Data Processing Agreement
Version 1.0 Β· Last updated: 1 March 2025
This Data Processing Agreement ("DPA") governs how Altezzo Labs Pvt Ltd ("Rubo", the Processor) processes personal data on behalf of brokers (the Controller) using the Rubo platform. It is GDPR Article 28 compliant and forms part of the main Service Agreement.
Parties
Data Controller (Broker)
The broker organisation using the Rubo platform. As Controller, you determine the purposes and means of processing your clients' personal data.
1. Background and Purpose
The Controller operates an insurance or real estate brokerage business and uses the Rubo software platform ("the Service") to manage client communications via automated messaging channels.
In providing the Service, the Processor will process personal data on behalf of the Controller as described in this Agreement. This DPA forms part of, and is incorporated into, the main Service Agreement. In the event of conflict, this DPA shall take precedence with respect to data protection matters.
Controller responsibilities: The Controller determines the purposes and means of processing personal data and is responsible for ensuring a lawful basis under GDPR Article 6 (and Article 9 where special categories apply), and for providing required privacy notices to data subjects.
Processor responsibilities: The Processor processes personal data solely on the documented instructions of the Controller and shall not process personal data for any purpose other than those specified in this Agreement.
2. Categories of Data Subjects and Personal Data
2.1 Data Subjects
- Insurance and real estate clients of the Controller
- Prospective clients who have initiated contact via supported channels
2.2 Categories of Personal Data
| Category | Examples | Sensitivity |
|---|---|---|
| Identity data | Full name, username | Standard |
| Contact data | Phone, email, Telegram ID | Standard |
| Communication data | Chat messages, conversation history | Standard |
| Financial data | Policy references, claim information | Sensitive |
| Health data | Medical information in insurance queries | Special Category (Art. 9) |
| Location data | Country, city (inferred from context) | Standard |
Where data subjects provide health or other special category data in insurance queries, the Controller confirms it has obtained explicit consent under GDPR Article 9(2)(a) or relies on another applicable lawful basis.
3. Nature, Purpose, and Duration of Processing
3.1 Nature of Processing
- Storage of conversation messages in encrypted EU-based databases
- Analysis of message content by AI systems to generate response drafts
- Retrieval and display of conversation history to authorised broker staff
- Automated consent collection via configurable first-message workflow
- Generation of analytics and reporting data (aggregated and anonymised)
3.2 Purposes of Processing
- Enabling the Controller to respond to client enquiries via the Rubo platform
- Maintaining records of client communications for regulatory compliance
- Training and improving AI models (only with Controller's explicit opt-in consent)
3.3 Duration
Personal data shall be retained for the duration of the Controller's active subscription, plus a maximum of 30 days following termination to allow data export. The Controller may configure shorter retention periods within platform settings. Upon contract termination or written request, all personal data will be securely deleted within 30 days unless applicable law requires longer retention.
4. Sub-processors
The Processor uses the following sub-processors. The Controller provides general written authorisation for their engagement, subject to the notification requirements below.
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database storage and authentication | EU (Frankfurt, Germany) |
| Anthropic PBC | AI language model inference (Claude) | United States (SCCs) |
| Stripe Inc. | Payment processing (billing data only) | United States (SCCs) |
| Vercel Inc. | Web application hosting | EU region configured |
| Resend Inc. | Transactional email delivery | United States (SCCs) |
| Railway Corp. | Bot worker service hosting | United States (SCCs) |
The Processor shall notify the Controller at least 30 days before engaging a new sub-processor or making material changes to an existing arrangement. The Controller may object within 14 days; if no objection is raised, consent is deemed given.
All sub-processors are bound by data processing agreements imposing obligations equivalent to those in this DPA. Where sub-processors are located outside the EEA, appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions, or equivalent) are in place.
5. Controller Instructions
The Processor shall process personal data only in accordance with the Controller's documented instructions, including those set out in this DPA. The Controller's ongoing use of the platform constitutes documented instructions for all processing described herein.
