Legal document
Data Processing Agreement (DPA)
Last updated:
July 6, 2026
This Data Processing Agreement ("DPA") supplements and forms part of our Terms and Conditions. It applies when you ("the Customer", acting as Data Controller) use BuilderBot Cloud ("the Data Processor") to process personal data of your own end users through the builderbot.cloud platform. It complements, and does not replace, our Privacy Policy and our GDPR notice.
1. Parties
- Data Controller ("Customer"): the individual or legal entity that subscribes to the Service and determines the purposes and means of processing the personal data of its own end users.
- Data Processor ("BuilderBot Cloud"): BuilderBot Cloud, LLC, 1111b South Governors Avenue, STE 23416, Dover, DE 19904, United States. Email: support@builderbot.cloud.
2. Subject matter, nature and duration of processing
BuilderBot Cloud processes personal data on behalf of the Customer only to the extent necessary to provide the Service (creating, hosting, and operating chatbots, including integrations with WhatsApp Business, Instagram, and Google Drive/Sheets/Docs when enabled by the Customer). The duration of processing matches the term of the service agreement between the Customer and BuilderBot Cloud, plus the retention period described in Section 8.
3. Categories of data and data subjects
- Categories of data subjects: end users who interact with the Customer's chatbots (for example, the Customer's own customers or WhatsApp/Instagram contacts).
- Categories of data: identification and contact data, the content of messages exchanged with the chatbot, technical usage metadata, and any additional data the Customer configures its conversational flows to collect.
No special categories of data (Article 9 GDPR) are processed unless the Customer itself voluntarily introduces them into its flows, which is the Customer's sole responsibility.
4. Controller's instructions
BuilderBot Cloud will process personal data only on the Customer's documented instructions, as reflected in the platform configuration and the applicable service agreement, unless required to do otherwise by European Union or Member State law; in that case, BuilderBot Cloud will inform the Customer of that legal requirement before processing, unless prohibited from doing so on important grounds of public interest.
5. Confidentiality and authorized personnel
BuilderBot Cloud ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need it to provide the Service.
6. Technical and organizational security measures
BuilderBot Cloud applies reasonable security measures, including:
- Encryption in transit (HTTPS/TLS) for communications with the platform.
- Secure storage at rest with the infrastructure providers listed in Section 7.
- Restricted access limited to authorized personnel.
- Deletion of the Customer's data within a maximum of 30 days after termination of the contract (see Section 8).
7. Authorized sub-processors
The Customer authorizes BuilderBot Cloud to engage the following sub-processors to provide the Service:
| Sub-processor | Function | Location |
|---|---|---|
| Vercel | Hosting and delivery of the marketing website | United States |
| Hetzner | Hosting of the main application (VPS, Docker/Traefik) | European Union |
| Microsoft Azure | Hosting of the AI microservice (VM) and AI processing (Azure OpenAI) | European Union |
| AWS | Document storage (S3) | United States |
| MongoDB | Database of the main application | European Union |
| MongoDB Atlas | Database of the AI microservice | European Union |
| OpenAI | Generative AI processing | United States |
| Anthropic | Generative AI processing | United States |
| Groq | Generative AI processing | United States |
| Mistral AI | Generative AI processing | European Union |
| Google Cloud Platform (Vertex AI) | Generative AI processing (Gemini, Claude, and xAI/Grok served via Vertex AI) | United States |
| Fireworks AI | Generative AI processing | United States |
| Parasail | Generative AI processing | United States |
| Inworld AI | Generative AI processing | United States |
| ElevenLabs | Voice generation / text-to-speech | United States |
| Cal.com | Appointment scheduling | United States |
| Cloudflare | Anti-bot protection (Turnstile) on login | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing and billing | United States |
| PostHog | Product analytics | United States |
| Meta | Messaging platforms (WhatsApp, Instagram), when enabled by the Customer | United States / Ireland |
BuilderBot Cloud imposes data protection obligations on these sub-processors that are equivalent to those set out in this DPA. If we onboard a new sub-processor with access to personal data, we will update this table and communicate the change on this page.
If the Customer uses the database agent feature to connect its own PostgreSQL database, that database is the Customer's own infrastructure and is not included in the table above; the Customer is responsible for its security and configuration.
8. Deletion or return of data
Upon termination of the contractual relationship, BuilderBot Cloud will permanently delete personal data processed on behalf of the Customer within a maximum of 30 days, unless applicable law requires a different retention period. The Customer may request an export of its data before termination by emailing support@builderbot.cloud.
