1. Introduction
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service ("Agreement") between the Customer ("Controller") and Hostcamp Europe s.r.o., Company ID: 21324557, registered at Nove sady 988/2, 602 00 Brno, Czechia, operating the FIFE.BOT platform ("Processor").
This DPA sets out the terms under which the Processor processes Personal Data on behalf of the Controller in connection with the provision of the FIFE.BOT platform and related services. This DPA is intended to ensure compliance with Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and any applicable national data protection laws.
In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Where terms are not defined here, they shall have the meaning given to them in the GDPR.
- "Controller" means the Customer who determines the purposes and means of the processing of Personal Data and who uses the FIFE.BOT platform to deploy AI chatbot services.
- "Processor" means Hostcamp Europe s.r.o. (operating as FIFE.BOT), which processes Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA. This may include the Controller's end users, website visitors who interact with deployed chatbots, and the Controller's employees or representatives.
- "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR. For the Processor, the primary supervisory authority is the Office for Personal Data Protection of the Czech Republic (UOOU).
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
3. Scope and Roles
The Customer acts as the Controller and determines what Personal Data is collected through the FIFE.BOT platform and for what purposes. FIFE.BOT acts as the Processor and processes Personal Data solely on behalf of and under the documented instructions of the Controller.
The processing activities carried out by the Processor in connection with the FIFE.BOT platform include:
- Providing AI chatbot services: Receiving and processing chat messages submitted by end users through the Controller's deployed chatbot widget, generating AI-powered responses, and delivering those responses to end users via server-sent events (SSE).
- Storing knowledge base content: Processing and storing documents, web page content, text entries, and structured data uploaded by the Controller to build the chatbot's knowledge base. This may include content that contains Personal Data if the Controller chooses to upload such content.
- Processing chat conversations: Storing chat session history, message content, and associated metadata (timestamps, session identifiers) for the purpose of providing conversation context and enabling the Controller to review chatbot interactions through analytics.
- Generating AI responses: Transmitting relevant portions of chat messages and knowledge base content to third-party AI model providers (Sub-processors) for the purpose of generating responses to end-user queries.
- User account management: Processing the Controller's account information (email address, name, preferences) for authentication, authorization, and service delivery.
The categories of Personal Data processed may include: names, email addresses, IP addresses, chat message content, browser metadata, and any other Personal Data that end users voluntarily submit through the chatbot or that the Controller includes in knowledge base content.
4. Customer Obligations
The Controller shall:
- Ensure that there is a lawful basis under the GDPR for the processing of Personal Data by the Processor, including but not limited to obtaining any necessary consents from Data Subjects or establishing another valid legal basis (such as legitimate interest or contractual necessity).
- Inform Data Subjects about the processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR, including the fact that an AI chatbot is used and that conversations may be stored and processed by third-party services.
- Ensure the accuracy, quality, and legality of the Personal Data provided to the Processor, and ensure that the Controller has the right to transfer such data to the Processor for processing.
- Not upload or include special categories of Personal Data (Article 9 GDPR) in knowledge base content or chatbot interactions unless the Controller has established an appropriate legal basis and has implemented suitable safeguards.
- Promptly notify the Processor of any changes to applicable data protection laws or regulations that may affect the Processor's obligations under this DPA.
5. FIFE.BOT Obligations
The Processor shall:
- Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
- Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 8 of this DPA to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject.
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities), taking into account the nature of processing and the information available to the Processor.
- Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, as further described in Section 9 of this DPA.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires further storage, as further described in Section 11 of this DPA.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits as described in Section 10.
6. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors for the processing of Personal Data. The Processor shall ensure that Sub-processors are bound by data processing obligations no less protective than those set out in this DPA.
The current list of Sub-processors engaged by FIFE.BOT is as follows:
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | United States | Database hosting, user authentication, file storage, real-time subscriptions, and edge function execution |
| OpenRouter Inc. | United States | LLM API routing for generating AI chatbot responses across multiple model providers |
| OpenAI Inc. | United States | Text embedding generation for knowledge base vector search (text-embedding-3-large model) |
| Firecrawl / Mendable Inc. | United States | Web page scraping and content extraction for knowledge base ingestion |
| Stripe Inc. | United States | Payment processing, subscription management, and billing |
| Resend Inc. | United States | Transactional email delivery (account verification, password reset, notifications) |
| Vercel Inc. | United States (global edge network) | Static frontend hosting and edge network for the fife.bot application and marketing website |
The Processor shall notify the Controller at least 30 days in advance before adding or replacing any Sub-processor, providing the Controller with an opportunity to object to the change. The notification shall include the name of the new Sub-processor, its location, and the nature of the processing it will perform. If the Controller raises a reasonable objection, the parties shall discuss the concern in good faith. If no resolution can be reached, the Controller may terminate the affected services.
7. International Transfers
The Controller acknowledges that certain Sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For any transfer of Personal Data to countries outside the EEA that have not received an adequacy decision from the European Commission, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR.
These safeguards include:
- EU Standard Contractual Clauses (SCCs): The Processor shall enter into or ensure that its Sub-processors have entered into the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for the transfer of Personal Data to third countries.
- Supplementary measures: Where necessary based on a transfer impact assessment, additional technical, organizational, or contractual measures shall be implemented to ensure an essentially equivalent level of data protection.
- EU-U.S. Data Privacy Framework (DPF): Where applicable, reliance on the EU-U.S. Data Privacy Framework or successor frameworks for Sub-processors that have been certified thereunder.
The Processor shall provide the Controller, upon request, with information about the specific safeguards in place for each international transfer.
8. Security Measures
The Processor implements and maintains the following technical and organizational measures to protect Personal Data, in accordance with Article 32 of the GDPR:
- Encryption in transit: All data transmitted between end users, the FIFE.BOT application, and backend services is encrypted using TLS/HTTPS. No Personal Data is transmitted in plaintext.
- Row-Level Security (RLS): The database enforces row-level security policies on all tables containing user data, ensuring that each authenticated user can only access data belonging to their own account. This provides tenant isolation at the database level.
- Credential encryption: Third-party integration credentials (such as API tokens for Notion, Confluence, or Google Drive) are encrypted at rest using AES-256-GCM encryption before storage in the database.
- Authentication and authorization: User authentication is handled by Supabase Auth using JSON Web Tokens (JWT). Access to edge functions and API endpoints requires valid authentication tokens. Edge functions verify JWT signatures before processing requests.
- Access control: Administrative access to infrastructure, databases, and third-party services is restricted to authorized personnel and protected by multi-factor authentication where available.
- Secure hosting: The application frontend is hosted on Vercel, a global edge platform providing automated HTTPS, DDoS protection, and managed CDN. The backend database and edge functions are hosted on Supabase's managed infrastructure, which provides automated backups, network isolation, and monitoring.
- Regular security reviews: The Processor conducts periodic reviews of its security practices, infrastructure configurations, and access controls to identify and address potential vulnerabilities.
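The tenant-isolation measure described above, illustrated with an added example that is not FIFE.BOT's own schema or policies: a Postgres row-level security setup of the kind Supabase supports. The `chat_messages` table, its `owner_id` column and the policy names are assumptions; `auth.uid()` is the Supabase helper that returns the subject claim of the caller's JWT. The final query is a check for tables in the `public` schema that have RLS switched off.

```sql
-- Added example (not FIFE.BOT's schema). Table, column and policy names are assumed.

create table if not exists chat_messages (
  id          bigserial primary key,
  owner_id    uuid not null default auth.uid(), -- tenant = Supabase Auth user id from the JWT
  session_id  uuid not null,
  content     text not null,
  created_at  timestamptz not null default now()
);

-- A table without RLS is readable by any role that holds table grants.
-- FORCE makes the policies apply to the table owner as well.
alter table chat_messages enable row level security;
alter table chat_messages force row level security;

-- Rows are visible and writable only when owner_id matches the caller's JWT subject.
create policy chat_messages_owner_select on chat_messages
  for select to authenticated
  using (owner_id = auth.uid());

create policy chat_messages_owner_insert on chat_messages
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy chat_messages_owner_update on chat_messages
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy chat_messages_owner_delete on chat_messages
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check: any ordinary table in the public schema with RLS disabled is a gap in
-- the "all tables containing user data" claim. Expected result: no rows.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

Two caveats a practitioner would check against such a setup. First, RLS applies only to roles without the `BYPASSRLS` attribute; Supabase's `service_role` key bypasses it, so policies like these protect nothing on a code path that uses that key, and that key must never reach the browser-side chatbot widget. Second, a table with RLS enabled but no policies denies all access to the `authenticated` role, whereas a table with RLS disabled exposes every row to any role with grants; the check query above catches the second case but not a table that has RLS enabled with an over-permissive policy such as `using (true)`.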
9. Data Breach Notification
In the event of a Personal Data breach (as defined in Article 4(12) of the GDPR), the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, using the contact information provided by the Controller.
- Provide the Controller with the following information, to the extent available at the time of notification (with additional details provided as they become available):
  - A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
  - The likely consequences of the breach.
  - A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
  - The name and contact details of the Processor's point of contact for further information.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Document the breach, including the facts relating to it, its effects, and the remedial action taken, in accordance with Article 33(5) of the GDPR.
10. Audit Rights
The Controller, or a third-party auditor appointed by the Controller, may audit the Processor's compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice before conducting an audit.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear its own costs associated with the audit unless the audit reveals a material breach by the Processor.
- The Processor shall make available relevant documentation, records, and information necessary to demonstrate compliance with this DPA. Where possible, the Processor may satisfy audit requests by providing existing third-party audit reports, certifications, or compliance documentation from its Sub-processors.
- Any third-party auditor must sign a confidentiality agreement before accessing the Processor's systems or documentation.
11. Data Deletion
Upon termination or expiration of the Agreement, or upon the Controller's written request, the Processor shall:
- Delete all Personal Data processed on behalf of the Controller within 30 days, including all copies stored in databases, file storage, backups, and any Sub-processor systems, unless applicable EU or Member State law requires continued storage of the data.
- At the Controller's request (made before deletion), return a copy of the Personal Data to the Controller in a commonly used, machine-readable format.
- Provide written confirmation to the Controller that all Personal Data has been deleted, upon the Controller's request.
- Where applicable law requires the Processor to retain certain Personal Data beyond the termination of the Agreement, the Processor shall inform the Controller of that requirement and shall continue to protect such data in accordance with this DPA until it is deleted.
12. Term
This DPA shall become effective on the date the Controller accepts the Agreement (Terms of Service) and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. The obligations of the Processor regarding data deletion and confidentiality shall survive the termination of this DPA.
13. Contact
For any questions, requests, or notifications relating to this Data Processing Agreement, please contact:
Hostcamp Europe s.r.o. (operating as FIFE.BOT)
Nove sady 988/2, 602 00 Brno, Czechia
Company ID: 21324557
Email: support@hostcamp.eu
14. Updates
The Processor may update this DPA from time to time to reflect changes in applicable law, Sub-processors, or security measures. The following log records material updates to this document:
- April 18, 2026: Corrected the Sub-processors list and Security Measures section to accurately reflect the frontend hosting provider (Vercel Inc., United States). Previous versions of this document erroneously referenced Microsoft Azure Static Web Apps; no production traffic was ever served from Azure, and no actual Sub-processor change occurred.