
Data Processing Agreement (DPA)

Template — version 1.0, dated 9 May 2026

Who is this for? This DPA is for organisational customers that operate Messenger by Chattriix on behalf of their members (employees, contractors, etc.). It is a B2B contract between the customer organisation and Nexa Lucent Technologies Ltd, signed by authorised representatives of each. Individual end-users do not need to sign this DPA. If you're an individual using Messenger, the Privacy Policy is the document that applies to you — Nexa Lucent Technologies is the Controller in that relationship, not a Processor. To execute this DPA, an authorised representative of the customer organisation should review it and contact legal@chattriix.com — we'll send a counter-signature copy and complete it via e-signature or as an attachment to the customer's Order Form.

This Data Processing Agreement (the "DPA") forms part of the agreement between Nexa Lucent Technologies Ltd ("Chattriix", "Processor") and the Customer organisation identified in the corresponding Order Form ("Customer", "Controller") for the provision of Messenger by Chattriix (the "Service").

This DPA is required by Article 28 of the UK GDPR / EU GDPR. It applies whenever Chattriix processes Personal Data on behalf of Customer in connection with the Service.

In the event of a conflict between this DPA and the main Terms of Service, this DPA prevails for matters of personal data processing.


1. Definitions

Capitalised terms not defined here have the meanings given in the UK GDPR. The following definitions also apply:

  • "Customer Personal Data" — Personal Data that Customer (or its end users) submits to or generates within the Service.
  • "Data Protection Laws" — the UK GDPR, EU GDPR, the UK Data Protection Act 2018, and any other applicable data-protection law.
  • "Sub-Processor" — any third party engaged by Chattriix to process Customer Personal Data.

2. Roles

  • Customer is the Controller of Customer Personal Data.
  • Chattriix is the Processor of Customer Personal Data.
  • For end-users of the Service who are using it as individuals (e.g., on a free plan outside an Organisation), Chattriix is the Controller in respect of their personal data — see the consumer Privacy Policy.

3. Subject matter and duration

  • Subject matter: Chattriix's processing of Customer Personal Data in the course of providing the Service.
  • Duration: for as long as the agreement between Chattriix and Customer remains in force, plus retention periods specified in Section 9.
  • Nature and purpose of processing: delivering an end-to-end encrypted messaging service for Customer's authorised users.
  • Categories of Data Subjects: Customer's employees, contractors, agents, customers, suppliers, or other persons authorised by Customer to use the Service.
  • Types of Personal Data: account identifiers (email, display name), encrypted message content (which Chattriix cannot decrypt), device identifiers, connection metadata, authentication and session data, telemetry.

4. Customer instructions

Chattriix processes Customer Personal Data only on documented instructions from Customer, including the instruction set out in the Service's normal operation as documented in the agreement and the Privacy Policy. Customer's instructions for processing are:

(a) to provide and operate the Service in accordance with the agreement; (b) to respond to support requests from Customer or its end users; (c) to comply with applicable law; (d) other instructions documented in writing and agreed by Chattriix.

If Chattriix believes an instruction infringes Data Protection Laws, Chattriix will notify Customer.

5. Chattriix's obligations

Chattriix shall:

  • Confidentiality. Ensure that personnel with access to Customer Personal Data are bound by confidentiality obligations.
  • Security. Implement and maintain the technical and organisational security measures described in Annex II (Technical and Organisational Measures), which Chattriix may update from time to time provided the level of protection is not reduced.
  • Sub-Processors. Engage Sub-Processors only as set out in Annex I and Section 6.
  • Data Subject rights. Provide reasonable assistance to Customer in responding to Data Subject requests under the UK GDPR (access, rectification, erasure, restriction, portability, objection).
  • Breach notification. Notify Customer without undue delay (and in any event within 72 hours) on becoming aware of a Personal Data Breach affecting Customer Personal Data, including the information required by Article 33 GDPR insofar as known.
  • DPIAs. Provide reasonable assistance to Customer with Data Protection Impact Assessments under Article 35 GDPR.
  • Audits. Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer (or another auditor mandated by Customer) at reasonable intervals and on reasonable notice. Chattriix may charge for time spent supporting audits beyond what's reasonable.

6. Sub-Processors

  • Customer authorises Chattriix to engage the Sub-Processors listed in Annex I.
  • Chattriix will give Customer notice (e.g., via the Service or by email to Customer's primary administrator) of any new Sub-Processor at least 14 days before the new Sub-Processor begins processing Customer Personal Data.
  • Customer may object to a new Sub-Processor on reasonable grounds related to data protection within that period. If the parties cannot resolve the objection, Customer may terminate the agreement (or the affected portion) without penalty, with prorated refund of pre-paid fees.
  • Chattriix imposes obligations on Sub-Processors no less protective than those in this DPA and remains responsible for Sub-Processor performance.

7. International transfers

Chattriix may transfer Customer Personal Data outside the United Kingdom or European Economic Area only with appropriate safeguards, including:

  • transfers to countries with an adequacy decision;
  • transfers under the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (as applicable);
  • other safeguards permitted under the UK GDPR.

