Data Processing Agreement

This page summarizes how WebSage processes personal data on your behalf under the GDPR. It is a plain-language summary; a full Data Processing Agreement (DPA) is available for signature on request.

For the customer and conversation data you upload or that your end users provide through the chat widget, you are the data controller and WebSage acts as your data processor. We process that data only on your documented instructions and only to provide the service.

For data we determine the purpose of ourselves — for example, your account and billing details — WebSage acts as the controller, as described in our Privacy Policy.

• Process personal data only on your documented instructions.
• Keep personal data confidential and ensure staff are bound by confidentiality.
• Apply appropriate technical and organizational security measures — see our Security page.
• Assist you with data-subject requests and with your own GDPR obligations.
• Delete or return personal data at the end of the service, on your choice.

We engage a limited set of subprocessors (such as our EU hosting, storage, and AI providers) to deliver the service. The current list of subprocessors is available on request; the categories of providers we use are also described in our Privacy Policy. We require subprocessors to provide at least the same level of data protection that we commit to here.

We host customer data in the European Union. Where any processing involves a transfer outside the EU, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

If your organization requires a countersigned DPA, email legal@websage.app with your company details. We will share the agreement for signature and, where relevant, the current subprocessor list.