Data Processing Agreement (DPA)
Last updated: April 2026 · Pursuant to GDPR Article 28
This Data Processing Agreement forms part of the Terms of Service between MsgBox (the Processor) and you, the site owner (the Controller). By using MsgBox, you accept this DPA.
1. Definitions
- "Controller" — the website owner who uses MsgBox to provide a chat widget to their visitors and determines the purposes and means of processing personal data.
- "Processor" — MsgBox / NBPlugins, which processes personal data on behalf of the Controller.
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" — any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" — the individual whose Personal Data is processed (your website visitors).
2. Subject Matter & Nature of Processing
MsgBox processes Personal Data to provide the AI chat widget service, including:
- Receiving and storing chat messages from website visitors
- Transmitting messages to AI providers to generate responses
- Storing contact form submissions (name, phone, email)
- Delivering push notifications to the site owner
- Logging IP addresses for rate limiting and security
3. Categories of Personal Data Processed
| Category | Examples |
|---|---|
| Identification data | Name, phone number, email (from contact forms) |
| Communication data | Chat message content |
| Technical data | IP address, browser language, session ID |
Important: MsgBox does not process special categories of data (sensitive data under GDPR Article 9) by design. You must not use the chat widget to collect health data, religious beliefs, political opinions, or other sensitive categories.
4. Categories of Data Subjects
Visitors to the Controller's website who interact with the MsgBox chat widget.
5. Duration of Processing
Processing continues for the duration of the service agreement. Upon termination, all Personal Data is deleted within 30 days unless a longer retention period is required by law.
6. Processor Obligations
MsgBox shall:
- Process Personal Data only on documented instructions from the Controller (i.e., as required to provide the service)
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Not engage new Sub-processors without informing the Controller (see Section 7)
- Assist the Controller in responding to Data Subject requests where technically feasible
- Delete or return all Personal Data at the end of the service relationship
- Provide all information necessary to demonstrate compliance with GDPR Article 28
7. Sub-processors
MsgBox may engage third-party sub-processors to provide parts of the service, including:
- AI infrastructure providers — Chat messages are transmitted to third-party infrastructure providers in order to generate responses. Messages are not stored permanently by these providers.
- Email delivery providers — Used to send transactional emails (e.g. welcome emails, password resets).
- Push notification providers — Used to deliver real-time notifications to site owners.
The list of sub-processors may change from time to time. All sub-processors are bound by appropriate data protection agreements. Data transfers outside the EEA are made under Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms.
8. Technical & Organisational Security Measures
MsgBox implements the following measures in accordance with GDPR Article 32:
- Encryption in transit: All data transmitted via HTTPS / TLS 1.2+
- Encryption at rest: Chat messages and contact form data encrypted with AES-256-CBC; unique encryption key per site
- Access control: Admin access restricted by IP whitelist; dashboard access requires authenticated session
- Password security: Passwords hashed with bcrypt (cost factor 12+)
- Rate limiting: Multi-layer rate limiting to prevent abuse and enumeration attacks
- Audit logging: Failed login attempts and security events logged
- Data minimisation: Only data necessary to deliver the service is collected
9. Data Subject Rights Assistance
If a Data Subject (website visitor) submits a request to the Controller regarding their rights (access, erasure, portability, etc.), the Controller may contact MsgBox at support@nbplugins.com to request the relevant data or deletion. MsgBox will respond within 5 business days.
10. Personal Data Breach Notification
MsgBox will notify the Controller without undue delay, and in any case no later than 48 hours after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects. Notification will include:
- The nature of the breach
- Categories and approximate number of individuals and records affected
- Likely consequences
- Measures taken or proposed to address the breach
The Controller remains responsible for notifying the relevant supervisory authority within 72 hours as required by GDPR Article 33.
11. Controller Obligations
As the Controller, you are responsible for:
- Having a valid legal basis for collecting and processing your visitors' data through the chat widget
- Providing your website visitors with an appropriate privacy notice that discloses the use of MsgBox
- Ensuring your use of MsgBox complies with all applicable data protection laws in your jurisdiction
- Not inputting special category data (health, religion, etc.) into the widget
- Responding to Data Subject requests from your visitors
12. Audit Rights
The Controller may, with 30 days' written notice, request information necessary to demonstrate MsgBox's compliance with this DPA. Such audits shall be conducted during normal business hours, no more than once per year, at the Controller's expense.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. MsgBox is not liable for processing carried out by the Controller outside MsgBox's instructions.
14. Governing Law
This DPA is governed by the laws of the State of Israel. Where the Controller is established in the EU/EEA, EU data protection law applies to the extent required by GDPR.
15. Updates to This DPA
MsgBox may update this DPA to reflect changes in law or the service. Significant changes will be notified by email. Continued use of the service after notification constitutes acceptance.