Data Processing Addendum
Effective date: June 21, 2026 · Last updated: June 21, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between BolivAI LLC (“BolivAI”, “Processor”), a Wyoming, USA limited liability company, and the business customer (“Customer”, “Controller”) that uses the BolivAI platform at bolivai.cloud (the “Services”). It governs BolivAI’s processing of personal data relating to the Customer’s end‑customers (“End‑Customer Data”) on the Customer’s behalf. Where the Customer is subject to the EU/UK GDPR, this DPA incorporates Article 28 requirements. The English version is authoritative.
Roles. The Customer is the controller of End‑Customer Data and BolivAI is the processor, acting only on the Customer’s documented instructions (the Services configuration, this DPA, and the Terms). For BolivAI account data, BolivAI is the controller — see the Privacy Policy.
1. Subject matter, duration, nature & purpose
BolivAI processes End‑Customer Data to provide the Services the Customer configures — receiving and replying to messages across WhatsApp, Instagram, Messenger, and web chat; voice calls; bookings; lead generation; content; and analytics — for the duration of the agreement and until deletion or return under §8.
2. Types of personal data & data subjects
| Data subjects | The Customer’s end‑customers, leads, and contacts. |
|---|---|
| Categories of data | Identifiers (name, phone number, messaging handle, email), message and conversation content, voice‑call audio and transcripts, appointment and reservation details, lead and business‑directory information, and related metadata. |
| Special categories | Not requested by BolivAI. The Customer should not configure the Services to collect special‑category data unless it has a lawful basis. |
3. Processor obligations
- Process End‑Customer Data only on the Customer’s documented instructions, including for international transfers, unless required by law (in which case BolivAI notifies the Customer unless legally prohibited).
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement the technical and organizational security measures in §4.
- Respect the sub‑processor conditions in §5.
- Assist the Customer, taking into account the nature of processing, to respond to data‑subject requests (§6) and to meet its security, breach‑notification, and data‑protection‑impact‑assessment obligations.
- Delete or return End‑Customer Data on termination (§8).
- Make available information necessary to demonstrate compliance and allow for reasonable audits (§7).
4. Security measures
BolivAI maintains measures appropriate to the risk, including: encryption in transit (TLS) and at rest; row‑level access controls that isolate each Customer’s data by tenant; scoped API keys and least‑privilege access; signed/verified webhooks; secrets held server‑side only; logging and monitoring; and regular review of access. No system is 100% secure, but BolivAI works to protect the data and improve its safeguards.
5. Sub‑processors
The Customer authorizes BolivAI to engage sub‑processors to provide the Services, under contracts imposing data‑protection obligations no less protective than this DPA. Current sub‑processors include OpenAI (language models), ElevenLabs (voice), Twilio (telephony), Meta Platforms (WhatsApp/Instagram/Messenger), Stripe (payments), Supabase (database, auth, storage), Vercel (hosting), Hostinger/n8n (workflow infrastructure), Google (Analytics and, if connected, Calendar/Workspace), Daily.co (video), and Zep (conversation memory). The full, current list is in the Privacy Policy. BolivAI will give notice of intended changes and the Customer may object on reasonable data‑protection grounds.
6. Data‑subject requests
Taking into account the nature of the processing, BolivAI assists the Customer with appropriate technical and organizational measures to fulfill the Customer’s obligation to respond to data‑subject requests (access, rectification, erasure, restriction, portability, objection). If BolivAI receives such a request directly, it will, where permitted, refer the data subject to the relevant Customer. See the deletion route in the Data Deletion page.
7. Audits
BolivAI makes available information reasonably necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, no more than once per year (and following a personal‑data breach), on reasonable prior notice, during business hours, and subject to confidentiality.
8. Deletion & return
On expiry or termination, and at the Customer’s choice, BolivAI deletes or returns End‑Customer Data and deletes existing copies within 30 days, unless law requires storage. The Customer may also delete specific records in‑product at any time.
9. Personal‑data breach
BolivAI notifies the Customer without undue delay after becoming aware of a personal‑data breach affecting End‑Customer Data, with the information reasonably available to assist the Customer’s own notification obligations.
10. International transfers
BolivAI is operated from the United States and uses providers in various countries. Where End‑Customer Data is transferred internationally, BolivAI relies on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) where required, which are incorporated by reference for such transfers.
11. General
In case of conflict between this DPA and the Terms of Service regarding the processing of End‑Customer Data, this DPA prevails. All other terms of the agreement remain in effect. Liability is subject to the limitations in the Terms of Service. To execute a countersigned copy, contact info@bolivai.com.
12. Contact
BolivAI LLC · Wyoming, United States
Email: info@bolivai.com
See also our Privacy Policy and Terms of Service.