This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Taktik, operated by Zeron Studio (“Processor”), and the entity agreeing to these terms (“Controller”). This DPA applies to the extent that Processor processes Personal Data on behalf of Controller in connection with the Taktik customer support platform (“Service”).
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- “Data Subject” means the individual to whom Personal Data relates (e.g., your end customers who interact with the Taktik chat widget).
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the Service to the Controller. This includes:
- Receiving and storing customer support conversations
- Storing visitor profile information (name, email, browser data)
- Sending notifications (email, SMS, in-app) on behalf of the Controller
- Generating analytics and insights from conversation data
- Providing AI-powered response suggestions based on conversation content
Categories of Data Subjects include the Controller's end customers, visitors, and team members who use the Service.
3. Controller Obligations
- The Controller shall ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process such data.
- The Controller is responsible for providing notice to Data Subjects about the processing of their data and obtaining any necessary consents.
- The Controller shall not provide the Processor with Personal Data of children under 16 unless appropriate parental consent has been obtained.
4. Processor Obligations
- Process Personal Data only on documented instructions from the Controller, including transfers outside the EEA, unless required by applicable law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- Delete or return all Personal Data at the end of the provision of services, at the Controller's choice, and delete existing copies unless storage is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller an opportunity to object.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and deployment | United States |
| Neon Inc. | Database hosting (PostgreSQL) | United States / EU |
| Stripe Inc. | Payment processing | United States |
| Google LLC | OAuth authentication | United States |
| Anthropic PBC | AI response suggestions | United States |
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests. Taktik provides self-service tools for:
- Data export: Export all data associated with a visitor in machine-readable JSON format via the GDPR export endpoint.
- Data anonymization: Anonymize all personally identifiable information for a visitor while preserving aggregate analytics integrity.
These tools are accessible from the workspace Settings under “Data & Privacy.” The Controller may also contact us at hello@taktik.xyz for assistance with Data Subject requests.
7. Security Measures
The Processor implements the following technical and organisational security measures:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database storage is encrypted at rest using AES-256 encryption.
- Access control: Role-based access control (RBAC) with granular permissions. Multi-tenant isolation ensures workspace data separation.
- Authentication: OAuth 2.0 via Google, with session-based authentication and CSRF protection.
- Audit logging: Security-relevant events are logged for accountability.
- Infrastructure: Deployed on Vercel's SOC 2 compliant infrastructure with automatic scaling and DDoS protection.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification shall include:
- The nature of the breach, including the categories and approximate number of Data Subjects affected
- The name and contact details of the data protection point of contact
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
9. Return and Deletion of Data
Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies within 90 days, unless applicable law requires storage. The Controller may export all data via the GDPR export tools before account closure. After the 90-day deletion period, data will be permanently removed from all systems, including backups.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws that govern the underlying Terms of Service. For Data Subjects in the European Economic Area (EEA), United Kingdom, or Switzerland, the provisions of the GDPR (and its UK equivalent, UK GDPR) shall apply to the processing of their Personal Data.
11. Contact
For questions about this DPA or to exercise data protection rights: