Data Processing Agreement (AVV)
This DPA forms a legally binding addendum to the Terms of Service between Mignuti Chatbot (Processor) and Customer (Controller) under Art. 28 GDPR.
Annex 1 — Description of processing
- Subject matter: Operation of the Mignuti Chatbot SaaS.
- Nature & purpose: Storage and retrieval of Customer's knowledge base; generation of AI responses to end-user chat queries; provision of analytics.
- Duration: For the duration of the Mignuti Chatbot subscription, plus retention periods per Terms § 8.
- Categories of data subjects: End-users of the Customer's website; Customer's team members.
- Categories of personal data: IP-hash, session-id, chat messages (potentially containing any PII the end-user types), team-member email/name.
Annex 2 — Technical & Organizational Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- PostgreSQL Row-Level Security with default-deny policies; tenant isolation enforced at the database layer.
- PII redaction via Microsoft Presidio before LLM forwarding (where configured).
- Append-only audit log with 7-year cold archive.
- Role-based access control, MFA mandatory for all Owner / Super-Admin accounts.
- Quarterly penetration tests; annual ISO 27001 roadmap (in progress).
Annex 3 — Sub-processors
See the always-current list at /en/legal/subprocessors. Customer may opt in to receive 30-day advance notice of changes.
This template follows the EU Commission SCCs (2021/914) structure. A countersigned PDF can be requested via privacy@mignuti.com.