Legal document · Version 2.0

Data Processing Agreement

Data Processing Agreement (DPA) · Effective from: July 7, 2026 · Suplifai

What is this document?

This Data Processing Agreement (DPA) governs how Suplifai processes third-party personal data on behalf of the Client — that is, the data of the Client's end customers who interact with the Digital Collaborators. It forms an integral part of the Terms & Conditions and responds to Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) in force and, where applicable, to the GDPR (Art. 28).

1. Definitions

  • Controller: The Client — the company that contracts Suplifai and determines the purposes and means of processing its end customers' data.
  • Processor: Suplifai — processes personal data solely under the Controller's instructions.
  • Personal Data: Any information that allows a natural person to be identified (names, phone numbers, emails, chat conversations).
  • Processing: Any operation on personal data: collection, storage, consultation, use, transmission, or deletion.
  • Sub-Processor: A third party engaged by Suplifai that participates in the processing under the conditions of this DPA.

2. Subject Matter and Scope of Processing

Suplifai will process personal data on behalf of the Client for the sole purpose of operating the contracted Digital Collaborators. The data may include:

  • Name, phone number, and conversations of end customers on WhatsApp, Instagram, or Web.
  • Order, quote, and purchase-preference information.
  • Inventory and pricing data provided by the Client's system.

Processing takes place in the territory of Mexico and, in some cases, on servers outside the country, under the conditions of Clause 8.

3. Controller's Instructions

Suplifai will process personal data solely following the Client's documented instructions, as set out in the Terms & Conditions and in the platform configuration. If Suplifai considers that an instruction infringes applicable law, it will notify the Client.

4. Suplifai's Obligations as Processor

  • Process the data solely for the purposes specified in this DPA.
  • Ensure that personnel authorized to access the data are bound by confidentiality obligations.
  • Implement the security measures described in Clause 6.
  • Assist the Client in handling its end customers' requests, including those relating to ARCO rights and to objection to automated decisions (Clause 9).
  • Notify the Client of any data-subject request within 5 business days.
  • Notify the Client of any security breach affecting its data within 72 hours of detecting it.
  • Not transfer data to unauthorized third parties without the Client's prior instruction.
  • Cooperate with the Client in compliance audits under mutually agreed conditions.

5. Client's Obligations as Controller

  • Have a legal basis for processing its end customers' data (consent, contract, or legitimate interest).
  • Inform its end customers about the use of AI tools in support, in accordance with applicable law.
  • Not instruct Suplifai to carry out processing that violates the law.
  • Handle, as Controller, the exercise of its end customers' rights.

6. Security Measures

Suplifai implements the following technical and organizational measures:

Technical

  • • Encryption in transit (TLS 1.2+)
  • • Encryption at rest (AES-256)
  • • Multi-factor authentication (MFA)
  • • Role-based access control (RBAC)
  • • Access audit logging

Organizational

  • • Least-privilege policy
  • • Confidentiality agreements with employees
  • • Periodic security reviews
  • • Incident response plan
  • • Data-protection training

7. Sub-Processors

The Client authorizes Suplifai to engage Sub-Processors for the provision of the service. Suplifai ensures that each Sub-Processor is bound by data-protection obligations equivalent to those of this DPA. We work with the following categories of Sub-Processors:

Category Purpose Location
Messaging (Meta Platforms, Inc.) WhatsApp Business API / Instagram U.S.
Cloud infrastructure Storage and infrastructure MX / U.S.
Language and AI processing Generation of AI responses U.S.

The specific, up-to-date list of Sub-Processors is available to the Client on request, by writing to legal@suplifai.com. Suplifai will notify the Client at least 10 days in advance of material changes to that list; the Client may object in writing within that period.

8. International Data Transfers

Some Sub-Processors are located outside Mexico (mainly in the United States). Such transfers are made because they are necessary for the provision of the service contracted by the Client and for the performance of the relationship between the Client and Suplifai, in accordance with the grounds provided for in the LFPDPPP in force. In all cases, Suplifai contractually binds each Sub-Processor to maintain data-protection measures equivalent to those of this DPA.

9. Automated Processing and Artificial Intelligence

The service generates responses and quotes through Artificial Intelligence on an automated basis, on behalf of the Client. Suplifai:

  • Assists the Client in handling a data subject's objection to decisions based solely on automated processing and their requests for human intervention.
  • Designs its flows to escalate to a human agent when the AI cannot resolve with certainty.
  • Does not use the Client's or its end customers' personal data to train its own models outside of service delivery.

10. Data Retention and Deletion

Upon termination of the contract, Suplifai will delete or anonymize all personal data of the Client and its end customers within 90 calendar days after termination, unless the law requires a longer retention period. The Client may request written confirmation of the deletion.

11. Audits and Assistance

Suplifai will allow the Client to conduct audits of compliance with this DPA, with 30 business days' prior notice and under mutually agreed conditions (cost and scope). Alternatively, Suplifai may provide certifications or third-party audit reports as evidence of compliance.

12. Term

This DPA has the same term as the Terms & Conditions executed between the parties and is updated in parallel with them. The version in force will always be published at this URL.

13. DPA Contact

For inquiries related to this Data Processing Agreement:

📧 legal@suplifai.com

Subject: "DPA — [Your company name]" · Response time: maximum 5 business days.