If the Processor is required to process data for any other purpose by EU or Member State law, the Processor shall inform the Controller before processing unless the law prohibits disclosure.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject rights requests under GDPR Chapter III:
Right of access (Art. 15)
Export all data held for a client via the platform's GDPR export tool
Right to erasure (Art. 17)
Permanent deletion of all client data via the platform's GDPR delete tool
Right to rectification (Art. 16)
Correction of inaccurate data via the platform interface
Right to restriction (Art. 18)
Flagging data for restricted processing
Right to portability (Art. 20)
Export in machine-readable JSON format
The Processor shall respond to forwarded data subject requests within 72 hours. Self-service tools are available under Settings > Privacy for handling data subject access requests (DSARs).
7. Security Measures
7.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all database storage |
| Encryption in transit | TLS 1.3 for all network communications |
| Access control | Role-based access control (RBAC) with least-privilege principles |
| Authentication | Multi-factor authentication enforced for all staff |
| Key management | Cryptographic keys rotated quarterly |
| Data isolation | Each broker tenant's data is logically isolated via row-level security |
| Audit logging | All sensitive operations logged with immutable audit trail |
7.2 Organisational Measures
| Measure | Implementation |
|---|---|
| Staff training | Annual GDPR and security awareness training |
| Data minimisation | Only minimum necessary data collected and retained |
| Privacy by design | GDPR considerations built into every development cycle |
| Vendor assessment | Security reviews conducted for all sub-processors |
| Incident response | Documented incident response procedure with defined escalation paths |
8. Personal Data Breaches
The Processor shall notify the Controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting Controller data.
Notification shall include, to the extent available:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Processor shall cooperate fully with the Controller in notifying supervisory authorities and data subjects where required under GDPR Articles 33 and 34.
9. Data Protection Impact Assessments
The Processor shall assist the Controller in carrying out Data Protection Impact Assessments (DPIAs) under GDPR Article 35 where processing is likely to result in high risk. DPIAs may be required for large-scale processing of special category data, systematic profiling, or use of new AI technologies.
10. Confidentiality
The Processor shall ensure that persons authorised to process personal data are subject to contractual or statutory obligations of confidentiality. Access to personal data is limited to personnel who require access for the purposes of this Agreement.
11. Return and Deletion of Data
Upon termination of the Service Agreement, at the Controller's choice, the Processor shall:
- Provide a full export of all personal data in JSON format, and/or
- Securely and permanently delete all personal data
Deletion shall be completed within 30 days of the termination date or written request. The Processor shall provide written confirmation of deletion upon request. Anonymised, aggregated data may be retained for service improvement purposes.
12. Audit Rights
The Controller may audit the Processor's compliance with this DPA upon 30 days' written notice, no more than once per calendar year. The Processor shall make available all information necessary to demonstrate compliance with GDPR Article 28.
The Controller may request the results of any independent security audit or certification (e.g., ISO 27001, SOC 2) in lieu of conducting their own audit.
13. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor ensures such transfers comply with GDPR Chapter V, including through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules (BCRs)
Details of international transfers are described in Section 4 (Sub-processors above). All primary data storage remains within the EU (Frankfurt, Germany) via Supabase.
14. Governing Law and Amendments
This DPA is interpreted in accordance with the EU General Data Protection Regulation (GDPR) 2016/679 and applicable national implementing legislation. The governing law and jurisdiction shall be as agreed in the Controller's main Service Agreement.
This DPA may be amended by mutual written agreement. The Processor may update this DPA to reflect changes in data protection law or processing activities, with 30 days' prior notice to the Controller.
Request a Signed DPA
Enterprise and Business customers may request a countersigned version of this DPA. Contact our privacy team to initiate the process.
This DPA is provided for informational purposes. A countersigned agreement is required for contractual effect. We recommend having this document reviewed by qualified data protection legal counsel before execution.