Data Processing Addendum

Effective: June 27, 2026

This Data Processing Addendum ("DPA") forms part of the Chat-Tok Terms of Service between you ("Customer", the data controller) and Chat-Tok ("Processor"). It governs processing of personal data subject to the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA).

1. Roles

Customer is the controller of personal data about its TikTok audience (commenters, message senders, contacts) that is sent into Chat-Tok. Chat-Tok is the processor and processes that data only on Customer's documented instructions, which include the automations and workflows Customer configures in the product.

2. Subject matter & duration

Subject matter: provision of the Chat-Tok service. Duration: the term of the underlying subscription plus up to 30 days for deletion. Nature & purpose: storage, automated reply, AI generation, analytics. Categories of data subjects: Customer's TikTok audience and team members. Categories of personal data: public TikTok profile data, message content, contact details voluntarily submitted to forms, and any data Customer chooses to upload.

3. Sub-processors

Customer authorizes Chat-Tok to engage the sub-processors listed in our Privacy Policy. We will give at least 30 days' email notice before adding a new sub-processor and provide a mechanism to object.

4. Security measures

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest (managed by Supabase/Postgres)
  • Row-level security enforced at the database
  • Least-privilege access for personnel and audit logging
  • Hardened secret management and rotation
  • Daily managed backups with 7-day retention

Chat-Tok does not currently hold SOC 2, ISO 27001 or HIPAA attestations. Customers requiring those frameworks should evaluate accordingly.

5. International transfers

Personal data may be transferred to the United States and other jurisdictions where our sub-processors operate. Transfers from the EEA, UK and Switzerland rely on the EU Standard Contractual Clauses (2021/914), incorporated by reference. The UK International Data Transfer Addendum applies for UK transfers.

6. Data subject rights

Customers can export or delete data subject records via the product (Settings → Privacy & data) or by emailing support@ordex-systems.com. We assist Customer in responding to data subject requests within 30 days.

7. Breach notification

Chat-Tok will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer data, including known facts, scope and mitigation steps.

8. Deletion & return

On termination Customer may export all data within 30 days, after which Chat-Tok will delete personal data from production systems within 30 additional days and from backups on the standard backup-rotation cycle.

9. Contact

For DPA-related requests email support@ordex-systems.com.