← All legal documents

Data Processing Agreement

LighChat Data Processing Agreement (DPA)

Last updated: 2026-05-07 Applies to: corporate / B2B customers using LighChat to process data on behalf of their employees / users.

⚠️ TEMPLATE. Executed individually with each corporate customer. Final wording subject to legal review.

1. Parties

  • Controller: [CUSTOMER LEGAL ENTITY] (the "Customer").
  • Processor: [LEGAL ENTITY NAME] (the "Operator").

This Agreement is an addendum to the master services agreement.

2. Subject matter

The Operator processes the personal data of the Customer's users (the "Data") solely on documented instructions from the Customer and in accordance with GDPR Art. 28 / 152-FZ.

3. Categories of data and data subjects

  • Data subject categories: Customer's employees, end customers, meeting guests.
  • Data categories: identifiers (name, email, phone), communication content (messages, media, call metadata), technical data (IP, device info).

4. Purposes and term

Processing serves the provision of the LighChat service. Term — duration of the master agreement plus statutory retention periods.

5. Operator's obligations

The Operator undertakes to:

  • process Data only on the Customer's instructions;
  • ensure confidentiality through staff NDAs;
  • apply technical and organisational security measures (see section 8);
  • assist the Customer in handling data subject requests;
  • notify the Customer of security incidents within 48 hours;
  • delete or return all Data within 30 days after the agreement ends;
  • not engage sub-processors without Customer consent (see section 7).

6. Customer's obligations

The Customer:

  • ensures a lawful basis for processing the Data;
  • informs data subjects per GDPR / 152-FZ;
  • issues instructions in writing (including electronic).

7. Sub-processors

The Operator uses the following sub-processors:

  • Google LLC (Firebase, Google Cloud) — storage and processing.
  • Apple Inc. — push delivery (APNs).
  • [TURN provider] — WebRTC media relay.

Current list available at [legal page]/sub-processors. Changes are notified to the Customer 14 days in advance. The Customer may object; if no replacement is feasible, the Customer may terminate without penalty.

8. Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • E2EE for secret chats;
  • role-based access control (RBAC);
  • regular security audits;
  • audit logging of critical operations;
  • bug bounty program ([security@lighchat.app]).

9. Data subject requests

Subject requests for access / deletion / portability are forwarded to the Customer. The Operator provides technical assistance within 10 business days.

10. Incident notification

Upon discovering a personal data breach, the Operator notifies the Customer within 48 hours, including:

  • nature of the incident;
  • categories and approximate number of data subjects affected;
  • likely consequences;
  • remediation measures.

11. Audit

The Customer may audit compliance with this DPA once per calendar year, upon 30 days' notice. The audit may be performed by an independent auditor (NDA required).

12. Cross-border transfers

Transfers to third countries are based on Standard Contractual Clauses (Commission Decision 2021/914) and/or data subject consent under 152-FZ.

13. Liability

Each party bears liability under applicable law and the master agreement.

14. Governing law

[As selected in the master agreement.]

15. Contact

LighChat DPO: [DPO_NAME], dpo@lighchat.app Legal inquiries: legal@lighchat.app