LastBot Customer Service Agreement
Revision 2.0
This LastBot Customer Service Agreement ("Agreement") governs Customer's access to and use of Services provided by Provider.
KEY TERMS SUMMARY
| Topic | Summary |
|---|---|
| Ordering | Service Orders incorporate this Agreement. Auto renew by default. |
| Support | Email and portal support provided as described in Agreement. |
| Limits & AUP | Technical and commercial limits apply. Acceptable Use restrictions apply. |
| Fees | Activation and Service Fees are nonrefundable. Charges based on Provider-measured usage. |
| Data | Customer owns Customer Data. Provider owns Service Data and Services. |
| Privacy | Processing per Agreement and Provider Privacy Policy. GDPR-compliant DPA included. |
| Compliance | Do-not-contact, privacy, and export compliance obligations apply. |
| Liability | Cap equals one-year fees; standard exclusions apply. |
1. Definitions
Terms appear at first use and as specified in this section.
- Activation Fee: One-time fee for initial activation or implementation of Service.
- Agreement: This LastBot Customer Service Agreement, including all Exhibits.
- Confidential Information: Nonpublic information disclosed under this Agreement.
- Customer: The entity identified as Customer in the Agreement Details section.
- Customer Data: Information provided by or for Customer through Services.
- Customer Inputs: Customer Data required to provision or operate Service.
- Fees: All charges specified in the Price List including Activation Fees, Service Fees, and Resource Fees.
- Free Trial: A time-limited, capacity-limited no-charge evaluation of Service subject to Free Trial Constraints.
- Free Trial Constraints: Restrictions on Free Trial usage as specified in Exhibit C.
- IPR: Intellectual Property Rights.
- Laws: Applicable statutes, regulations, rules, and binding standards.
- Limits: Technical, commercial, or performance limits set out in Service Specification.
- Non-Provider Services: Third-party products or services that interoperate with Services.
- Privacy Policy: LastBot's privacy policy available at lastbot.com/privacy-policy.
- Professional Services: Any consulting, implementation, training, or other services beyond standard Services, charged separately.
- Provider: LastBot Europe Oy.
- Resources: External telecom, cloud, models, APIs, data access, licensed software, and other third-party services used to provide Services.
- Resource Fee: Usage-based metered charges for Customer's use of Resources.
- Resource Deposit: A prepaid, non-interest-bearing security posted by Customer against Resource Fees.
- Service: Provider's AI-powered customer service platform identified in this Agreement and specified in Service Specification.
- Service Data: Operational data, metrics, telemetry, transcripts, learnings, and models generated from or about Services.
- Service Fee: Recurring fee for Service as specified in Price List.
- Service Specification: Documentation describing features, limits, and requirements of a Service (see Exhibit A).
- Service Term: The period for Service as specified in Service Order Details.
- Transferable Service: Other Service tiers eligible for upgrade or downgrade as identified in Service Specification.
2. Service Provision
2.1 Service Delivery
Provider will provide Customer with access to the Services in accordance with this Agreement, the Service Specification, and the Service Order Details. Services may be delivered through automated systems, Provider personnel, subcontractors, or a combination thereof.
2.2 Provisioning
Provisioning begins after Provider receives applicable Activation Fees and any required Resource Deposit. Provider will use commercially reasonable efforts to provision Services within 5 business days of receipt of all required fees and information.
2.3 Service Access
Customer will receive administrative credentials and access to the Provider's platform to configure and manage the Service. Customer is responsible for maintaining the security and confidentiality of access credentials.
3. Support
3.1 Support Levels
Provider will provide technical support for Services as follows:
- Email Support: Available via support@lastbot.com during business hours (9:00–17:00 EET, Monday–Friday, excluding Finnish public holidays)
- Portal Support: Available 24/7 via support.lastbot.com
- Response Times: Provider will use commercially reasonable efforts to respond to support requests within 24 hours during business days
3.2 Scope of Support
Support includes assistance with Service configuration, troubleshooting, integration guidance, and resolution of Service defects. Support does not include development of custom features, Professional Services, or support for Non-Provider Services.
3.3 Enhanced Support
Enhanced support options (including dedicated support contacts, faster response times, or phone support) may be available as a separately priced add-on upon mutual agreement.
4. Limits and Acceptable Use
4.1 Service Limits
Service includes technical, commercial, or performance limits set out in the Service Specification. Provider may adjust limits to protect security, integrity, and fair use. Customer will receive notice of material limit changes affecting Customer's use.
4.2 Customer Inputs and Customer Data
Service may require Customer Inputs defined in Service Specification. Service performance depends on Customer Data quality and external conditions. Provider is not liable for Service performance issues resulting from inadequate or inaccurate Customer Data.
4.3 Acceptable Use Policy
Customer must not use Service to:
- Conduct illegal or harmful activities
- Abuse or disrupt networks, spam, phishing, or distribute malware
- Bypass safety or security controls
- Generate unlawful hate speech, harassment, or incitement
- Impersonate others or intentionally mislead recipients
- Make automated decisions affecting legal rights without appropriate human oversight
- Resell, sub-license, or commercialize access to Service for third parties
- Train competing AI models using Services or Service outputs
- Exceed usage limits or attempt to circumvent metering or billing systems
4.4 No Professional Advice
Service outputs are informational only and do not constitute professional, legal, medical, financial, or other expert advice. Customer is solely responsible for decisions made based on Service outputs.
4.5 Compliance Responsibility
Customer is responsible for ensuring its use of Services complies with all applicable Laws, including but not limited to data protection, telecommunications, consumer protection, and industry-specific regulations.
5. Fees and Payment
5.1 Fees
Customer agrees to pay all Fees as specified in the Price List (Exhibit B). Fees include:
- Activation Fees: One-time charges for Service setup and activation
- Service Fees: Recurring charges for Service access
- Resource Fees: Usage-based charges for external Resources consumed
5.2 Billing and Payment Terms
- Service Fees are billed in advance for the billing period
- Resource Fees are billed monthly in arrears based on actual usage
- All Fees are calculated from usage measured by Provider's systems
- Provider's metering and logs are the final and binding record of usage for billing purposes, absent manifest error
- Invoices are due and payable within 14 days of invoice date
- Payment methods: bank transfer, credit card, or other methods as agreed
- All Fees are exclusive of taxes, which Customer is responsible for
5.3 Resource Deposits
If specified in Service Order Details, Customer must pay a Resource Deposit before Service activation. The deposit is held as security against Resource Fees and does not accrue interest. Unused deposit amounts are returned within 30 days after termination, less any undisputed amounts due.
5.4 Non-Refundable Fees
All Activation Fees and Service Fees are non-refundable, including in connection with early termination of this Agreement, except as explicitly provided in Section 5.6.
5.5 Late Payment
Unpaid undisputed amounts accrue interest at the higher of 1.5% per month or the maximum allowed by applicable law. Provider may suspend Services for non-payment in accordance with Section 6.1.
5.6 Service Transfers and Upgrades
Customer may change from one Service tier to another Transferable Service at any time by providing written notice. If the new Service Term is at least as long as the remaining term of the prior Service, Customer will receive credit for unused prepaid Service Fees and unused Resource Deposits, applied to charges for the new Service. Cash refunds are not provided.
5.7 Fee Disputes
Customer must notify Provider of billing disputes within 30 days after invoice date. Undisputed amounts must be paid when due. Provider will investigate disputed amounts in good faith and respond within 15 business days.
6. Suspension and Termination
6.1 Suspension by Provider
Provider may suspend access to Services, in whole or in part, if:
- Customer fails to pay undisputed amounts within 7 days after written notice
- Customer breaches this Agreement and fails to cure within 7 days after written notice
- Provider reasonably determines that Customer's use presents a legal, regulatory, or security risk
- Customer misuses Services, including exceeding permitted scope, interfering with system integrity, or violating Section 4.3
- Continued access could harm Provider, its systems, or other users
Suspension does not extend the Service Term or create any right to refunds or credits. Provider will provide notice before suspension where reasonably practicable, except for immediate security or legal threats.
6.2 Termination for Cause
Either party may terminate this Agreement upon written notice if the other party materially breaches this Agreement and fails to cure within 30 days after written notice. Provider may terminate immediately for misuse, illegal activity, or integrity or security threats.
6.3 Termination for Convenience
Either party may terminate this Agreement at the end of the then-current Service Term by providing written notice at least 30 days before the renewal date. Termination does not relieve Customer of payment obligations for the current Service Term.
6.4 Effect of Termination
Upon termination:
- All Services cease immediately
- Customer must pay all undisputed amounts accrued through the termination date
- Customer's access to the platform and Customer Data is suspended
- Each party must return or destroy the other's Confidential Information upon request, except for archival copies retained in accordance with standard data retention practices
- Provider will make Customer Data available for export for 30 days after termination, after which Provider may delete Customer Data in accordance with Section 7.3.10
- Unused Resource Deposits are returned less undisputed amounts due
6.5 Survival
Sections 4.3–4.5, 5, 6.4, 7–12, and 13–16 survive termination or expiration of this Agreement.
7. Data and Ownership
7.1 Customer Data Processing
Provider may store and process Customer Data to provide, secure, test, improve, analyze, and operate Services, keep records, and comply with Laws. Customer instructs Provider to process for these purposes and represents it has the authority and required notices and consents.
7.2 Data Ownership
- Customer Data: Customer owns all Customer Data
- Service Data: Provider owns all Service Data, including operational data, metrics, telemetry, transcripts, learnings, and models generated from Services
- Services: Provider owns all Services, modifications, and derivative works
If Provider enriches Customer Data with additional attributes or processing, Customer retains ownership of its original data; the enrichment and resulting Service Data belong to Provider.
7.3 Data Processing Agreement
This Section 7.3, together with Section 8 (Privacy), Exhibit D (Data Processing Annex), and the Privacy Policy, forms a data processing agreement under Art. 28 GDPR and equivalent laws.
7.3.1 Roles and Scope
Customer is the Controller for Customer Data. Provider is the Processor processing Customer Data on documented instructions from Customer. For Service Data, Provider acts as Controller.
Customer instructs Provider to process Customer Data to:
- Provide, secure, support, maintain, test, improve, and operate Services
- Perform analytics and measurement
- Prevent fraud and abuse
- Comply with Laws
- Perform other purposes documented in this Agreement, Service Specifications, and Customer's written instructions
Categories of data and data subjects are as described in the Privacy Policy and Service Specifications. Special-category data is not required for Services; if Customer submits it, Provider processes only under Customer's responsibility and instructions.
7.3.2 Customer Instructions
Provider will process Customer Data only on documented instructions from Customer, including:
- This Agreement and Service Specifications
- Customer-configured settings within the Service platform
- Written requests via designated support channels specified in Section 3
Acceptable instruction channels: (i) Service Order Details, (ii) admin and settings functionality in Service platform, (iii) written requests via support@lastbot.com. If Provider determines that an instruction infringes applicable Laws, Provider will notify Customer without undue delay.
7.3.3 Confidentiality
Provider ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and receive appropriate privacy and security training.
7.3.4 Security Measures
Provider implements appropriate technical and organizational measures to protect Customer Data against unauthorized access, alteration, disclosure, or destruction, as further described in Exhibit D.
7.3.5 Sub-processors
General Authorization: Customer authorizes Provider to engage sub-processors. Provider will maintain a list available upon request to info@lastbot.com.
Notice: Provider will notify Customer of material changes (new sub-processor or change materially increasing risk) at least 15 days before use. Notice is not required for: (i) Provider Affiliates under the same security program; (ii) like-for-like replacements not increasing risk; (iii) providers not accessing Personal Data; or (iv) Customer-enabled integrations.
Objection: Customer may object to a noticed material change on reasonable, specific data-protection grounds within the notice period. Provider may cure by changing the sub-processor or proposing remediation. If unresolved within 30 days, Customer may terminate the affected Service with pro-rated refund of prepaid, unused fees.
Flow-down: Provider binds sub-processors to obligations no less protective than this Section 7.3 and remains responsible for their performance.
