Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between All Onboard ("Processor") and the organization subscribing to the platform ("Controller"). It governs the processing of personal data that the Controller submits to All Onboard in connection with the use of our services.

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.

3. Scope of Processing

All Onboard processes personal data on behalf of the Controller for the purpose of providing AI-powered customer support services. This includes:

  • Support conversation content (messages between end-users and AI agents)
  • Contact information (names, email addresses, identifiers from connected channels)
  • Knowledge base content uploaded by the Controller
  • Usage analytics and conversation metadata

4. Sub-processors

The Controller authorizes the Processor to engage sub-processors to assist in providing the services. A current list of sub-processors is made available to the Controller upon request and upon execution of this agreement. Sub-processors are engaged in the following categories:

  • AI language model providers (conversation processing)
  • Database hosting (isolated per-tenant data storage)
  • Vector search (knowledge base retrieval)
  • Authentication and identity management
  • Payment processing
  • Email delivery (notifications and invitations)
  • Application hosting and deployment

The Processor will notify the Controller at least 10 days before adding or replacing sub-processors and provide an opportunity to object. If the Controller raises a reasonable objection within 14 days, the parties will work in good faith to resolve the concern.

5. Data Security

All Onboard implements the following security measures:

  • Tenant isolation — Each organization receives a dedicated, isolated database. Customer data is never commingled.
  • Encryption at rest — All databases are encrypted using AES-256.
  • Encryption in transit — All data is transmitted over TLS 1.2+.
  • Credential encryption — Database credentials are encrypted with AES-256-CBC before storage.
  • Access controls — Role-based access with separate platform and operator user types.

6. Data Subject Rights

The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

7. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.

8. Data Retention and Deletion

Upon termination of the agreement, the Processor will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller may request data export at any time during the subscription period.

9. International Transfers

Personal data may be processed in the United States where our infrastructure and sub-processors are located. Appropriate safeguards are in place in accordance with applicable data protection laws.

10. Contact

For questions about this DPA, contact us at privacy@allonboard.ai.