Data Processing Agreement

Last updated: July 1, 2026 · Operated by Richscripts Inc., an Ontario, Canada corporation.

MyLiveChat customers are usually the controller of visitor, agent, transcript, ticket, and account data they choose to place in the service. MyLiveChat acts as a processor for that Customer Personal Data and processes it only to provide, secure, maintain, and support the service, or as otherwise instructed by the customer.

This DPA is designed to address the controller-processor contract requirements in Article 28 of Regulation (EU) 2016/679 ("GDPR") and comparable data protection laws where they apply.

GDPR data protection illustration

1. Definitions

"Customer" means the organization or person that has an account for the MyLiveChat service. "Customer Personal Data" means personal data submitted to, collected by, or otherwise processed through the service on behalf of Customer. "Data Protection Laws" means GDPR, UK GDPR where applicable, PIPEDA, and any other privacy law that applies to the parties' processing under the service agreement. Terms such as controller, processor, personal data, process, data subject, and supervisory authority have the meanings given in applicable Data Protection Laws.

2. Roles and Subject Matter

  1. Customer determines the purposes and means of processing Customer Personal Data. MyLiveChat processes Customer Personal Data as Customer's processor or, where Customer itself acts as a processor, as Customer's sub-processor.

  2. The subject matter, duration, nature, purpose, categories of data subjects, and types of Customer Personal Data are described in Annex 1.

  3. Customer is responsible for providing lawful notices, obtaining required consents, selecting appropriate settings, and making sure Customer's instructions comply with Data Protection Laws.

3. Customer Instructions

  1. MyLiveChat will process Customer Personal Data only on documented instructions from Customer, including this DPA, the Terms of Service, Customer's configuration in the service, support requests, and other written instructions accepted by MyLiveChat.

  2. MyLiveChat may process Customer Personal Data where required by law. Unless legally prohibited, MyLiveChat will notify Customer before doing so.

  3. MyLiveChat will promptly inform Customer if it believes an instruction infringes applicable Data Protection Laws.

4. Processor Obligations

  1. Confidentiality. MyLiveChat will ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations.

  2. Security. MyLiveChat will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Current measures are summarized in Annex 2.

  3. Data-subject rights. Taking into account the nature of the processing, MyLiveChat will reasonably assist Customer with requests to access, export, correct, restrict, or delete Customer Personal Data.

  4. Compliance assistance. MyLiveChat will reasonably assist Customer with security, breach-notification, data protection impact assessment, and supervisory-authority consultation obligations under GDPR Articles 32 to 36, where the information is available to MyLiveChat and Customer cannot reasonably obtain it through the service.

  5. Personal data breaches. MyLiveChat will notify Customer without undue delay after confirming a personal data breach affecting Customer Personal Data and will provide information reasonably available to MyLiveChat to help Customer meet its legal obligations.

  6. Return or deletion. At the end of service, MyLiveChat will delete or return Customer Personal Data as described in Section 8 and Annex 1, unless applicable law requires continued retention.

  7. Demonstrating compliance. MyLiveChat will make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation, subprocessors, and audit responses subject to confidentiality and reasonable security limits.

5. Sub-processors

  1. Customer grants MyLiveChat general written authorization to engage sub-processors needed to provide, secure, maintain, support, bill, and improve the service.

  2. MyLiveChat will maintain a current sub-processor list in Annex 3 and on the Trust & Security page. MyLiveChat will provide at least 30 days' notice before adding or replacing a sub-processor, except where urgent security, legal, or service continuity reasons require a shorter period.

  3. Customer may object to a new sub-processor by contacting [email protected] before the effective date. If the parties cannot resolve the objection, Customer may stop using the affected service feature or terminate the affected service according to the Terms of Service.

  4. MyLiveChat will impose written data-protection obligations on sub-processors that are no less protective in substance than this DPA for the processing they perform. MyLiveChat remains responsible to Customer for sub-processor performance of those obligations.

6. International Transfers

Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, MyLiveChat will use appropriate safeguards required by Data Protection Laws. These may include Standard Contractual Clauses, approved addenda, transfer impact assessments, supplementary technical and organizational measures, or Customer-selected data residency and self-hosted options where available.

