Data Processing Agreement
Between [COMPANY LEGAL NAME] ("Processor") and the Customer ("Controller").
1. Roles & instructions
Where you process personal data of your users/contacts through the Service, you are the Controller and we are your Processor. We process only on your documented instructions.
2. Nature of processing
The Service interprets your users' requests against your Odoo instance. We transmit to the AI model only (a) the schema shape of your database and (b) the text of the request — never the values of your business records. Confirmed actions run locally in your Odoo instance under the user's permissions.
3. Our obligations
Confidentiality; the security measures in the annex; assistance with data-subject requests and breach/DPIA duties; and deletion or return of data on termination.
4. Sub-processors
You authorize: Stripe (payments); [LLM provider / self-hosted host] (generating responses); [hosting provider]. We give notice of changes so you may object on reasonable grounds. If the LLM is self-hosted, no request data leaves our infrastructure to an external LLM provider.
5. Transfers, breach, deletion, audit
Cross-border transfers use a lawful mechanism (e.g. SCCs). We notify you of a personal data breach without undue delay. On termination we delete or return data within [30] days. We make available information to demonstrate compliance.
Annex — security measures
Hashed API keys/passwords; TLS in transit; least-privilege access; rate limiting and audit logging; data minimization (schema shape + request text only); backups, monitoring, and key rotation.