Data Processing Addendum (DPA)

Effective Date: May 1, 2026

Last Updated: June 18, 2026

Company: AllWeb Solutions, LLC

> How This DPA Works: This Data Processing Addendum is incorporated by reference into the AllWeb Solutions Terms of Service ("Agreement") and applies automatically to all Partner Organizations using the Platform. You do not need to sign a separate document for this DPA to take effect — by accepting the Terms of Service, you accept this DPA. Enterprise customers requiring a countersigned DPA for their own compliance purposes may request one at legal@allweb.solutions.


1. Purpose and Scope

This Data Processing Addendum ("DPA") governs the processing of Personal Data by AllWeb Solutions, LLC ("Processor") on behalf of Partner Organizations ("Controller") in connection with the Services described in the Agreement.

This DPA applies where and to the extent that AllWeb Solutions processes Personal Data originating from or relating to the Controller's end-users, customers, or employees ("Data Subjects") in the course of providing the Services. It does not apply to Personal Data that AllWeb Solutions collects directly from Users who register for Platform accounts on their own behalf — that processing is governed by the Privacy Policy.


2. Definitions

For purposes of this DPA:

"Controller" means the Partner Organization that determines the purposes and means of processing of Personal Data. The Partner Organization is the Controller in respect of its own end-users' data.

"Processor" means AllWeb Solutions, LLC, which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is protected as personal data, personal information, or a similar term under applicable data protection law.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by AllWeb Solutions to process Personal Data in connection with the Services.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the California Consumer Privacy Act (CCPA/CPRA), the Illinois Personal Information Protection Act (PIPA), and any other applicable state or federal privacy laws, as amended from time to time.

"Security Incident" means any confirmed unauthorized acquisition, access, use, disclosure, modification, or destruction of Personal Data.


3. Roles and Responsibilities

3.1 Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis for processing Personal Data and for transferring Personal Data to AllWeb Solutions for the purposes described in the Agreement
  • It has provided all required notices to and obtained all required consents from Data Subjects as required by Applicable Data Protection Law
  • Its instructions to AllWeb Solutions regarding the processing of Personal Data are and will remain consistent with Applicable Data Protection Law
  • It is responsible for the accuracy, quality, and legality of all Personal Data it provides to AllWeb Solutions

3.2 Processor Obligations

AllWeb Solutions agrees to:

  • Process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Agreement, unless required to do so by applicable law
  • Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures as described in Section 6
  • Assist the Controller in responding to Data Subject rights requests as described in Section 7
  • Notify the Controller of Security Incidents as described in Section 8
  • Delete or return Personal Data upon termination of the Agreement as described in Section 9
  • Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA

4. Nature and Purpose of Processing

4.1 Subject Matter

AllWeb Solutions processes Personal Data to provide the Services described in the Agreement, including operating AI-powered chat widgets, managing knowledge base content, delivering notifications, and tracking session activity on behalf of the Controller.

4.2 Duration

AllWeb Solutions will process Personal Data for the duration of the Agreement and for such additional period as is required by applicable law or as needed to resolve disputes, enforce the Agreement, or comply with legal obligations.

4.3 Types of Personal Data Processed

The types of Personal Data processed depend on the features used by the Controller and may include:

| Data Category | Description | Platform Features Involved |
|---|---|---|
| Conversation content | Messages and prompts submitted by end-users to AI widgets | AI chat widgets, partner support chat |
| Session identifiers | Browser session IDs and cookies | All widget features |
| WordPress user IDs | Numeric user IDs passed by the Controller's WordPress site | WordPress plugin integration |
| Contact information | Name, email, phone submitted through escalation forms | Escalation / contact forms |
| Booking details | Appointment details submitted through scheduling features | Scheduling / booking features |
| Usage metadata | Timestamps, session duration, interaction counts | All features |

AllWeb Solutions does not intentionally collect sensitive personal information (as defined under CPRA or equivalent laws) through the embedded widget features unless explicitly provided by end-users in free-text fields.

4.4 Categories of Data Subjects

Data Subjects whose Personal Data may be processed under this DPA include the Controller's website visitors, customers, and end-users who interact with widgets deployed by the Controller on its own platforms.


5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes AllWeb Solutions to engage sub-processors to assist in providing the Services. AllWeb Solutions remains responsible for the acts and omissions of its sub-processors to the same extent as if AllWeb Solutions performed the processing directly.

AllWeb Solutions maintains an internal list of sub-processors, which includes categories of service providers such as AI language model providers, AI image and video generation services, cloud object storage providers, payment processors, and communication service providers. The current list is available to Controllers upon request submitted to legal@allweb.solutions with the subject line "Sub-processor List Request."