7.3.6 Personal Data Breach
Provider will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Data. Notice will describe the breach nature, likely consequences, measures taken or proposed, and point of contact. Provider will promptly take steps to mitigate and remediate.
7.3.7 Assistance
Provider will assist Customer in ensuring compliance with Articles 32–36 GDPR considering the nature of processing and information available to Provider.
7.3.8 International Transfers
EU/EEA to Non-EEA: Where processing involves transfer of Customer Data to a country without adequate protection under Applicable Data Protection Law, the parties rely on appropriate transfer tools. For transfers from the EEA, the parties incorporate EU Standard Contractual Clauses 2021/914: Module 2 (Controller → Processor), including relevant Annexes. The parties select Clause 9(a) with 30-day notification; Clause 11 not applicable; Clause 17 Option 2 (Finland law); Clause 18(b) (Finnish courts).
UK and Switzerland: For transfers from the UK, the UK ICO International Data Transfer Addendum applies. For transfers from Switzerland, Swiss FDPIC-approved terms apply.
Supplementary Measures: Provider implements reasonable supplementary measures and conducts transfer risk assessments where required. General information on global processing appears in the Privacy Policy.
7.3.9 Compliance Audits
Upon written request no more than once per 12 months, subject to confidentiality and safety restrictions, Provider will:
- Make available current third-party compliance audit reports or certifications and security questionnaires
- Permit Customer-initiated compliance audit (remote or onsite) by Customer or independent auditor bound by confidentiality, on 30 days' notice, during business hours, without unreasonably interfering with operations
Audits are at Customer's expense unless they reveal material non-compliance.
7.3.10 Deletion and Return
Upon termination, expiry, or Customer's written request, Provider will, at Customer's choice, return or delete Customer Data within 30 days, excluding standard backups retained as permitted by Laws. If applicable law requires retention, Provider will isolate Customer Data from further processing and delete as soon as legally allowed.
7.3.11 Government Requests
Unless prohibited by law, Provider will notify Customer of legally binding requests from public authorities for disclosure of Customer Data and will challenge unlawful or disproportionate requests where reasonable. Provider discloses only the minimum required by law.
7.3.12 Precedence and Liability
If conflict exists between this Section 7.3 and other Agreement provisions regarding processing of Customer Data, this Section 7.3 controls. This Agreement's liability caps apply to this Section 7.3 except where Applicable Data Protection Law prohibits limitation of liability.
7.3.13 Records
Provider maintains records of processing activities required by Laws and makes them available to supervisory authorities on request.
7.3.14 Definitions
Terms used but not defined in this Section 7.3 have meanings given in this Agreement, Privacy Policy, or Applicable Data Protection Law. "Applicable Data Protection Law" includes GDPR, UK GDPR and Data Protection Act 2018, and Swiss FADP.
8. Privacy
8.1 Privacy Policy
Processing is subject to this Agreement and Provider's Privacy Policy available at lastbot.com/privacy-policy.
8.2 Security
Provider uses reasonable technical and organizational measures as described in Section 7.3.4 and the Privacy Policy. Provider may engage subprocessors subject to confidentiality and security obligations as set forth in Section 7.3.5.
8.3 Retention and Deletion
Retention and deletion follow the Privacy Policy and Service Specifications. Upon request and subject to law and technical limits, Provider will delete or return Customer Data as set forth in Section 7.3.10.
9. Recordings and Notices
9.1 Call and Message Recordings
Calls and messages handled by or through Services may be recorded at all times, including while on hold or after transfer. Customer is responsible for ensuring compliance with applicable Laws regarding recording notifications and consents.
9.2 Automated Notices and Consents
Where required or authorized by Laws, Provider may insert automated disclosures or consent prompts in communications. Customer may configure standard disclosure messages through the Service platform.
9.3 Disclosure Example
An example disclosure message: "Calls and messages may be recorded for quality and training. By continuing, you acknowledge and consent as required by applicable law." Local variants compatible with applicable Laws may be used.
