Data Processing Agreement

Last Updated: April 4, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between the entity agreeing to these terms (“Controller”, “you”) and TheRackey OÜ (registry code: 16903336), trading as Chasivo (“Processor”, “we”, “us”), and governs the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

  • “GDPR” — Regulation (EU) 2016/679 (General Data Protection Regulation).
  • “UK GDPR” — The GDPR as retained in UK law by the European Union (Withdrawal) Act 2018.
  • “Personal Data” — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • “Processing” — Any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • “Data Subject” — The identified or identifiable natural person to whom Personal Data relates.
  • “Subprocessor” — A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose

2.1. This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the provision of the Chasivo Service.

2.2. The details of the processing are described in Annex 1 (Processing Details).

2.3. The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3. Obligations of the Processor

The Processor shall:

3.1. Process Personal Data only on documented instructions from the Controller, as described in Annex 1, unless required by applicable law.

3.2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS/HTTPS) and at rest (AES-256 via Supabase/Postgres);
  • Row-level security (RLS) ensuring strict data isolation between tenants;
  • Regular security assessments and penetration testing;
  • Access controls with role-based permissions;
  • Input validation and output sanitisation on all data processing endpoints;
  • PII sanitisation before AI model processing (sanitizeForAI);
  • AI output validation (validateAIOutput).

3.4. Respect the conditions for engaging Subprocessors as set out in Section 5.

3.5. Assist the Controller, taking into account the nature of processing, with appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to Data Subject requests (Chapter III GDPR).

3.6. Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.

3.7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data. The Processor offers:

  • JSON data export (available in Settings);
  • Account deletion with 90-day soft-delete, followed by permanent deletion;
  • Financial/tax records retained for 7 years as required by law.

3.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

4. Controller Obligations

The Controller shall:

4.1. Ensure that it has a lawful basis for the processing of Personal Data and that Data Subjects have been informed of the processing in accordance with Articles 13 and 14 GDPR.

4.2. Ensure that the instructions given to the Processor comply with applicable data protection laws.

4.3. Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor.

5. Subprocessors

5.1. The Controller provides general authorisation for the Processor to engage Subprocessors. The current list of Subprocessors is set out in Annex 2 and is maintained at https://chasivo.com/privacy#service-providers.

5.2. The Processor shall:

  • Notify the Controller of any intended changes to Subprocessors at least 30 days in advance by email or in-app notification;
  • Provide the Controller with the opportunity to object to such changes;
  • Impose data protection obligations no less protective than those in this DPA on each Subprocessor by way of a contract;
  • Remain fully liable for the acts and omissions of its Subprocessors.

5.3. If the Controller objects to a new Subprocessor within 14 days of notification and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services with 30 days’ notice.

6. International Data Transfers

6.1. The Processor shall not transfer Personal Data to a country outside the EEA or UK unless:

  • The European Commission or UK Secretary of State (as applicable) has issued an adequacy decision for the destination country; or
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission; or
  • A derogation under Article 49 GDPR applies.

6.2. Where transfers are made to the United States, the Processor relies on the EU-US Data Privacy Framework where applicable, or SCCs where the recipient is not certified.

6.3. Current transfer mechanisms for each Subprocessor are detailed in Annex 2.

6.4. UK Transfers. For transfers of Personal Data from the United Kingdom, the parties agree to the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018). Where the EU SCCs apply under this DPA, they shall be deemed amended as set out in the UK Addendum.

6A. California and US State Privacy Laws

6A.1. To the extent that the Processor processes Personal Data subject to the California Consumer Privacy Act (CCPA/CPRA), the Processor is a “service provider” as defined under the CCPA.

6A.2. The Processor shall not:

  • Sell or share the Controller’s Personal Data;
  • Retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Agreement;
  • Retain, use, or disclose Personal Data outside of the direct business relationship between the Controller and the Processor;
  • Combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA.

6A.3. The Processor certifies that it understands and will comply with the restrictions in this Section 6A.

6A.4. The Controller may take reasonable and appropriate steps to ensure the Processor uses Personal Data in a manner consistent with the Controller’s obligations under applicable US state privacy laws.

7. Data Breach Notification

7.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller’s Personal Data.

7.2. The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of the Processor’s point of contact;
  • A description of the likely consequences of the Data Breach;
  • A description of the measures taken or proposed to be taken to address the Data Breach.

7.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach.

