transfer is from Switzerland, the EU SCCs apply with references to the GDPR interpreted as references to the Swiss FADP, references to EU member state law interpreted as references to Swiss law, and the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner.
- To the extent Salesgroup AI is certified under the EU-US Data Privacy Framework, UK Extension, or Swiss-US Data Privacy Framework, transfers may also be made in reliance on that certification.
8.2 Supplementary Measures
Salesgroup AI has assessed the laws and practices of the United States with respect to access to Personal Data by public authorities and has determined that the technical, organizational, and contractual measures described in this DPA provide a level of protection essentially equivalent to that guaranteed within the European Economic Area. These measures include encryption in transit and at rest, access controls, transparency reporting, and a commitment to challenge overbroad government requests where lawfully possible.
9. Return and Deletion
9.1 At Termination
Upon termination or expiration of the Agreement, Salesgroup AI will, at Customer’s choice, delete or return all Customer Personal Data to Customer, and delete existing copies, unless applicable law requires storage of the Customer Personal Data. The mechanisms and timelines for return and deletion are set out in Section 5.3 of the Agreement and are supplemented by this Section 9.
9.2 Retained Copies
Salesgroup AI may retain Customer Personal Data: (a) to the extent and for the period required by applicable law; (b) in backups, which will be deleted in accordance with Salesgroup AI’s standard backup retention schedule (not to exceed 180 days from the date of deletion from production systems); and (c) in aggregated, de-identified, or anonymized form as permitted by Section 3.3. Salesgroup AI will continue to protect any retained Customer Personal Data in accordance with this DPA.
10. Liability and Indemnification
Each party’s liability under or in connection with this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes either party’s liability to a Data Subject under applicable Data Protection Laws.
11. Order of Precedence
In the event of a conflict between this DPA and the Agreement, the order of precedence will be: (1) the EU SCCs and UK IDTA (where applicable), (2) this DPA, and (3) the Agreement. In the event of a conflict between this DPA and any business terms in an Order, this DPA will prevail with respect to the Processing of Personal Data.
12. Changes to this DPA
Salesgroup AI may update this DPA from time to time to reflect changes in Data Protection Laws, the addition of new Sub-processors, or improvements to Salesgroup AI’s data protection practices, provided that no such update will materially diminish the protections afforded to Customer Personal Data under this DPA. Salesgroup AI will provide reasonable notice of any material change, including by posting the updated DPA at https://salesgroupai.com/legal/dpa and updating the “Last updated” date at the top of this DPA.
13. Governing Law and Venue
This DPA is governed by the same governing law and venue provisions set out in Section 10.10 of the Agreement (State of Delaware, USA; state or federal courts in New Castle County, Delaware), except (a) where the EU SCCs apply, in which case Clause 17 of the EU SCCs (governing law of Ireland) and Clause 18 (courts of Ireland) govern the EU SCCs; and (b) where the UK IDTA applies, in which case the governing law and jurisdiction provisions of the UK IDTA govern that addendum.
14. Contact
Questions, requests for information, or notices relating to this DPA should be directed to:
- Privacy and data protection requests: [email protected]
- Security incidents and vulnerability reports: [email protected]
- Legal notices: [email protected]
Postal address: Salesgroup, Inc., 8 The Green #23898, Dover, DE 19901, United States of America.