10. Compliance
10.1 Customer Compliance Obligations
Customer is responsible for its use of Services and must comply with all applicable Laws, including:
- Data protection and privacy laws (GDPR, national data protection laws)
- Telecommunications regulations
- Consumer protection laws
- Do-not-contact and marketing consent requirements
- Industry-specific regulations applicable to Customer's business
10.2 Do-Not-Contact and Privacy
Customer must honor opt-out and do-not-contact requests as required by Law. Customer must obtain all required consents for communications and maintain appropriate records.
10.3 Export Controls and Sanctions
Customer must comply with export, re-export, import, and sanctions Laws as updated from time to time and must not use Service for prohibited end-uses or with prohibited parties.
10.4 Sector Restrictions
Customer represents that it is not primarily engaged in the following sectors without Provider's prior written approval: firearms and weapons; gambling and betting; adult entertainment; alcohol; recreational drugs; high-risk financial services and unlicensed money services; surveillance and spyware; or any sanctioned entities or jurisdictions.
11. Free Trial
11.1 Free Trial Terms
If Free Trial is selected in Service Order Details, Customer may evaluate Service at no charge for the specified period, subject to Free Trial Constraints in Exhibit C.
11.2 Free Trial Limitations
Free Trials are subject to capacity and feature limitations as specified in Exhibit C. Free Trials are intended for evaluation purposes only.
11.3 Auto-Conversion
If any Free Trial Constraint is exceeded, the Free Trial automatically converts to a paid Service. Upon auto-conversion, Customer is bound to this Agreement and applicable Service Specification as if it had executed a paid Service Order. Provider will invoice Customer for all usage from the conversion date.
11.4 Free Trial Termination
Either party may terminate a Free Trial at any time without notice or liability. If Customer does not convert to paid Service before Free Trial expiration, access will be suspended and Customer Data may be deleted in accordance with Section 7.3.10.
12. Integrations with Non-Provider Services
12.1 Third-Party Integrations
If Customer enables Non-Provider Services (third-party applications, APIs, or services) to integrate with or access the Service, Customer permits those services to access Customer Data as necessary for the integration.
12.2 Customer Responsibility
Customer is solely responsible for:
- Compliance with third-party terms and conditions
- Security and privacy of data shared with Non-Provider Services
- Any fees charged by Non-Provider Services
- Performance and availability of Non-Provider Services
12.3 No Provider Warranty
Provider does not warrant interoperation or continued availability of Non-Provider Services and may cease related features without liability or refunds if third-party services become unavailable or incompatible.
13. Intellectual Property
13.1 Provider IP Rights
Services, any modifications, and derivative works are Provider's exclusive property. Provider retains all right, title, and interest in Services, Service Data, Provider's technology, algorithms, models, and know-how.
13.2 Customer Data Rights
Customer retains all right, title, and interest in Customer Data. Customer grants Provider a limited license to use Customer Data solely to provide Services in accordance with this Agreement.
13.3 Service Data Rights
Provider owns all Service Data, including operational data, metrics, telemetry, transcripts, aggregated or anonymized data, learnings, and models generated from Services. Provider may use Service Data to improve Services, develop new products, and for other business purposes.
13.4 No Transfer of Rights
This Agreement does not assign, license, or transfer any IPR of either party to the other party, unless explicitly set out in this Agreement.
13.5 Feedback
If Customer provides suggestions, ideas, or feedback about Services, Provider may use such feedback without obligation or compensation to Customer.
14. Changes to Agreement and Services
14.1 Unilateral Amendments
Provider may amend this Agreement, Price List, or Service Specifications with at least 30 days' written notice to Customer. If Customer objects, Customer may terminate this Agreement by written notice received before the effective date of the amendment, with termination effective on the amendment date.
14.2 No Retroactive Changes
No unilateral amendment retroactively alters disputed resolution terms for pending disputes or removes a right already exercised without Customer's written agreement.
14.3 Service Changes
Provider may add new features, modify existing features, or discontinue features with 30 days' notice, except where a third-party Resource provider changes terms or discontinues a Resource on shorter notice, in which case Provider will provide as much notice as reasonably practicable.
14.4 Price Changes
Changes to Fees take effect on the next renewal date after notice. Customer's continued use after the effective date constitutes acceptance of changed Fees.