9. International transfers
When processing involves a transfer of personal data outside the European Economic Area, BuilderBot Cloud relies on safeguards recognized by the GDPR, in particular the European Commission's Standard Contractual Clauses, or equivalent adequacy mechanisms offered by the sub-processors listed in Section 7.
10. Assistance to the Controller
BuilderBot Cloud will assist the Customer, to the extent reasonably possible given the platform's functionality, so that the Customer can comply with its obligation to respond to data subject rights requests (access, rectification, erasure, portability, objection, and restriction), and with its obligations regarding security, breach notification, and impact assessments, when reasonably required.
11. Personal data breach notification
In the event of a breach of security affecting personal data processed on behalf of the Customer, BuilderBot Cloud will notify the Customer without undue delay and in any case within a reasonable timeframe after becoming aware of it, providing the information available so the Customer can meet its own notification obligations under the GDPR.
12. Audits
BuilderBot Cloud will make available to the Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. Upon a reasonable request, BuilderBot Cloud may respond via security questionnaires or equivalent documentation instead of on-site audits, unless otherwise agreed between the parties.
13. Customer representations and warranties
The Customer represents and warrants that:
- It has a valid legal basis under the GDPR (or other applicable data protection law) for processing the personal data of its own end users through the Service.
- It has provided its end users with all the information required under Articles 13 and 14 of the GDPR before their personal data is processed through the Service.
- Its instructions to BuilderBot Cloud, as well as the configuration applied to its chatbots and flows, do not infringe the GDPR or any other applicable data protection law.
- It is solely responsible for obtaining the consents necessary from its own end users to enable third-party integrations (WhatsApp Business, Instagram, Google Drive/Sheets/Docs) and for any special category data it chooses to introduce into its flows under Section 3.
14. Liability and indemnification
- Each party's own compliance: each party is responsible for its own obligations under the GDPR. Nothing in this DPA relieves BuilderBot Cloud of its obligations as a data processor under Article 28 of the GDPR.
- Limitation of liability: to the maximum extent permitted by applicable law, BuilderBot Cloud's aggregate liability arising out of this DPA is subject to, and is not additional to or cumulative with, the limitations of liability set out in the applicable Terms and Conditions or Service Conditions between the parties.
- Exclusion of indirect damages: unless resulting from BuilderBot Cloud's willful misconduct or gross negligence, BuilderBot Cloud will not be liable for lost profits, lost revenue, loss of business opportunity, or any indirect, incidental, special, or consequential damages arising from the processing of personal data under this DPA.
- Customer indemnification: the Customer will indemnify and hold BuilderBot Cloud harmless from any claim, penalty, fine, or damage reasonably arising from: (i) Customer instructions that violate the GDPR or other applicable data protection law; (ii) the Customer's lack of a valid legal basis for processing the data of its own end users; (iii) the Customer's failure to meet its notice or consent obligations toward its end users under Section 13; or (iv) the Customer's use of the Service in breach of this DPA, the GDPR, or the applicable Terms and Conditions.
- Time limit for claims: any claim arising from this DPA must be notified in writing to BuilderBot Cloud within one (1) year of the claiming party becoming aware, or reasonably having become aware, of the facts giving rise to it, unless applicable law mandatorily provides for a different period.
15. General provisions
- Force majeure: neither party will be liable for failures resulting from causes beyond its reasonable control, including infrastructure provider outages, natural disasters, government actions, or widespread network disruptions.
- Assignment: BuilderBot Cloud may assign this DPA, in whole or in part, in connection with a merger, acquisition, or substantial sale of assets, and will notify the Customer through this page or by email.
- Severability: if any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
- Entire agreement: this DPA, together with the applicable Terms and Conditions or Service Conditions and the Privacy Policy, constitutes the entire agreement between the parties regarding the processing of personal data, and supersedes any prior agreement on this subject.
- No third-party beneficiaries: this DPA does not create rights enforceable by the Customer's end users or any third party outside the parties, without prejudice to any rights those end users may have directly against BuilderBot Cloud under the GDPR and our GDPR notice.
16. Governing law and precedence
This DPA is governed by the same applicable law as the Terms and Conditions. In the event of a conflict between this DPA and the Terms and Conditions regarding the processing of personal data, this DPA will prevail.
17. Contact
BuilderBot Cloud, LLC
- Address: 1111b South Governors Avenue, STE 23416, Dover, DE 19904, United States
- Email: support@builderbot.cloud
© 2026 BuilderBot. All rights reserved.