Data Processing Agreement (DPA)

Last Updated: October 24, 2025

This Data Processing Agreement ("DPA") is entered into between:

The Client (as defined in the Main Services Agreement)
(hereinafter referred to as the "Controller")

and

Mental Balance sp. z o. o., with its registered office at ul. Prof. Władysława Szafera 1/14, 31-543, Kraków, Małopolskie, Poland, entered into the National Court Register (KRS) under number 0000998746.
(hereinafter referred to as the "Processor" or "Boostedchat")

(The Controller and Processor are hereinafter collectively referred to as the "Parties" and individually as a "Party")

This DPA forms an integral part of the Main Services Agreement ("Main Agreement") concluded between the Parties and governs the processing of Personal Data in connection with its performance.

1. Definitions

Terms used in this DPA shall have the meanings ascribed to them by the GDPR, unless defined otherwise.

2. Subject Matter and Purpose of Processing

2.1. The Processor undertakes to process Personal Data only on behalf of the Controller, on its documented instructions, and for the purpose of performing the Services specified in the Main Agreement.

2.2. The Controller's instructions are deemed to include all actions necessary for the provision of the Services (including the use of cloud infrastructure, APIs, AI models, etc.), in accordance with the platform's functionality and the configuration selected by the Controller.

2.3. A detailed description of the subject matter, purpose, nature of the processing, categories of data, and categories of data subjects is provided in Appendix 1 to this DPA.

3. Obligations of the Processor (Boostedchat)

The Processor represents and undertakes that it:

3.1. Processes Personal Data only to the extent and for the purpose provided for in this DPA and the Main Agreement.

3.2. Ensures that persons authorized to process Personal Data (e.g., employees, contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of infringement of the rights or freedoms of natural persons, in accordance with Art. 32 GDPR. A description of the implemented measures is provided in Appendix 2.

3.4. Taking into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights (under Chapter III GDPR).

3.5. Assists the Controller in ensuring compliance with the obligations pursuant to Art. 32–36 GDPR (security, breach notification, impact assessments).

3.6. Following the termination of the Services, at the choice of the Controller, deletes or returns all Personal Data to the Controller. These rules are detailed in the retention policy specified in Appendix 1.

4. Obligations of the Controller (Client)

The Controller represents and undertakes that it:

4.1. Is the sole controller of the Personal Data and bears full responsibility for the lawfulness of its processing, including having an appropriate legal basis for processing it.

4.2. Bears sole responsibility for the quality, integrity, and legality of the Personal Data introduced into the Processor's platform.

4.3. Bears sole responsibility for the configuration of the Services, including all automations, AI scripts, prompts, and marketing activities conducted using the platform.

4.4. Consents for Sensitive and Biometric Data: The Controller is solely responsible for collecting all necessary, explicit consents (in accordance with Art. 9 GDPR) from data subjects in the event of processing health data or biometric data (including for the purpose of voice cloning or synthesis).

4.5. Consents for Recording and Monitoring: The Controller is solely responsible for informing its employees and end-customers and (if legally required) collecting consents from them for the recording and analysis of conversations (voice and text) conducted via the Services.

4.6. AI Act Compliance: The Controller acknowledges that in light of future regulations (e.g., the EU AI Act), it acts as the "Deployer" of AI systems and is responsible for their use in accordance with their intended purpose and applicable law.

5. Further Processing (Subprocessors)

5.1. The Controller grants the Processor general authorization to use other processors ("Subprocessors") for the provision of the Services.

5.2. The list of currently approved Subprocessors is provided in Appendix 3 to this DPA.

5.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Controller the opportunity to object to such changes. Notification will be provided via email or the platform dashboard, at least 14 days in advance.

5.4. The Processor ensures that its contracts with Subprocessors impose data protection obligations on them that are no less protective than those set out in this DPA (in accordance with Art. 28(4) GDPR).

5.5. Where a Subprocessor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Subprocessor's obligations.

6. Data Transfers outside the EEA

6.1. The Controller accepts that the provision of the Services may involve the transfer of Personal Data outside the European Economic Area (EEA), particularly to the USA, where key Subprocessors are located (listed in Appendix 3).

6.2. The legal mechanisms governing such transfers (including the Data Privacy Framework and Standard Contractual Clauses) are set out in Appendix 4 (Module A).

7. Audit

7.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

7.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

7.3. The Parties agree that the Controller will primarily use external audit reports (e.g., SOC 2, ISO 27001, if available) or responses to security questionnaires provided by the Processor.

7.4. The costs of a direct audit shall be borne by the Controller. Such an audit must be announced at least 30 days in advance and must not disrupt the Processor's obligations to other clients or the security of its infrastructure.

8. Personal Data Breaches

8.1. The Processor shall notify the Controller of any confirmed Personal Data Breach without undue delay, no later than 48 hours after becoming aware of it.

8.2. The notification shall contain at least the information required by Art. 33(3) GDPR.

9. Special Jurisdictions

9.1. In the event that the Controller processes data subject to specific jurisdictional regulations (e.g., HIPAA, CCPA in the USA), the additional modules contained in Appendix 4 shall apply.

