Data Processing Agreement

GDPR-compliant terms governing our processing of personal data on your behalf.

Last updated: 2025-09-15

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fiveminutes.io ("we," "us," "our," "Processor") and the developer customer using our services ("you," "your," "Customer") whenever we process personal data on your behalf.

This DPA applies to personal data submitted to, stored in, or otherwise processed through Fiveminutes.io for the purpose of providing chat, moderation, support, analytics, and related service functionality for your applications and your end users.

1. Processing Instructions

We will process personal data only on your documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law. In that case, we will inform you of that legal requirement before processing unless the law prohibits us from doing so.

2. Confidentiality

We will ensure that persons authorised to process personal data are subject to a duty of confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need it to provide or support the services.

3. Technical and Organisational Measures

We will implement and maintain appropriate technical and organisational measures designed to protect personal data in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

  • Access controls, authentication, and least-privilege permissions for service administration
  • Encryption and secure transport protections where appropriate for data in transit and at rest
  • Logging, monitoring, backup, recovery, and change-management procedures
  • Measures to restore availability and access to personal data in a timely manner after an incident

4. Sub-processors

You authorise us to engage sub-processors needed to deliver the services, subject to this DPA. We will impose data protection obligations on each authorised sub-processor that are no less protective than those set out in this DPA, and we remain responsible for the performance of those sub-processor obligations.

Where we intend to add or replace a sub-processor in a way that materially affects processing of your data, we will provide advance notice through the service, email, or updated legal documentation so that you can raise reasonable objections before the change takes effect.

5. Assistance with Data Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to help you fulfil your obligation to respond to requests for exercising data subject rights under Chapter III GDPR, including access, rectification, erasure, restriction, portability, and objection requests.

6. Assistance with Articles 32–36 and Breach Notification

Taking into account the nature of processing and the information available to us, we will assist you in ensuring compliance with Articles 32 to 36 GDPR, including security of processing, personal data breach notification, communication of a breach to data subjects, data protection impact assessments, and prior consultation with supervisory authorities where required.

If we become aware of a confirmed personal data breach affecting personal data processed under this DPA, we will notify you without undue delay and no later than 24 hours after becoming aware of the breach, and we will provide timely updates as further information becomes available.

7. Audit and Information Rights

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Upon reasonable prior written notice, we will allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you, provided that such audits are limited to what is necessary, are carried out during normal business hours, and do not unreasonably interfere with our operations or the confidentiality of other customers.

8. Return or Deletion at End of Services

At your choice, and subject to applicable law, we will delete or return personal data to you after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data for a longer period.

Contact and Notices

Questions, notices, and DPA-related requests may be sent to privacy@fiveminutes.io. For general service terms, please also review our Privacy Policy and Terms of Service.