5.2 Changes to Sub-processors

AllWeb Solutions will provide the Controller with at least 30 days' prior written notice (via email to the Controller's account email address) of any addition or replacement of a Sub-processor that may materially affect the processing of Personal Data. The Controller may object to the addition or replacement of a Sub-processor by providing written notice to legal@allweb.solutions within 30 days of receiving notice. If the Controller objects and AllWeb Solutions cannot accommodate the objection, AllWeb Solutions will notify the Controller, and the Controller may terminate the Agreement without penalty within 60 days of receiving that notification, limited to the portion of the Services affected by the objection.


6. Security Measures

AllWeb Solutions implements and maintains commercially reasonable technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encrypted storage of sensitive credentials and authentication tokens
  • Access controls limiting personnel access to Personal Data on a need-to-know basis
  • Regular monitoring and logging of access to production systems
  • Logical separation of Controller data from other Controller accounts

AllWeb Solutions does not guarantee that its security measures will be impenetrable or that unauthorized access will never occur. The Controller is responsible for implementing appropriate security measures on its own systems, platforms, and applications.


7. Data Subject Rights

7.1 Assistance with Rights Requests

AllWeb Solutions will, taking into account the nature of the processing, provide reasonable assistance to the Controller in fulfilling Data Subject rights requests (such as rights of access, correction, deletion, and portability) to the extent AllWeb Solutions holds relevant Personal Data and the request cannot be fulfilled by the Controller acting on its own.

7.2 Forwarding Requests

If AllWeb Solutions receives a Data Subject rights request that is identifiable as relating to a Controller's end-user, AllWeb Solutions will promptly forward the request to the Controller. AllWeb Solutions will not respond directly to Data Subject requests on the Controller's behalf unless separately instructed in writing.

7.3 Costs

AllWeb Solutions may charge the Controller reasonable costs for providing assistance under this Section if the volume or complexity of requests exceeds what is reasonably incidental to the Services.


8. Security Incident Notification

8.1 Notification Timeline

AllWeb Solutions will notify the Controller of a confirmed Security Incident affecting the Controller's Personal Data without undue delay, and in any event within 72 hours of AllWeb Solutions becoming aware that a Security Incident has occurred.

8.2 Content of Notification

The notification will include, to the extent available at the time of notification:

  • A description of the nature of the Security Incident
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate volume of Personal Data records affected
  • The likely consequences of the Security Incident
  • Measures taken or proposed by AllWeb Solutions to address the Security Incident

AllWeb Solutions may provide information in phases as it becomes available. The Controller is responsible for determining whether and how to notify its own end-users and regulatory authorities.

8.3 Cooperation

AllWeb Solutions will cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of the Security Incident.


9. Deletion and Return of Data

9.1 Upon Termination

Upon termination or expiration of the Agreement, AllWeb Solutions will, at the Controller's written election, either:

  • Delete all Personal Data processed under this DPA within a commercially reasonable period not to exceed 90 days; or
  • Return to the Controller a copy of the Personal Data in a structured, commonly used format, to the extent technically feasible, and then delete such Personal Data

AllWeb Solutions may retain Personal Data for longer periods where required by applicable law, and will notify the Controller of any such retention obligation.

9.2 Certification

Upon the Controller's written request, AllWeb Solutions will provide written confirmation that deletion or return has been completed in accordance with this Section.


10. Audit Rights

AllWeb Solutions will make available to the Controller information reasonably necessary to demonstrate AllWeb Solutions' compliance with this DPA, upon written request submitted to legal@allweb.solutions with at least 30 days' advance notice. AllWeb Solutions may require the Controller to execute a reasonable non-disclosure agreement as a condition of providing such information. Audits shall be conducted at the Controller's expense, no more than once per calendar year, and shall be conducted in a manner that minimizes disruption to AllWeb Solutions' operations.


11. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA is intended to limit either party's liability to the other in cases of willful misconduct, fraud, or obligations imposed by Applicable Data Protection Law that cannot be limited by contract.


12. Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall govern with respect to the subject matter of data processing. In all other respects, the Agreement continues in full force.


13. Governing Law

This DPA is governed by the laws of the State of Illinois, without regard to conflict-of-law principles. Disputes arising under this DPA are subject to the dispute resolution provisions of the Agreement.


14. Contact

For data processing inquiries, sub-processor list requests, audit requests, or to report a data protection concern:

AllWeb Solutions, LLC — Data Protection

8745 W. Higgins Rd., Suite 110

Chicago, IL 60631

Email: legal@allweb.solutions

Subject Line: "DPA Inquiry"


Data Processing Addendum © 2026 AllWeb Solutions, LLC. All rights reserved.