1. Definitions
Capitalised terms not defined in this DPA have the meaning given in the GDPR. "Personal data", "data subject", "processing", "controller", "processor", and "sub-processor" each carry their GDPR Article 4 meaning.
2. Subject matter + duration
The Processor processes personal data on behalf of the Controller solely to provide the Service. Processing continues for the duration of the underlying Subscription Agreement; on termination, the rules in clause 9 ("Return + deletion") apply.
3. Nature + purpose of processing
The Processor's processing activities cover:
- Hosting real-time audio/video signalling + media routing for calls, broadcasts, and recordings.
- Storing recordings, transcripts, and chat messages in the regions the Controller selects (default: EU).
- Generating billing records, usage analytics, and security/audit logs.
- Delivering transactional email notifications (room invites, recording-ready, billing receipts).
4. Categories of data subjects + personal data
Data subjects: the Controller's users, the Controller's invited participants (including external guests), and the Controller's billing contact.
Personal data: identity data (display name, email when supplied), contact data (email, phone where supplied), technical data (IP address, browser fingerprint, device + network telemetry), content data (audio + video tracks published during a session, chat messages, recordings + transcripts where enabled), and billing data (organisation name, billing email, taxable region — never card numbers; those route directly to Stripe).
The Service is not designed for the processing of special categories of personal data (Article 9 GDPR). The Controller must not knowingly upload special-category data without first executing a separate addendum.
5. Processor obligations
The Processor will:
- Process personal data only on the Controller's documented instructions (including the Controller's configuration of the Service).
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement the technical + organisational measures described in clause 7.
- Respect the sub-processor conditions in clause 6.
- Assist the Controller with data-subject requests, DPIAs, and prior consultations with supervisory authorities, taking into account the nature of the processing.
- Notify the Controller of a personal-data breach without undue delay (within 48 hours of the Processor becoming aware) and in any case promptly enough that the Controller can meet its own 72-hour GDPR notification window.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow audits as described in clause 8.
6. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below. The list is also kept current at /legal/dpa. The Processor will give the Controller at least 14 days' notice of new sub-processors via the email on file; the Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to find an alternative.
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Primary cloud + recording storage | DE / FI |
| Stripe Payments Europe Ltd. | Subscription billing + invoicing | IE |
| Cloudflare Inc. | Edge CDN + DNS + DDoS mitigation | Global (EU PoPs preferred) |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | US (DPA + SCCs in place) |
Self-hosted deployments under the LevelChat Community License do not necessarily use the cloud sub-processors above — operators control their own infrastructure and act as their own data processor.
7. Technical + organisational measures
- Encryption in transit: TLS 1.3 between every client and the Service; DTLS-SRTP between participants and the SFU.
- Encryption at rest: AES-256 on all recording + transcript storage. Customer-managed KMS available on the Enterprise tier.
- End-to-end encryption: optional per-room E2EE via the SDK's insertable-streams pipeline.
- Access control: role-based access (host / co-host / member / viewer); mTLS between internal services; short-lived signed JWTs (≤ 1 hour).
- Logging + monitoring: structured audit logs retained for 90 days by default; alerts on anomalous access patterns.
- Data minimisation: PII is never written to application logs; recordings + transcripts are opt-in per room.
- Business continuity: daily encrypted backups; restoration RPO ≤ 24h, RTO ≤ 4h for the managed cloud.
On Enterprise contracts these measures are baselined; on lower tiers the same technical measures are in force but specific commitments (RPO/RTO, dedicated KMS, audit window) are addressed in the Subscription Agreement.
8. Audit rights
The Processor makes its current SOC 2 Type II readiness packet (in progress at the time of this DPA's update — see /security) available to the Controller on request, under NDA. The Controller may additionally request an on-site audit no more than once per twelve-month period, on 30 days' notice, during business hours, at the Controller's expense, conducted by an independent third-party auditor mutually acceptable to both parties.
9. Return + deletion
On termination of the Subscription Agreement, or sooner on the Controller's written request:
- The Processor will, at the Controller's option, return or permanently delete all personal data within 30 days, except where applicable law requires retention.
- Customer-generated content (recordings, transcripts, chat history) is deleted from production storage; backups age out under the rotation policy (typically 90 days).
- The Processor will certify deletion in writing on the Controller's request.
10. International transfers
Personal data is processed within the European Economic Area unless the Controller configures a non-EEA region for a room. Where personal data is transferred outside the EEA, the SCCs apply: Module 2 (Controller-to-Processor) is incorporated by reference; the parties select Option 1 of Clause 17 (the law of the EU Member State in which the Controller is established, falling back to Ireland where the Controller is not established in an EU Member State).
11. Liability + governing law
The parties' liability under this DPA is governed by the limits in the underlying Subscription Agreement. This DPA is governed by the same law as the Subscription Agreement; nothing in this DPA limits a data subject's GDPR rights.
12. Contact
Data-protection inquiries: privacy@levelchat.io. Security disclosures: security@levelchat.io.
This page is the current public DPA template. The executed copy you receive is the binding instrument; if it diverges from this page, the executed copy controls. Self-host operators using the LevelChat Community License should treat this document as a template and execute their own DPA with their downstream customers.