00
Preamble
This Data Processing Agreement (“DPA”) forms part of the agreement between ChatPilot (“Processor”) and the subscribing business entity (“Controller”) and governs the processing of personal data by ChatPilot on behalf of the Controller in connection with the ChatPilot platform and services (“Services”).
This DPA is entered into pursuant to the Personal Data Protection Act 2010 (Act 709) of Malaysia (“PDPA”) and its subsidiary regulations, as amended from time to time. It supplements and is incorporated into the ChatPilot Terms and Conditions. In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to the processing of personal data.
By subscribing to the Services, accessing the platform, or signing a separate order form that references this DPA, the Controller agrees to be bound by the terms of this DPA.
01
Definitions
Terms used in this DPA have the meanings given in the PDPA unless otherwise defined here.
- “Controller” means the business entity that determines the purposes and means of processing personal data — i.e., the ChatPilot customer.
- “Processor” means ChatPilot, which processes personal data on behalf of the Controller.
- “Data Subject” means an identified or identifiable individual whose personal data is processed — including the Controller's end customers, guests, and contacts.
- “Personal Data” has the meaning given in Section 4 of the PDPA: information relating directly or indirectly to a Data Subject, who is identifiable from that information.
- “Sensitive Personal Data” has the meaning given in Section 4 of the PDPA.
- “Processing” means any operation performed on personal data.
- “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
- “Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- “Services” means the ChatPilot unified messaging platform, AI features, and any related services provided under the Terms and Conditions.
02
Subject matter, nature & purpose
2.1 Subject matter
The Processor will process personal data submitted to or generated by the Services on behalf of the Controller for the purpose of delivering the Services.
2.2 Nature of processing
Processing activities include: collection, storage, retrieval, transmission, routing, analysis, automated decision-support, and deletion of personal data through the ChatPilot platform.
2.3 Purpose
The Processor processes personal data solely to:
- Route and deliver messages across connected messaging channels (WhatsApp, Instagram, Facebook Messenger, TikTok, Telegram, Gmail, and others)
- Power AI-assisted features including automated responses, suggested replies, contact tagging, and conversation analytics
- Maintain conversation history and contact records within the platform
- Provide the Controller with reporting, analytics, and operational dashboards
- Comply with legal obligations and respond to lawful requests from authorities
2.4 Duration
Processing continues for the duration of the Controller's active subscription and for the post-termination retention period specified in Clause 11, unless a shorter period is required by law or agreed in writing.
03
Data categories
3.1 Categories of personal data processed
- Identity data: First name, last name, username, or similar identifiers
- Contact data: Phone numbers, email addresses, social media handles
- Communication data: Message content, attachments, images, voice notes, and documents exchanged through connected channels
- Transactional data: Order references, booking details, or purchase information shared in conversations
- Technical data: Device identifiers, IP addresses, timestamps, and message metadata
- Profile data: Contact tags, notes, conversation history, and custom fields entered by the Controller
3.2 Sensitive personal data
The Services are not designed to process Sensitive Personal Data. The Controller must not submit Sensitive Personal Data through the Services unless expressly agreed in writing with the Processor. If Sensitive Personal Data is incidentally present in communications, the Processor will handle it with heightened security measures consistent with Clause 7 but bears no additional liability for such data beyond the obligations in this DPA.
3.3 Categories of data subjects
- The Controller's end customers and prospective customers
- Guests and individuals who initiate contact through connected messaging channels
- The Controller's team members and authorised users of the platform
- Any other individuals whose personal data is submitted to the Services by the Controller
04
Controller's obligations
The Controller represents, warrants, and agrees that:
- It has a valid lawful basis under the PDPA for all personal data submitted to the Services
- It has provided Data Subjects with appropriate privacy notices disclosing the use of ChatPilot as a data processor
- It has obtained all necessary consents and opt-ins required under applicable law, including messaging platform policies (e.g., WhatsApp Business Policy)
- It will not instruct the Processor to process personal data in a manner that would violate the PDPA or any other applicable law
- It will promptly notify the Processor of any Data Subject rights request that it cannot handle without the Processor's assistance
- It will maintain its own records of processing activities as required under the PDPA
- It is responsible for the accuracy and legality of all personal data submitted to the Services
05
Processor's obligations
5.1 Processing on instructions only
The Processor will process personal data only on the documented instructions of the Controller, including as set out in this DPA and the Terms and Conditions, unless required to do so by Malaysian law or other applicable law.