15. Indemnification
15.1 Indemnification by Provider
Provider will defend and indemnify Customer against third-party claims alleging personal injury or property damage caused by Provider's negligence or willful misconduct.
15.2 Indemnification by Customer
Customer will defend and indemnify Provider against third-party claims alleging:
- Personal injury or property damage caused by Customer's negligence or willful misconduct
- Customer's breach of this Agreement
- Unauthorized, illegal, or fraudulent use of Services by Customer or its end users
- Customer Data infringement of third-party rights
15.3 Claims Process
The indemnified party must:
- Provide prompt written notice of the claim
- Allow the indemnifying party to control defense and settlement
- Cooperate reasonably in the defense
Consent is required for any settlement imposing admission, payment, or non-monetary obligations on the indemnified party. If control is not assumed within 60 days, the indemnified party may defend at the indemnifying party's cost and risk.
16. Limitation of Liability
16.1 Exclusion of Consequential Damages
No party is liable for indirect, incidental, consequential, exemplary, special, or punitive damages, including lost profits, data loss, delays, or third-party network failures, except for intentional acts or gross negligence.
16.2 Liability Cap
Except for intentional acts or gross negligence, each party's aggregate liability for all claims is capped at one times (1×) the Fees paid and payable by Customer to Provider in the 12 months before the event giving rise to liability.
16.3 Exceptions to Cap
The liability cap does not limit or exclude:
- Customer's obligation to pay unpaid Fees, charges, or interest due to Provider
- Either party's indemnification obligations under Section 15
- Liability that cannot be limited under applicable law (including personal injury or data protection violations)
16.4 Allocation of Risk
The parties acknowledge that the Fees reflect the allocation of risk set forth in this Agreement and that neither party would enter into this Agreement without these limitations on liability.
17. General Provisions
17.1 Governing Law and Venue
This Agreement is governed by the laws of Finland, without regard to conflict of law principles. Any disputes arising from this Agreement will be subject to the exclusive jurisdiction of the courts of Helsinki, Finland.
17.2 Injunctive Relief
Any breach of this Agreement may cause irreparable harm for which monetary damages would be inadequate. Each party is entitled to seek injunctive or equitable relief, including specific performance, in any court of competent jurisdiction worldwide, without necessity of posting bond or proving actual damages.
17.3 Confidentiality
Each party must protect the other's Confidential Information with at least reasonable care and use it only for purposes of this Agreement. Exceptions: information that is public, known without restriction, lawfully disclosed by a third party, or independently developed.
17.4 Force Majeure
No party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, pandemics, power outages, strikes, acts of government, or supplier failures, provided it mitigates impact and resumes performance promptly.
17.5 Subcontractors
Provider may use subcontractors and remains responsible for their acts and omissions. Provider remains liable for subcontractor performance as if performed by Provider directly.
17.6 Assignment
Neither party may assign this Agreement without the other's prior written consent, except to an Affiliate or successor in a merger, reorganization, consolidation, or sale of substantially all assets or equity. Any attempted assignment in violation of this section is void.
17.7 Notices
All notices must be in writing and sent by email, registered mail, or courier to the addresses specified in Agreement Details. Notices are deemed received on delivery (or email confirmation for email notices).
- Notices to Provider: info@lastbot.com
- Notices to Customer: the email address in Agreement Details or as updated in writing
17.8 Entire Agreement and Order of Precedence
This Agreement constitutes the entire agreement between the parties on the subject matter and supersedes all prior or contemporaneous agreements, understandings, representations, and warranties, whether written or oral.
Order of Precedence: In the event of conflict: (1) this Agreement; (2) Service Specifications (Exhibit A); (3) other Exhibits; (4) Privacy Policy.
17.9 Amendments
Amendments must be in a signed writing that expressly states it amends this Agreement, except for unilateral amendments permitted under Section 14.
17.10 Severability
If any provision is held unenforceable, the remaining provisions remain in effect, and the provision will be enforced to the maximum extent permitted by law.
17.11 No Waiver
No failure or delay in exercising any right operates as a waiver of that right. No waiver is effective unless in writing and signed by the waiving party.