Customer authorises Chattriix to enter into Standard Contractual Clauses with Sub-Processors on Customer's behalf, where doing so is necessary for the international transfer.

8. End-to-end encryption — practical effect

Customer acknowledges that the Service uses end-to-end encryption such that Chattriix cannot read the contents of messages, calls, or shared media transmitted through the Service. As a result:

  • Chattriix cannot fulfil access or portability requests for plaintext message content beyond what Customer's end users can already obtain themselves through the Service.
  • Chattriix cannot moderate or screen Content for compliance, legal, or other purposes.
  • Where Customer must respond to Data Subject access requests for message content, Customer must obtain that content from the relevant end user's device.

This limitation is a feature, not a bug, of an end-to-end encrypted system.

9. Return or deletion

Upon termination or expiration of the agreement, Chattriix will, at Customer's choice, delete or return all Customer Personal Data, including by:

  • Deleting all Customer Personal Data from active systems within 30 days of termination, except where applicable law requires retention.
  • Scrubbing encrypted message content so that even with cooperation, the content cannot be reconstructed.
  • Allowing Customer to export account-level data (membership, configuration) in a structured format prior to termination.

Backups follow normal rotation timelines documented in Annex II; data in backups is purged within 90 days of termination.

10. Liability

Liability for breach of this DPA is governed by the limitation-of-liability provisions of the main agreement. Nothing in this DPA limits or excludes either party's liability for matters that cannot be limited or excluded under applicable law (such as fines imposed directly by a supervisory authority on the responsible party).

11. Term and conflicts

This DPA takes effect on the date of the corresponding Order Form and continues for the term of the main agreement. In case of conflict between this DPA and any other agreement between the parties, this DPA prevails for matters of personal data processing.

12. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.


Annex I — Authorised Sub-Processors

Sub-Processor                                    | Purpose                                                                      | Location
-------------------------------------------------|------------------------------------------------------------------------------|--------------------------
Oracle Cloud Infrastructure                      | Primary cloud hosting                                                        | United Kingdom
Apple Push Notification Service                  | iOS push notifications (notification metadata only — no message content)     | United States
Firebase Cloud Messaging (Google)                | Android push notifications (notification metadata only — no message content) | United States
Sentry / Functional Software, Inc.               | Error reporting and crash logs (no message content)                          | United States, EU regions
Grafana Labs                                     | Metrics and observability telemetry (no message content)                     | EU regions
Let's Encrypt (Internet Security Research Group) | TLS certificate issuance — public certificate metadata only                  | Cross-border

Updated list available at https://chat.chattriix.com/sub-processors.

Annex II — Technical and Organisational Measures

A. Encryption

  • All Customer Personal Data in transit: TLS 1.2 or higher, with strong cipher suites; HSTS enforced.
  • Message content: end-to-end encrypted with industry-standard cryptographic primitives (forward secrecy; per-message key rotation).
  • Data at rest: encrypted using disk-level encryption on managed cloud infrastructure.
  • Mobile clients: encrypted local storage; biometric app lock available.

B. Access controls

  • Production access restricted to a minimum number of authorised personnel.
  • Multi-factor authentication on all administrative accounts.
  • Privileged actions logged in an immutable audit log.
  • Role-based access control (RBAC) for administrative functions; least-privilege principle.

C. Network and infrastructure

  • Network segmentation between production, staging, and corporate environments.
  • Restrictive ingress rules (security groups / firewalls).
  • Continuous monitoring for unusual activity.
  • Patch management for OS and application dependencies.

D. Operational security

  • Secure software development lifecycle: peer code review, automated security scanning, vulnerability tracking.
  • Vendor risk management for Sub-Processors.
  • Annual third-party security review.
  • Backup and disaster-recovery procedures with documented Recovery Time Objectives.

E. Personnel

  • Background checks for personnel with access to production systems, where lawful.
  • Mandatory data-protection and security training on hire and annually thereafter.
  • Confidentiality obligations in employment and contractor agreements.

F. Incident response

  • Documented incident-response plan with defined roles and escalation paths.
  • Personal Data Breach notification within 72 hours of awareness, in line with Article 33 GDPR.
  • Post-incident review and remediation.

G. Secure deletion

  • Account deletion: personal data removed from active systems within 30 days.
  • Backup purge: within 90 days of deletion request.
  • Cryptographic erasure: where backups contain encrypted message content, deletion of the corresponding keys renders the content permanently unreadable.

Signature

Customer and Chattriix execute this DPA by signing the Order Form referencing it. This DPA may also be entered into as a standalone agreement signed by both parties.

For Nexa Lucent Technologies Ltd
Signature: ____________________
Name:
Title:
Date:

For Customer
Signature: ____________________
Name:
Title:
Date:


© 2026 Nexa Lucent Technologies Ltd. UK-incorporated. All rights reserved.