5.2 Confidentiality
The Processor will ensure that all personnel authorised to process personal data are subject to binding confidentiality obligations and are made aware of their data protection responsibilities. Access is restricted to personnel who need it to perform the Services.
5.3 Cooperation
- Responding to Data Subject rights requests under the PDPA
- Conducting data protection impact assessments where required
- Meeting obligations under the PDPA's breach notification requirements
- Demonstrating compliance with this DPA upon reasonable written request
5.4 No sale of personal data
The Processor will not sell, rent, or otherwise commercially exploit personal data processed under this DPA.
06
Sub-processors
6.1 Authorised sub-processors
The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Schedule B. The Processor will ensure that each sub-processor is bound by data protection obligations at least equivalent to those in this DPA.
6.2 Changes to sub-processors
The Processor will notify the Controller of any intended changes to the list of sub-processors by updating Schedule B and providing at least 14 days' advance notice. The Controller may object within 14 days by notifying the Processor in writing. If unresolved, the Controller may terminate on 30 days' written notice without penalty.
6.3 Liability for sub-processors
The Processor remains liable to the Controller for the acts and omissions of its sub-processors to the same extent as if the Processor performed the processing itself.
07
Security measures
In accordance with the Security Principle under the PDPA, the Processor implements and maintains the technical and organisational measures described in Schedule C to protect personal data.
These measures include, at a minimum:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access controls and least-privilege access policies
- Multi-factor authentication for platform access
- Regular security vulnerability assessments and penetration testing
- Logical separation of Controller data in a multi-tenant environment
- Audit logs of access to and processing of personal data
- Staff training on data protection and information security
- Incident response and disaster recovery procedures
08
Data breach notification
8.1 Notification to Controller
In the event of a confirmed Data Breach affecting the Controller's personal data, the Processor will notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
8.2 Content of notification
- A description of the nature of the breach, including categories and approximate number of Data Subjects and personal data records affected
- The name and contact details of the Processor's Data Protection Officer or relevant contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
8.3 Controller's notification obligations
The Controller is solely responsible for determining whether to notify the Personal Data Protection Commissioner (JPDP) and affected Data Subjects in accordance with the PDPA.
09
Cross-border transfers
The Processor may transfer personal data outside Malaysia as necessary to provide the Services (including to sub-processors listed in Schedule B). The Processor will only make such transfers in compliance with Section 129 of the PDPA — either to countries with adequate protection, pursuant to the Controller's consent, or subject to appropriate contractual safeguards.
Where data is transferred to countries without an adequate protection finding, the Processor will implement contractual protections with the receiving party that are substantially equivalent to those in this DPA.
10
Audit & inspection rights
The Controller may, upon reasonable written notice of at least 14 business days and no more than once per calendar year, request an audit of the Processor's data processing activities relating to this DPA. Audits may be conducted:
- By the Controller's internal team, subject to reasonable confidentiality obligations
- By an independent third-party auditor agreed by both parties, at the Controller's cost
In lieu of an on-site audit, the Processor may provide a current third-party security audit report or certification (e.g., ISO 27001, SOC 2) as evidence of compliance.
11
Return & deletion of data
11.1 Upon termination
Upon termination or expiry of the Services, the Processor will, at the Controller's choice and within 30 days of receiving written instructions:
- Return a complete copy of all personal data to the Controller in a machine-readable format; or
- Securely and permanently delete all personal data, including copies held by sub-processors
11.2 Export window
The Controller may export its data directly from the platform for 30 days after termination. After this window, the Processor may delete the data without further notice unless an extension is agreed in writing.
