Data Processing Addendum
This English version is the legally binding and authoritative version of this Data Processing Addendum. Any translations provided are for convenience only. In the event of any conflict, discrepancy, or inconsistency, this English version shall strictly control in all instances.
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the CeroVueltas Terms of Service (the "Agreement") between SUITE IMPERIAL LLC, a New Mexico limited liability company, doing business as CeroVueltas ("CeroVueltas"), and the entity accepting the Agreement ("Customer"). This DPA applies to the extent CeroVueltas processes Personal Data on behalf of Customer in connection with the Services. By accepting the Agreement or using the Services, Customer accepts this DPA.
1. Definitions
- "Applicable Data Protection Laws" means all privacy and data protection laws applicable to the Personal Data processed under this DPA, including, as applicable: the California Consumer Privacy Act as amended by the CPRA ("CCPA"); other U.S. state comprehensive privacy laws (including those of Colorado, Connecticut, Texas, Utah, and Virginia) ("U.S. State Privacy Laws"); and, only where applicable to Customer's use, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss FADP, Brazil's LGPD, Argentina's Ley 25.326, and Mexico's LFPDPPP.
- "Personal Data" means any information relating to an identified or identifiable natural person contained within Customer Data that CeroVueltas processes on Customer's behalf. The terms "Controller," "Processor," "Business," "Service Provider," "Data Subject," "Consumer," "Sell," "Share," and "Processing" have the meanings given in Applicable Data Protection Laws.
- "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by CeroVueltas.
- "Subprocessor" means a third party engaged by CeroVueltas to process Personal Data on Customer's behalf, including hosting providers and third-party Artificial Intelligence API providers.
- "SCCs" means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914.
Capitalized terms not defined here have the meanings given in the Agreement.
2. Roles and Scope
2.1 Roles. Customer is the Controller (or Business) of Personal Data, or acts as a Processor on behalf of a third-party Controller. CeroVueltas is a Processor (or Service Provider) acting on Customer's documented instructions.
2.2 Customer Instructions. CeroVueltas shall process Personal Data only: (a) to provide, secure, maintain, and troubleshoot the Services as described in the Agreement; (b) as documented in this DPA and Annex I; and (c) per Customer's other documented, lawful instructions. The Agreement, Customer's configuration of the Services (including the Knowledge Base and routing rules), and use of the dashboard constitute Customer's instructions. CeroVueltas will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Laws.
2.3 Customer Responsibilities. Customer is solely responsible for: (a) the accuracy, quality, and lawfulness of Personal Data and the means by which it was acquired; (b) providing all legally required notices to, and obtaining all legally required consents from, End Users (including for website widgets, session capture, and automated/AI-driven communications); and (c) ensuring its instructions comply with Applicable Data Protection Laws.
3. CCPA and U.S. State Privacy Law Terms
To the extent CeroVueltas processes Personal Data subject to the CCPA or U.S. State Privacy Laws, CeroVueltas:
(a) acts as a Service Provider / Processor and shall process Personal Data solely for the business purposes described in the Agreement and Annex I;
(b) shall not Sell or Share Personal Data;
(c) shall not retain, use, or disclose Personal Data outside the direct business relationship with Customer or for any purpose other than the business purposes specified, except as permitted by Applicable Data Protection Laws;
(d) shall not combine Personal Data with personal information it receives from other sources, except as permitted by Applicable Data Protection Laws (e.g., for security and fraud prevention);
(e) certifies that it understands and will comply with the restrictions in this Section 3;
(f) shall notify Customer if it determines it can no longer meet its obligations under Applicable Data Protection Laws, in which case Customer may take reasonable and appropriate steps to stop and remediate unauthorized processing; and
(g) grants Customer the right to take reasonable steps to ensure CeroVueltas uses Personal Data consistently with Customer's obligations, via the audit mechanism in Section 9.
4. Confidentiality
CeroVueltas shall ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations or an appropriate statutory duty of confidentiality, and access Personal Data only on a need-to-know basis.
5. Subprocessors
5.1 General Authorization. Customer provides general written authorization for CeroVueltas to engage Subprocessors, including hosting infrastructure providers and third-party Artificial Intelligence API providers used for dynamic routing. The current list of material Subprocessors is maintained at our Subprocessor List.
5.2 Updates and Objection. CeroVueltas will update the Subprocessor List before adding or replacing a material Subprocessor and offers a mechanism to subscribe to update notifications. Customer may object on reasonable, documented data-protection grounds within ten (10) days of an update by written notice to privacidad@cerovueltas.com. If the parties cannot resolve the objection in good faith within thirty (30) days, Customer's sole and exclusive remedy shall be the termination of the affected Services. Customer shall not be entitled to any refund, credit, or reimbursement for already consumed capacity, utilized usage quotas, or expired service balances upon termination under this Section.
5.3 Flow-Down. CeroVueltas shall impose data protection obligations on Subprocessors that are materially no less protective than this DPA and remains liable for its Subprocessors' performance to the same extent it would be liable if performing the services itself, subject to the limitations in the Agreement.
5.4 No AI Training. Consistent with Section 10.2 of the Agreement, CeroVueltas does not use Personal Data, Customer Data, Knowledge Base content, or End User messages to train AI or machine learning models, and selects third-party AI Subprocessors whose published policies prohibit using API data to train their general-purpose foundation models. Customer acknowledges that these Subprocessors may temporarily retain API logs strictly for security, abuse-monitoring, and trust-and-safety purposes, in accordance with their respective policies.
6. Security
6.1 Measures. CeroVueltas shall implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Data against Security Incidents, as described in Annex II. CeroVueltas may update these measures, provided the updates do not materially reduce the overall level of protection.
6.2 Security Incident Notification. CeroVueltas shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after confirming a Security Incident affecting Customer's Personal Data. The notification will include, to the extent known: the nature of the incident, categories and approximate volume of affected data, likely consequences, and measures taken or proposed. CeroVueltas' notification is not an acknowledgment of fault or liability. Customer is solely responsible for any legally required notifications to regulators, Data Subjects, or Consumers.
7. Assistance
Taking into account the nature of the processing, CeroVueltas shall provide reasonable assistance to Customer with: (a) responding to Data Subject / Consumer requests (access, deletion, correction, portability, opt-out) — where such requests are received directly by CeroVueltas, it will redirect the requester to Customer; (b) data protection impact assessments and prior consultations with supervisory authorities, where required by GDPR; and (c) Customer's compliance with its security and breach-notification obligations.
Administrative Fees: Any manual, technical, or customized administrative assistance provided by CeroVueltas under this Section that exceeds a simple automated platform function or basic redirect (including, without limitation, manually extracting conversation histories or compiling technical documentation) shall be strictly subject to an administrative service fee of $150 USD per hour, billed in minimum one (1) hour increments, which must be paid by Customer fully in advance prior to the execution of such assistance.
8. Data Return and Deletion
Upon termination or expiration of the Agreement, CeroVueltas shall, within thirty (30) days, delete or anonymize all Personal Data from active production systems, except where retention is required by applicable law or for tax/financial auditing (not to exceed seven (7) years for such records). Personal Data in automated backups will be deleted or overwritten within ninety (90) days. During the term, Customer may export Customer Data via the dashboard or available APIs.
9. Audits
9.1 Audit Reports. Upon written request, no more than once per twelve (12) months, CeroVueltas shall, within forty-five (45) days of receiving such request, make available documentation reasonably necessary to demonstrate compliance with this DPA. Such documentation shall be strictly limited to standard security summaries, FAQs, or general policy overviews as CeroVueltas generally makes available to its customers at that time.
9.2 Regulatory and Mandatory Audits. Where Applicable Data Protection Laws grant Customer a mandatory, non-waivable legal right to conduct an audit that cannot be reasonably satisfied by the documentation provided under Section 9.1, Customer may initiate such an audit strictly subject to the following cumulative conditions:
(a) Customer must provide CeroVueltas with a written notice of at least sixty (60) calendar days along with a detailed audit plan;
(b) The audit must be conducted exclusively by an independent, certified third-party auditor (strictly restricted to a recognized "Big Four" accounting and auditing firm) approved by CeroVueltas in writing, and bound by a strict non-disclosure agreement; internal employees, personnel, or direct/indirect competitors of Customer are absolutely prohibited from acting as auditors;
(c) The scope of the audit shall be strictly limited to a remote desktop review of customized compliance evidence, redacted system logs, and security architecture walkthroughs provided via remote screen-sharing by CeroVueltas personnel;
(d) EXPLICIT PROHIBITION OF ACCESS: Under no circumstances shall the auditor or Customer be granted any physical or logical access to any systems, infrastructure, networks, software, databases, environments, personnel, or any other physical or digital assets, resources, or proprietary information of any kind, whether owned or utilized by CeroVueltas. The audit is strictly confined to the remote visual review of evidence explicitly provided or displayed by CeroVueltas;
(e) Customer shall bear one hundred percent (100%) of all costs, fees, and expenses incurred by the external auditor; and
(f) Customer shall pay CeroVueltas a mandatory administrative and operational disruption fee of $1,500 USD per day (or part thereof) during which the audit review is executed, which must be paid entirely in advance. CeroVueltas reserves the right to immediately suspend or terminate the audit if the review causes system instability, risks intellectual property exposure, or violates operational security boundaries.
10. International Data Transfers
10.1 Processing Location. The Services are hosted and operated in the United States. Customer acknowledges and instructs that Personal Data will be processed in the United States and in the jurisdictions of the Subprocessors listed in our Subprocessor List.
10.2 EEA/UK/Swiss Transfers. Solely to the extent Customer transfers Personal Data subject to the GDPR, UK GDPR, or Swiss FADP to CeroVueltas, the SCCs are incorporated by reference as follows:
| Item | Application |
|---|---|
| Module | Module Two (Controller → Processor); Module Three (Processor → Processor) where Customer is a Processor |
| Clause 7 (Docking) | Not applicable |
| Clause 9 (Subprocessors) | Option 2 (general authorization), notice period per Section 5.2 |
| Clause 11 (Redress) | Optional language not applicable |
| Clause 17 (Governing Law) | Laws of Ireland |
| Clause 18 (Forum) | Courts of Ireland |
| Annexes I–II | Completed by Annexes I–II of this DPA |
| UK transfers | UK International Data Transfer Addendum (IDTA Addendum) applies, with tables completed by this DPA |
| Swiss transfers | SCCs adapted as required by the Swiss FDPIC (references to GDPR read as FADP; supervisory authority is the FDPIC) |
10.3 Customer Responsibility. Customer, as Controller, remains responsible for determining the lawfulness of international transfers for its specific use case and Data Subjects. CeroVueltas makes no representation that any Subprocessor jurisdiction is deemed "adequate."
11. Liability and Order of Precedence
11.1 Each party's liability arising out of or related to this DPA (including the SCCs) is strictly subject to the exclusions and overarching limitations of liability set forth in the Agreement (Terms of Service), including the liability caps, indemnification procedures, class-action waivers, and arbitration provisions thereof. This DPA does not modify, supersede, enlarge, or diminish any limitation of liability or dispute resolution provision of the Agreement.
11.2 In the event of conflict: (a) the SCCs prevail over this DPA solely with respect to transfers they govern; (b) this DPA prevails over the Agreement solely with respect to the technical mechanics of processing Personal Data; and (c) the Agreement (Terms of Service) strictly prevails in all other respects, including, without limitation, all matters of liability, damages, dispute resolution, and governing law.
12. Term, Updates, and Governing Law
This DPA is effective for as long as CeroVueltas processes Personal Data on Customer's behalf. CeroVueltas may update this DPA as reasonably necessary to reflect changes in Applicable Data Protection Laws or the Services, per Section 21.6 of the Agreement. Except where the SCCs require otherwise, this DPA is governed by the laws specified in Section 19 of the Agreement.
Annex I — Description of Processing
| Item | Description |
|---|---|
| Data exporter | Customer (Controller or Processor) |
| Data importer | SUITE IMPERIAL LLC d/b/a CeroVueltas (Processor), New Mexico, USA |
| Categories of Data Subjects | End Users communicating with Customer via WhatsApp or website widgets; Customer's authorized personnel and account users |
| Categories of Personal Data | Names, phone numbers, WhatsApp profile names and IDs, message content, conversation metadata, contact data, account credentials, billing contact details, and any Personal Data Customer includes in the Knowledge Base or Customer Data |
| Sensitive Data | None intended. Customer shall not submit sensitive/special-category data unless legally permitted and contractually agreed in writing |
| Nature and Purpose | Hosting, inbound message routing, vector encoding (RAG), AI-driven response generation via third-party APIs, dashboard analytics, support, security, and troubleshooting |
| Duration | Term of the Agreement plus the deletion periods in Section 8 |
| Frequency | Continuous |
| Competent Supervisory Authority (SCCs) | Determined per Clause 13 of the SCCs based on the data exporter's establishment |
Annex II — Technical and Organizational Measures
- Encryption & Pseudonymization: TLS 1.2+ in transit; AES-256-GCM at rest for databases and critical communications. Cryptographic pseudonymization utilized for PII identifiers in database queries.
- Access Control: SSO integration via Identity Providers (e.g., Google/Facebook/Email) with support for provider-level MFA; role-based access; logical tenant separation (strict database-level scoping per Customer ID).
- Session Security: Zero-Trust session management utilizing secure prefixed cookies, Strict SameSite policies, CSRF tokenization, and strict idle session timeouts.
- DDoS & Abuse Prevention: Automated rate limiting with atomic tracking and strict payload size restrictions to mitigate abuse and resource exhaustion.
- AI Security: Automated prompt injection detection mechanisms and dynamic sanitization protocols to mitigate adversarial inputs and RAG Poisoning.
- Automated PII Redaction: Automatic masking of Personally Identifiable Information (Emails, Phone numbers, Passwords) in system audit logs prior to database ingestion.
- Infrastructure & Secret Management: Hosting on reputable cloud providers maintaining recognized certifications (e.g., SOC 2, ISO 27001). Centralized, cloud-backed secret management to prevent credential exposure. Strict Content Security Policy (CSP) enforcement.
- Vulnerability Management: Periodic patching, dependency review, and secure baseline deployment workflows (Zero-Downtime pipelines).
- Business Continuity: Automated backups; documented incident-response and fallback routing procedures for dynamic APIs.
- Data Lifecycle: Automated GDPR/SOC2 deletion protocols (e.g., 72-business-hour purge window) and backup-overwrite processes per Section 8.
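The following is an illustration, added to this page, of the "Automated PII Redaction" measure listed in Annex II (masking of emails, phone numbers and passwords in audit logs before database ingestion). It is not CeroVueltas' code; the regular expressions, the field names (password, token, etc.) and the sample log lines are constructed assumptions, and the ingestion gate that refuses unredacted lines is one possible design rather than a description of the Services.

```python
import re

# Constructed sample audit log lines (hypothetical; not real customer data).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z INFO login ok user=ana.lopez@example.com password=Hunter2!",
    "2024-05-01T10:00:05Z INFO whatsapp inbound from=+52 55 1234 5678 text=hola",
    "2024-05-01T10:00:09Z WARN support callback requested phone=(505) 555-0142 by bob@example.org",
]

# key=value pairs whose values must never be stored (assumed field names).
# The negative lookahead keeps an already-redacted value from matching again.
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)=(?!\[REDACTED\])\S+")

# Deliberately simple e-mail pattern: local part, '@', domain with a TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Candidate phone numbers: optional '+' or '(', then digits mixed with spaces,
# parentheses or hyphens. Dots and colons are excluded from the run so that IP
# addresses and ISO-8601 timestamps are not mistaken for numbers; the lookarounds
# stop the pattern from starting or ending inside a word.
PHONE_RE = re.compile(r"(?<![\w.])\+?\(?\d[\d\s()-]{6,}\d(?![\w.])")


def _mask_phone(match: "re.Match[str]") -> str:
    """Replace a candidate phone number only if it carries enough digits."""
    digits = re.sub(r"\D", "", match.group(0))
    if len(digits) < 8:
        return match.group(0)  # short numeric runs (ticket ids, counters) stay as-is
    return "[PHONE]"


def redact_line(line: str) -> str:
    """Mask credentials, e-mail addresses and phone numbers in one log line.

    Secrets are handled first so that a token containing '@' or digits is removed
    whole rather than partially rewritten by the later patterns.
    """
    line = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = PHONE_RE.sub(_mask_phone, line)
    return line


def contains_pii(line: str) -> bool:
    """True if any of the three patterns still matches; used as an ingestion gate."""
    return bool(SECRET_KV_RE.search(line) or EMAIL_RE.search(line) or PHONE_RE.search(line))


def redact_before_ingestion(lines):
    """Redact every line and refuse the batch if anything identifiable survives.

    Raising here (instead of storing and cleaning up later) is the point of
    redacting *prior to* database ingestion: unmasked data never reaches storage
    or backups, where the Section 8 deletion windows would otherwise apply.
    """
    redacted = [redact_line(line) for line in lines]
    leftovers = [line for line in redacted if contains_pii(line)]
    if leftovers:
        raise ValueError(f"{len(leftovers)} line(s) still contain PII after redaction")
    return redacted


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, redact_before_ingestion(SAMPLE_LOG_LINES)):
        print(cleaned)
```

Pattern-based redaction of free text is a best-effort control and should sit behind, not replace, structured logging in which sensitive fields are simply never emitted; the gate in `redact_before_ingestion` exists so that a pattern miss fails closed (the batch is rejected) rather than silently writing identifiers into the audit table and its backups.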
Annex III — Subprocessors
The current list of material Subprocessors (hosting and AI providers) is maintained at our Subprocessor List, which is incorporated by reference.
Contact: privacidad@cerovueltas.com | legal@cerovueltas.com
SUITE IMPERIAL LLC, New Mexico, USA