APPENDIX 1: DETAILS OF PROCESSING

This Appendix describes the details of the processing of Personal Data in accordance with Art. 28(3) GDPR.

A. Categories of Data Subjects:

B. Categories of Personal Data:

Standard Personal Data:

Special Categories of Personal Data (Sensitive Data):

C. Nature and Purpose of Processing:

Nature: The processing is automated and takes place within the SaaS platform. It includes collecting, storing, analyzing (including by AI), recording, synthesizing (voice), and making data available to the Controller and its users.

Purpose: Solely for the purpose of providing the Services defined in the Main Agreement, i.e., providing the Controller with access to and use of the Boostedchat platform for managing customer relations, marketing automation, and communication.

D. Duration of Processing and Retention Policy:

APPENDIX 2: TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

The Processor has implemented at least the following technical and organizational measures (in accordance with Art. 32 GDPR), based on the information from the questionnaire:

Encryption:

Access Control (Identity and Authentication):

System Integrity and Resilience:

Testing and Assessment:

Personnel Security:

APPENDIX 3: SUBPROCESSORS

In accordance with clause 5.1 of the DPA, the Controller grants the Processor general authorization to use the following Subprocessors to provide the Services:

Full Legal Name of Entity        | Service Provided                                 | Country of Processing (Main)
---------------------------------|--------------------------------------------------|-----------------------------
Google (Cloud/AI)                | Cloud infrastructure, AI models                  | EEA / USA
Meta Platforms Ireland Ltd.      | Social media integration (Instagram, FB, WA)     | EEA / USA
Perplexity AI, Inc.              | Information search (Perplexity Search), AI models | USA
ElevenLabs Inc.                  | AI voice synthesis and cloning                   | USA
Vonage                           | API (SMS / Voice)                                | USA
Stripe, Inc.                     | Payment processing                               | EEA / USA
LinkedIn                         | Integration (e.g., ads, messaging)               | EEA / USA

The Processor maintains and provides the Controller with an up-to-date list of Subprocessors.

APPENDIX 4: JURISDICTIONAL MODULES

The application of the following modules depends on the Controller's location and the type of data processed.

MODULE A: INTERNATIONAL TRANSFERS (EU)

In the case of a transfer of Personal Data covered by GDPR to a third country (outside the EEA) that is not covered by an adequacy decision of the European Commission, the Parties rely on the following mechanisms:

  • Data Privacy Framework (DPF): For transfers to Subprocessors in the USA who are certified under the DPF, this mechanism serves as the basis for the transfer.
  • Standard Contractual Clauses (SCCs): In the event a Subprocessor is not DPF certified (or if the DPF is invalidated), the Parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) shall apply and are hereby incorporated into this DPA by reference.

MODULE B: HIPAA (BUSINESS ASSOCIATE AGREEMENT - USA)

This Module applies only if the Controller is a "Covered Entity" or a "Business Associate" as defined under the Health Insurance Portability and Accountability Act (HIPAA) and processes "Protected Health Information" (PHI) through the Services.

Definitions (HIPAA):

Terms used in this Module (e.g., "Business Associate", "Covered Entity", "PHI") shall have the meaning given to them in 45 C.F.R. § 160.103.

Status of Parties:

The Controller is the (Covered Entity/Business Associate), and the Processor (Boostedchat) is its "Business Associate".

Processor's Obligations (as Business Associate):

(a) Processor shall not use or disclose PHI other than as permitted or required by this DPA or as Required by Law.

(b) Processor shall use appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.

(c) Processor shall report to the Controller (Covered Entity) any use or disclosure of PHI not provided for by this DPA, and any "Breach of Unsecured PHI," without undue delay.

(d) Processor shall ensure that any Subprocessor (agent) to whom it provides PHI agrees in writing to the same restrictions and conditions that apply to the Processor.

(e) Processor shall make PHI available to an Individual upon the Controller's request.

(f) Processor shall make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with HIPAA.

This Agreement shall terminate upon the termination of the underlying Services Agreement. Upon termination, Business Associate shall return or destroy all PHI, if feasible.

MODULE C: CCPA/CPRA (CALIFORNIA - USA)

This Module applies if the Controller is subject to the California Consumer Privacy Act (CCPA) as amended (CPRA).

Definitions:

The terms "Business", "Service Provider", "Consumer", "Personal Information" shall have the meanings given in the CCPA.

Status of Parties:

The Controller is the "Business", and the Processor (Boostedchat) is its "Service Provider".

Processor's Obligations (as Service Provider):

(a) Processor shall collect, use, retain, or disclose Personal Information solely for the purpose of providing the Services ("Business Purpose").

(b) Processor shall not "Sell" or "Share" Personal Information as defined by the CCPA.

(c) Processor shall not combine Personal Information received from the Controller with data received from other entities, except as permitted by the CCPA (e.g., to perform the Services).