11.3 Retention for legal compliance
The Processor may retain personal data beyond the 30-day window only to the extent and for the duration required by Malaysian law (e.g., financial records for 7 years under the Companies Act).
11.4 Certification of deletion
Upon request, the Processor will provide the Controller with written confirmation that deletion has been completed.
12
Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the ChatPilot Terms and Conditions. Where the Controller suffers damage as a result of the Processor's breach of this DPA, the Processor's total liability shall not exceed the amounts paid by the Controller to the Processor in the 12 months immediately preceding the event giving rise to the claim. The Controller shall indemnify and hold the Processor harmless from any third-party claims, fines, or penalties arising from the Controller's failure to comply with its obligations as a data controller.
13
Term & termination
This DPA takes effect on the date the Controller subscribes to the Services or signs an order form referencing this DPA, and remains in force for the duration of the Services agreement. It terminates automatically upon termination of the Services agreement, subject to the survival of Clauses 7, 8, 11, and 12.
14
Governing law
This DPA is governed by the laws of Malaysia. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Kuala Lumpur, Malaysia.
15
General
- Entire agreement: This DPA, together with the Terms and Conditions and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of personal data.
- Amendments: The Processor may update this DPA to reflect changes in the PDPA or its processing activities. Material changes will be communicated with at least 30 days' notice.
- Severability: If any provision of this DPA is found unenforceable, the remaining provisions remain in full effect.
- Language: This DPA is drafted in English. In the event of any conflict with a translation, the English version prevails.
A
Schedule — Details of processing
| Subject matter of processing | Provision of the ChatPilot unified messaging and CRM platform |
| Duration of processing | Duration of the Controller’s active subscription plus the post-termination deletion period (Clause 11) |
| Nature of processing | Collection, storage, transmission, analysis, display, and deletion of personal data via connected messaging channels |
| Purpose of processing | Customer messaging, contact management, AI-assisted response, analytics, and reporting |
| Types of personal data | Names, phone numbers, email addresses, social media handles, message content, attachments, timestamps, device metadata, contact tags, and notes |
| Categories of data subjects | The Controller’s end customers, guests, contacts, and team members |
| Sensitive personal data | Not intended — see Clause 3.2 |
B
Schedule — Approved sub-processors
The following sub-processors are authorised as of the date of this DPA. The Processor will update this list and provide notice of changes per Clause 6.2.
| Sub-processor | Country | Purpose |
|---|---|---|
| Meta Platforms, Inc. | United States | WhatsApp Business API, Instagram, and Facebook Messenger message delivery |
| TikTok Pte. Ltd. | Singapore | TikTok messaging channel integration |
| Telegram Messenger Inc. | United Arab Emirates | Telegram messaging channel integration |
| Google LLC | United States | Gmail integration and cloud infrastructure (Google Cloud) |
| Vercel Inc. | United States | Platform hosting, data storage, and content delivery |
| Anthropic, PBC | United States | AI-powered response suggestions and analytics features |
| Lemon Squeezy LLC | United States | Subscription billing and payment management |
C
Schedule — Security measures
Access controls
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) required for all internal system access
- Regular review and revocation of access rights upon staff changes
- Unique user credentials — no shared logins
Encryption
- Data in transit: TLS 1.2 or higher for all communications
- Data at rest: AES-256 encryption for stored data
- Database-level encryption for all personal data stores
Multi-tenancy isolation
- Logical separation of Controller data in a shared infrastructure environment
- Tenant-scoped API authentication — Controllers cannot access other Controllers' data
- Audit logging of all data access events by user and tenant
Availability and resilience
- Automated backups with tested restore procedures
- Redundant infrastructure to minimise single points of failure
- Incident response plan with defined escalation paths
Organisational measures
- Confidentiality obligations in all staff contracts
- Data protection training for all personnel with access to personal data
- Vendor security assessments before onboarding sub-processors
- Periodic internal security reviews