17.12 Independent Contractors
The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship.
17.13 Attorney's Fees
In any action to enforce this Agreement, the prevailing party is entitled to recover reasonable attorneys' fees and costs.
17.14 Execution
This Agreement may be executed in counterparts and by electronic signatures, each of which is deemed an original and all of which together form one instrument.
17.15 Headings
Headings are for convenience only and do not affect interpretation.
Exhibit D: Data Processing Annex
D.1 Subject Matter and Duration
- Subject Matter: Processing of Customer Data to provide AI-powered customer service platform
- Duration: For the Service Term and 30 days thereafter for deletion/return
D.2 Nature and Purpose of Processing
Nature: Automated processing, storage, analysis, and generation of responses using AI/ML models
Purpose:
- Provide customer service automation (chat, voice, email, WhatsApp)
- Train and improve AI models for Customer's specific use case
- Generate analytics and insights
- Maintain Service security and integrity
- Comply with legal obligations
D.3 Types of Personal Data
Customer Data may include:
- Contact Information: Names, email addresses, phone numbers, mailing addresses
- Identification Data: Customer IDs, account numbers, usernames
- Communication Content: Chat messages, voice recordings and transcripts, email content, WhatsApp messages
- Technical Data: IP addresses, device identifiers, browser information, session data
- Transaction Data: Order history, payment information (if processed), purchase records
- Usage Data: Service interaction logs, timestamps, feature usage
- Custom Data: Any additional data Customer configures Service to process
D.4 Categories of Data Subjects
- Customer's end customers and service users
- Customer's employees and representatives
- Third parties communicating with Customer through Services
D.5 Sub-processors
Current Sub-processors (as of agreement date):
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | EU (Ireland), US |
| OpenAI / Microsoft Azure | AI/ML models | EU, US |
| Twilio | Voice and messaging | US, EU |
| Google Cloud Platform | Cloud services | EU, US |
Note: This list is subject to change. Provider will maintain current list and notify Customer of material changes per Section 7.3.5.
D.6 International Data Transfers
Transfer Mechanisms:
- EU Standard Contractual Clauses 2021/914 (incorporated by reference in Section 7.3.8)
- EU-US Data Privacy Framework (where applicable)
- UK International Data Transfer Addendum (for UK transfers)
- Swiss-approved transfer mechanisms (for Swiss transfers)
Data Locations: Customer Data may be processed in the European Economic Area, United Kingdom, Switzerland, and United States. Customer may request data residency requirements; additional fees may apply.
D.7 Technical and Organizational Measures
Access Control
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Regular access reviews and least-privilege principles
- Automated access logging
Data Security
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Regular vulnerability scanning and penetration testing
- Security incident response procedures
- Annual third-party security audits
Data Integrity
- Automated backup and recovery procedures
- Database replication and redundancy
- Data validation and integrity checks
- Version control and change management
Operational Security
- 24/7 security monitoring and alerting
- Intrusion detection and prevention systems
- DDoS protection and rate limiting
- Security awareness training for personnel
- Background checks for personnel with data access
Availability and Resilience
- Multi-region infrastructure deployment
- Automated failover capabilities
- 99.9% uptime SLA (for paid services)
- Disaster recovery and business continuity plans
- Regular testing of recovery procedures
Compliance
- GDPR compliance framework
- Regular compliance assessments
D.8 Assistance Obligations
Provider will assist Customer with:
- Data Subject Requests: Portal for data export, deletion, and rectification within 5 business days
- Data Protection Impact Assessments: Provide relevant technical and organizational measures documentation
- Prior Consultations: Assist with supervisory authority consultations as reasonably requested
- Security Incidents: 72-hour breach notification and ongoing incident updates
- Audits: Annual audit rights with 30 days' notice (Section 7.3.9)
D.9 Contact Information
Provider Data Protection Contact:
Email: privacy@lastbot.com
Address: Kimmeltie 10, 90630 Oulu, Finland
Contact Information
LastBot Europe Oy
Kimmeltie 10
90630 Oulu, Finland
Email: info@lastbot.com
Business ID: 3361305-7