7. Audits

  1. Customer may request information reasonably necessary to verify MyLiveChat's compliance with this DPA. MyLiveChat may satisfy an audit request through documentation, security questionnaires, third-party reports, or a mutually agreed audit process.

  2. On-site or live-system audits require at least 30 days' written notice, may occur no more than once every 12 months unless required by a supervisory authority or following a confirmed material breach, and must not unreasonably disrupt MyLiveChat operations or compromise another customer's data.

  3. Audit information is MyLiveChat confidential information and must be used only for Customer's compliance review.

8. Return, Export, and Deletion

  1. During the service term, Customer may export available Customer Personal Data through dashboard exports, APIs, or support-assisted export workflows.

  2. After account termination, MyLiveChat will delete Customer Personal Data from active systems according to the service's normal deletion process unless Customer requests return within 30 days or applicable law requires retention.

  3. Encrypted backups are overwritten on the normal backup lifecycle and are not restored except for disaster recovery, security, or legal-preservation purposes. If backup restoration is required, MyLiveChat will reapply deletion requests where technically feasible.

9. Relationship to Other Terms

This DPA forms part of the Terms of Service. If this DPA conflicts with the Terms of Service on the processing of Customer Personal Data, this DPA controls for that processing. The Terms of Service govern liability, payment, suspension, termination, and other service terms unless expressly changed by this DPA or a signed agreement between the parties.

Annex 1 - Processing Details

Subject matterProvision of MyLiveChat live chat, AI chatbot, knowledge base, dashboard, reporting, support, billing, and related services.
DurationFor the service term and any retention period required for export, backup, security, fraud prevention, dispute resolution, or legal obligations.
Nature and purposeCollection, transmission, hosting, storage, retrieval, organization, display, analysis, deletion, export, support access, and other processing needed to provide, secure, troubleshoot, and support the service.
Data subjectsCustomer's website visitors, chat participants, ticket requesters, knowledge-base users, prospects, customers, agents, admins, account users, and other individuals whose data Customer submits to the service.
Personal data typesNames, email addresses, phone numbers, IP addresses, user agent and device information, location derived from IP, chat transcripts, uploaded files, ticket content, survey responses, custom fields, account credentials, authentication logs, billing contact details, and metadata generated by the service.
Sensitive dataThe service is not intended for special categories of personal data, criminal-offense data, children's data, payment card numbers, government identifiers, or protected health information unless Customer has a signed agreement and an appropriate deployment for that workload.

Annex 2 - Technical and Organizational Measures

  • Encryption. TLS for data in transit; encryption for supported storage, backups, and sensitive secrets.
  • Access control. Role-based access, least-privilege administration, password controls, optional MFA/SSO where available, and access review procedures.
  • Tenant separation. Logical separation of customer accounts, scoped API tokens, and authorization checks for dashboard and API access.
  • Logging and monitoring. Operational logging, audit records for administrative activity, monitoring for availability and abuse, and alerting for security-relevant events.
  • Secure development. Code review, vulnerability remediation, dependency review, release controls, and regression testing for security-sensitive behavior.
  • Incident response. Documented investigation, containment, remediation, and customer-notification procedures for confirmed incidents affecting Customer Personal Data.
  • Business continuity. Encrypted backups, disaster-recovery procedures, availability monitoring, and service restoration processes.
  • Personnel and vendors. Confidentiality obligations, security awareness, access limitation, vendor due diligence, and written sub-processor obligations.

Annex 3 - Current Sub-processors

Not every sub-processor is used for every customer, plan, region, or feature. Customers can subscribe to change notices by emailing [email protected].

Sub-processor Purpose Region
AWSApplication hosting, managed databases, storage, and infrastructure services.Canada / EU / US
StripePayment processing for subscriptions and invoices.US / global
PayPalAlternate payment processing.US / global
OpenAIAI chatbot inference for managed AI features where enabled.US
SendGridTransactional email such as signups, password resets, and transcript delivery.US
CloudflareCDN, security filtering, and DDoS protection for public service endpoints and widget delivery.Global
Free forever for 1 agent

Give every visitor an instant way to reach you.

Launch live chat, connect your knowledge base, and add AI answers when you are ready. No credit card, no trial clock.