Data Processing Agreement
Last updated: March 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between A.M.T.H DIGITAL LTD (“Processor,” “WebGPT”) and the entity or individual accepting these terms (“Controller,” “Customer”).
This DPA applies where WebGPT processes Personal Data on behalf of the Customer in the course of providing the Service at webgpt.com, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and other applicable data protection laws.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
- Data Subject: The identified or identifiable natural person to whom Personal Data relates.
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Service: The AI-powered content management platform operated at webgpt.com.
3. Scope and Purpose of Processing
3.1 Categories of Data Subjects
- Customer employees and authorized users
- End users of Customer chatbots and published content
- Individuals whose data appears in Customer-uploaded content (RAG knowledge bases, articles)
3.2 Types of Personal Data Processed
- Account information (email, name, username)
- Content data (articles, prompts, AI conversations, chatbot configurations)
- RAG knowledge base documents and embeddings
- Technical data (IP addresses, device information, session data)
- Billing information (processed via third-party payment processor)
- Integration credentials (encrypted API keys, OAuth tokens)
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the Service, including: AI content generation, chatbot operation, content publishing to connected platforms, search analysis, usage tracking, and account management.
4. Obligations of the Processor
WebGPT shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Assist the Controller in fulfilling obligations to respond to Data Subject requests
- Assist the Controller in ensuring compliance with breach notification, data protection impact assessments, and prior consultation obligations
- At the Controller’s choice, delete or return all Personal Data upon termination of the Service
- Make available all information necessary to demonstrate compliance and allow for audits
5. Security Measures
WebGPT implements the following technical and organizational security measures:
- Encryption at rest: All API keys and integration credentials are encrypted using AES-256-GCM
- Encryption in transit: All data transmitted over TLS/SSL
- Password security: User passwords hashed with bcrypt
- Access control: Role-based access, multi-user account isolation, session management with device validation
- CSRF protection: Token-based CSRF validation on all state-changing requests
- Rate limiting: Request rate limiting per user and per feature
- Session security: Device fingerprinting, concurrent session management, automatic session expiry
- Database security: MongoDB Atlas with network-level access controls and encrypted connections
- Content moderation: AI-based content moderation on applicable subscription tiers
6. Sub-processors
The Controller authorizes the use of the following sub-processors. WebGPT will notify the Controller before adding or replacing sub-processors, providing the Controller with an opportunity to object.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| MongoDB Atlas | Cloud database hosting | All application data | Cloud (configurable region) |
| OpenAI | AI text generation, embeddings, vision/OCR | Prompts, content, documents | United States |
| Anthropic | AI text generation (Claude) | Prompts, content | United States |
| Google Cloud | AI generation (Gemini), OCR (Cloud Vision, Document AI) | Prompts, content, documents | United States / EU |
| DeepSeek | AI text generation | Prompts, content | China |
| xAI | AI text generation (Grok) | Prompts, content | United States |
| Mistral AI | AI text generation | Prompts, content | EU (France) |
| Amazon Web Services | OCR (Textract) | Documents for text extraction | United States |
| Tranzila | Payment processing | Payment card data, billing details | Israel |
| GreenInvoice | Invoice generation | Invoice and billing details | Israel |
| Cloudflare | CDN, DNS, DDoS protection, bot detection | Domain data, traffic metadata | Global |
| Google Workspace | Transactional email delivery (SMTP) | Email addresses, notification content | Global |
| DataForSEO | Search engine results data | Search queries, domain URLs | United States |
| Pexels, Pixabay, Unsplash | Stock image search | Search queries | Global |
| Bright Data | Proxy services for web data collection | HTTP requests (proxied) | Global |
Customer-initiated integrations (WordPress, Telegram, X/Twitter, Facebook, Blogger, WordPress.com, Google Analytics) are activated and configured by the Customer. Data shared with these platforms is governed by the Customer’s own relationship with those services.
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), WebGPT ensures appropriate safeguards are in place:
- Transfers to countries with an EU adequacy decision are made on that basis
- Transfers to other countries rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), or equivalent mechanisms
- AI provider sub-processors located in the United States process data under the EU-U.S. Data Privacy Framework where applicable
The Customer acknowledges that the nature of AI services requires transmission of prompts and content to AI providers, which may process data in various jurisdictions as listed in the sub-processor table above.
8. Data Breach Notification
In the event of a Personal Data breach, WebGPT shall:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
- Provide the following information: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document all breaches, including facts, effects, and remedial actions taken
9. Data Subject Rights
WebGPT shall assist the Controller in responding to Data Subject requests to exercise their rights under GDPR, including:
- Right of access (Article 15) — Data Subjects may request a copy of their Personal Data
- Right to rectification (Article 16) — Data Subjects may request correction of inaccurate data
- Right to erasure (Article 17) — Data Subjects may request deletion of their Personal Data
- Right to restriction (Article 18) — Data Subjects may request restriction of processing
- Right to data portability (Article 20) — Data Subjects may request their data in a structured, machine-readable format
- Right to object (Article 21) — Data Subjects may object to processing based on legitimate interests
The Service provides self-service account management including profile editing and account deletion. Data requests may also be submitted via the contact form.
10. Data Retention and Deletion
Personal Data is retained according to the following schedule:
- Usage logs: 90 days
- Billing and transaction records: 7 years (legal requirement)
- Content (articles, chatbots, conversations): Until deleted by the Customer
- Account data: Until the Customer deletes the account
- Server logs: 90 days
Upon termination of the Service or upon the Controller’s written request, WebGPT shall delete all Personal Data within 30 days, except where retention is required by applicable law.
11. Audit Rights
The Controller may, upon reasonable notice and no more than once per calendar year, conduct or commission an audit to verify compliance with this DPA. WebGPT shall cooperate with such audits and make relevant documentation available. Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of data protection obligations that cannot be limited under applicable law.
13. Term and Termination
This DPA shall remain in effect for the duration of the Controller’s use of the Service. The obligations of the Processor regarding the protection of Personal Data shall survive termination of this DPA. Upon termination, the provisions of Section 10 (Data Retention and Deletion) shall apply.
14. Contact
For questions regarding this DPA or to exercise data protection rights:
- Entity: A.M.T.H DIGITAL LTD
- Email: [email protected]
- Address: Mivtza Horev 9, Petah Tikva 2806352, Israel