1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Corebee ("Processor") and the customer ("Controller") for the processing of personal data. This DPA is designed to meet the requirements of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
- "Controller" means the customer who determines the purposes and means of the processing of personal data.
- "Processor" means Corebee, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, alteration, retrieval, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
3. Scope and Purpose
Corebee processes personal data on behalf of the Controller to provide AI-powered customer support services. This includes:
- Storing support conversation data
- Processing customer inquiries via AI
- Maintaining knowledge base content
- Providing analytics on support performance
4. Data Processing Details
Categories of Data Subjects
- Controller's end customers
- Controller's team members
Types of Personal Data
- Names
- Email addresses
- Support conversation content
- Usage data
Processing Activities
- Storing personal data in secure databases
- Analyzing data via AI to generate support responses
- Displaying data within the Corebee dashboard
- Reporting and analytics on support performance
Duration of Processing
Personal data will be processed for the term of the agreement between the Controller and Corebee, plus any applicable retention period required by law or as specified in the Terms of Service.
5. Processor Obligations
Corebee, as the Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that all personnel authorized to process personal data are bound by appropriate obligations of confidentiality
- Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage
- Assist the Controller in fulfilling its obligations to respond to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection
- Delete or return all personal data to the Controller upon termination of the agreement, at the Controller's choice, unless retention is required by applicable law
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws, and allow for and contribute to audits and inspections
6. Sub-processors
Corebee engages the following sub-processors to deliver its services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | United States |
| Vercel | Application hosting, CDN | United States |
| OpenAI | AI model inference | United States |
| Paddle | Payment processing (merchant of record) | United Kingdom |
The Controller will be notified of any changes to the list of sub-processors prior to such changes taking effect, providing the Controller with the opportunity to object to the engagement of new sub-processors.
7. Data Transfers
Personal data may be transferred to and processed in the United States. Where such transfers occur from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to provide appropriate safeguards for the protection of personal data. The Controller may request a copy of the applicable SCCs by contacting us.
8. Security Measures
Corebee implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures include:
- Encryption of personal data at rest and in transit
- Row-Level Security (RLS) for strict tenant isolation between customer organizations
- Access controls and authentication mechanisms to prevent unauthorized access
- Regular security assessments and vulnerability monitoring
For more details on our security practices, please visit our Security page.
9. Breach Notification
In the event of a personal data breach, Corebee will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
10. Contact
For questions about this Data Processing Agreement or to submit a DPA-related request, please contact us at jonathan@corebee.ai.