8. Data Protection Impact Assessments

Where required under Article 35 GDPR, the Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and, where necessary, prior consultations with supervisory authorities under Article 36 GDPR.

9. Audit Rights

9.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

9.2. The Controller may conduct an audit (or appoint a third-party auditor) no more than once per year, with at least 30 days’ written notice, during normal business hours, and subject to reasonable confidentiality obligations.

9.3. The Processor may satisfy audit requests by providing:

  • Relevant certifications or audit reports (e.g., SOC 2 reports from Subprocessors);
  • Written responses to the Controller’s reasonable questions;
  • Access to relevant documentation.

10. Term and Termination

10.1. This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.

10.2. Upon termination of the Agreement, the Processor shall, at the Controller’s election:

  • Return all Personal Data via the export functionality; and/or
  • Delete all Personal Data within 90 days, except where retention is required by law.

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service). Nothing in this DPA limits either party’s liability for breaches of its obligations under data protection laws where such limitation is not permitted.

12. Governing Law

This DPA is governed by the laws of the Republic of Estonia. For GDPR-related matters, the applicable data protection laws of the relevant EU Member State or the UK apply. The competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Annex 1 — Processing Details

Subject Matter and Duration

Element | Detail
Subject matter | Processing of Personal Data to provide the Chasivo accounts receivable management service
Duration | For the duration of the Agreement plus any retention periods specified in Section 3.7
Nature and purpose | Storage, organisation, retrieval, analysis, transmission, and deletion of Personal Data to enable invoice management, payment tracking, customer communication, AI-powered analysis, and reporting

Categories of Data Subjects

  • Controller’s customers and their employees/contacts
  • Controller’s employees and team members
  • Controller’s end users (email recipients)

Categories of Personal Data

  • Identity data: Full name, email address, phone number, job title, company name
  • Financial data: Invoice amounts, payment amounts, payment dates, bank details (as entered by Controller), billing history
  • Communication data: Email content (subject, body, attachments metadata), timestamps, sender/recipient information
  • Behavioural data: Invoice payment patterns, response times, communication history
  • Technical data: IP addresses (for security/authentication), browser user agent (for security)
  • AI-derived data: Risk scores, client profiles, intent classifications, sentiment indicators (derived from the above data)

Special Categories of Personal Data

None. The Processor does not intentionally process special categories of Personal Data as defined in Article 9 GDPR. If the Controller includes such data in free-text fields, the Controller is responsible for ensuring a lawful basis.

Processing Operations

  • Account creation and authentication
  • Invoice creation, storage, and management
  • Customer record management
  • Email synchronization, analysis, and sending
  • AI analysis: client profiling, risk scoring, email drafting, intent classification, dispute resolution
  • Payment recording and tracking
  • Report generation and analytics
  • Automated chasing workflows (per Controller’s configuration)
  • Transactional email delivery (reminders, notifications)

Annex 2 — Subprocessors

The current list of approved Subprocessors is maintained at https://chasivo.com/privacy#service-providers and is replicated below for reference.

Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism
Supabase, Inc. | Database hosting, authentication, row-level security | All Customer Data | US (AWS us-east-1) | EU-US Data Privacy Framework + SCCs
Stripe, Inc. | Payment processing, subscription billing | Name, email, billing address, payment method tokens | US | EU-US Data Privacy Framework
Anthropic, PBC | AI text generation (Claude — risk scoring, email drafting, dispute resolution) | Sanitised invoice/customer data (PII removed via sanitizeForAI) | US | SCCs
Google LLC | AI chat (Gemini), Gmail integration (email sync/send) | Email content, sanitised customer data (AI), OAuth tokens (Gmail) | US | EU-US Data Privacy Framework
Resend, Inc. | Transactional email delivery | Recipient email, email subject, email body | US | SCCs
Railway Corp. | Application hosting and compute | All data in transit/processing | US | SCCs
Hostinger International Ltd. | Marketing website hosting | Website visitor data (IP, cookies) | EU (Lithuania) | N/A (EU-based)
Sentry (Functional Software, Inc.) | Error monitoring and performance tracking | Error logs, stack traces, IP addresses, browser metadata | US | EU-US Data Privacy Framework + SCCs

TheRackey OÜ
Nelgi 30, 11213 Tallinn, Estonia
Registry code: 16903336

Email: privacy@chasivo.com
Website: https://chasivo.com

This Data Processing Agreement was last updated on April 4, 2026.