DATA PROCESSING ADDENDUM (DPA)

Last updated: 4 February 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Adealo OÜ ("Adealo", "Processor") and the customer using the Adealo Service ("Customer", "Controller").

This DPA applies where Adealo processes personal data on behalf of the Customer in connection with the Service.

1. Parties

Processor:
Adealo OÜ
Registry Code: 17305560
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145
Email: legal@adealo.com

Controller:
The entity identified as the customer in the applicable Adealo account, order, or subscription.

2. Definitions

Terms such as "personal data," "processing," "controller," "processor," "data subject" have the meanings given in the EU General Data Protection Regulation (GDPR).

3. Roles of the parties

The Customer is the data controller and determines the purposes and means of processing personal data.

Adealo acts as a data processor and processes personal data solely on behalf of and according to the documented instructions of the Customer.

Adealo does not determine the purposes for which Customer Data is processed.

4. Scope of processing

4.1 Subject matter

Processing of personal data submitted to the Adealo Service by or on behalf of the Customer.

4.2 Duration

For the duration of the Customer's use of the Service, plus any limited period required for backup retention or legal obligations.

4.3 Nature and purpose

Processing necessary to:

• provide, operate, and maintain the Service,
• enable customer communication via widgets and dashboards,
• provide AI-assisted features requested by the Customer,
• ensure security, reliability, and support.

4.4 Types of personal data

May include:

• end-user identifiers (e.g. name, email, phone),
• communication content and metadata,
• support-related context and session data.

4.5 Categories of data subjects

Customer's end users

Customer's employees, agents, or representatives

5. Customer obligations

The Customer represents and warrants that it:

• has a lawful basis to process and share personal data with Adealo,
• provides appropriate privacy notices to data subjects,
• obtains all required consents,
• ensures its instructions comply with applicable data protection laws.

The Customer is responsible for responding to data subject requests unless otherwise required by law.

6. Processor obligations

Adealo shall:

• Process personal data only on documented instructions from the Customer.
• Ensure persons authorized to process personal data are subject to confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Assist the Customer, to the extent reasonably possible, with:

• data subject requests,
• security and impact assessments,
• regulatory inquiries related to the processing.

Notify the Customer without undue delay upon becoming aware of a personal data breach involving Customer Data.

Delete or return personal data upon termination of the Service, subject to legal retention requirements.

7. Security measures

Adealo implements reasonable technical and organizational measures, including:

• encryption of data in transit,
• access controls and authentication,
• least-privilege access principles,
• monitoring and incident response procedures.

No system is completely secure, and Adealo does not guarantee absolute security.

8. Sub-processors

The Customer authorizes Adealo to engage sub-processors to assist in providing the Service, including:

• infrastructure and hosting providers,
• AI service providers used solely to generate requested outputs,
• payment processors and operational vendors.

Adealo shall:

• impose data protection obligations on sub-processors consistent with this DPA,
• remain responsible for sub-processors' performance of processing obligations.

A list of current sub-processors may be made available upon request.

9. AI processing clarification

Where AI features are used:

• Personal data is processed solely to generate outputs requested by the Customer.
• Customer Data is not used to train public or general-purpose AI models.
• Prompts and outputs are not stored outside Adealo, cached, or retained for training purposes.

10. International transfers

Where personal data is transferred outside the EEA, Adealo ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission, or
• other lawful transfer mechanisms.

11. Audits

Upon reasonable written request, Adealo shall make available information necessary to demonstrate compliance with this DPA. On-site audits are subject to reasonable limitations, confidentiality, and security requirements.

12. Liability

Liability arising from this DPA is subject to the limitations of liability set forth in the Terms of Service.

13. CCPA / CPRA (United States)

To the extent applicable:

• Adealo acts as a service provider / processor.
• Adealo does not sell or share personal data.
• Adealo processes personal data solely to provide the Service and for no other commercial purpose.

14. Governing law

This DPA is governed by the laws of Estonia, without regard to conflict-of-law rules.

15. Order of precedence

In the event of conflict, this DPA prevails over the Terms of Service with respect to data protection matters.

16. Contact

Data protection inquiries may be sent to:
📧 legal@adealo.com