Data Processing Agreement

Last updated: 17 April 2026 · Polara Venture Studio (OPC) Private Limited

This standard DPA supplements our Terms of Service and Privacy Policy. It applies automatically to all customers who process personal data of EU/EEA data subjects using PlotUI. For a countersigned PDF copy, email hello@plotui.com.

1. Definitions

  • Controller: the Customer (the founder / SaaS business using PlotUI).
  • Processor: Polara Venture Studio (OPC) Private Limited, operating PlotUI.
  • Data Subjects: end-users of the Customer's product who interact with the PlotUI widget.
  • Personal Data: any information relating to an identified or identifiable natural person entered into or processed by the widget (e.g., message content that contains a name or email).
  • Processing: any operation performed on Personal Data, including storage, retrieval, and deletion.

2. Subject matter and nature of processing

The Processor processes Personal Data solely to provide the PlotUI in-app support widget on behalf of the Controller. This includes: storing widget conversation messages, matching messages against the knowledge graph, generating AI responses, escalating unresolved queries to the Controller's support email, and providing the Controller with query analytics.

3. Instructions

The Processor shall process Personal Data only on documented instructions from the Controller (as set out in these Terms and DPA and as configured by the Controller in the dashboard), unless required by applicable law.

4. Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

The Processor implements appropriate technical and organisational measures including:

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest for database backups
  • Per-organisation HMAC signing keys for widget embed tokens
  • Per-organisation origin allow-lists to prevent unauthorised widget embedding
  • Role-based access controls within the Processor's infrastructure

6. Sub-processors

The Controller grants general authorisation to engage the sub-processors listed in the Privacy Policy §5. The Processor shall notify the Controller of any intended changes (addition or replacement of sub-processors) with at least 14 days' notice, giving the Controller the opportunity to object.

7. Data subject rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, restriction, portability) within a commercially reasonable time. The Controller remains the primary point of contact for its end-users.

8. Retention and deletion

Widget conversation data is automatically deleted after 180 days. Upon termination of the agreement or account deletion, the Processor shall delete all Personal Data within 30 days and confirm deletion on request. Knowledge graph data (which contains no Personal Data by design) follows the same schedule.

9. Data breach notification

The Processor shall notify the Controller without undue delay — and no later than 72 hours after becoming aware — of any Personal Data breach that may affect the Controller's obligations under applicable data protection law.

10. International transfers

Personal Data is processed in the United States. Where the Controller is established in the EU/EEA, transfers to the US are made under the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission. A copy of the applicable SCCs is available on request.

11. Audits

The Processor shall provide the Controller with all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with 30 days' notice and at the Controller's cost.

12. Governing law

This DPA is governed by the same law as the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the subject matter of data protection.

13. Contact & signed copies

For a countersigned PDF, custom DPA, or any data protection enquiry, contact hello@plotui.com. We respond within 3 business days.