(UK GDPR & Data Protection Act 2018)

This Data Processing Agreement (“Agreement”) forms part of the contract for services (“Principal Agreement”) between:

(1) [Dealership Group or OEM Name], a company incorporated in England and Wales with registered number [●] and registered office at [●] (“Controller”); and

(2) EasiChat Limited, a company incorporated in England and Wales with registered number 13941463 and registered office at Beacon House, South Road, Weybridge, Surrey, KT13 9DZ (“Processor”).

Together, the “Parties”.

  1. Definitions and Interpretation

1.1 In this Agreement, the following terms have the meanings given in the UK GDPR:

  • “UK GDPR” means the UK General Data Protection Regulation.
  • “Data Protection Laws” means the UK GDPR and the Data Protection Act 2018, together with any applicable guidance from the ICO.
  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” and “Personal Data Breach” have the meanings set out in the UK GDPR.

1.2 “Dealership Data” means any Personal Data processed by the Processor on behalf of the Controller under the Principal Agreement.

  2. Roles of the Parties

2.1 The Controller is the Controller of the Dealership Data.
2.2 The Processor acts solely as a Processor and shall process Dealership Data only on documented instructions from the Controller.

  3. Scope of Processing

3.1 The Processor shall process Dealership Data only for the purpose of providing chatbot and related support services, including (where applicable):

  • Handling customer enquiries via website chat, SMS, WhatsApp, social media, or other messaging channels
  • Booking test drives, service appointments, and sales callbacks
  • Capturing lead and enquiry information
  • Providing analytics and performance reporting

3.2 The nature, duration, categories of data, and categories of Data Subjects are set out in Schedule 1.

  4. Processor Obligations

The Processor shall:

4.1 Process Dealership Data only on documented instructions from the Controller, including regarding transfers outside the UK.

4.2 Ensure that persons authorised to process Dealership Data:

  • Are subject to a duty of confidentiality; and
  • Receive appropriate data protection training.

4.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures described in Schedule 2.

4.4 Not engage another processor (Sub-processor) without prior written authorisation from the Controller in accordance with Clause 7.

4.5 Assist the Controller, taking into account the nature of processing, with:

  • Data Subject rights requests (Articles 15–22 UK GDPR);
  • Data protection impact assessments;
  • Consultations with the ICO where required.

4.6 Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

4.7 At the Controller’s choice, delete or return all Dealership Data upon termination of the Principal Agreement, unless retention is required by law.

4.8 Make available all information reasonably necessary to demonstrate compliance with this Agreement and allow audits as set out in Clause 10.

  5. Controller Obligations

The Controller warrants that:

5.1 It has a lawful basis for processing and sharing the Dealership Data with the Processor.
5.2 It has provided all required privacy information to Data Subjects.
5.3 Its instructions comply with Data Protection Laws.

  6. Confidentiality

6.1 The Processor shall keep Dealership Data confidential and shall not disclose it to third parties except as permitted by this Agreement or required by law.

  7. Sub-processors

7.1 The Controller grants the Processor general authorisation to use Sub-processors listed in Schedule 3.

7.2 The Processor shall:

  • Impose data protection obligations on Sub-processors no less protective than this Agreement; and
  • Remain fully liable for the acts and omissions of its Sub-processors.

7.3 The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller a reasonable opportunity to object.

  8. International Transfers

8.1 The Processor shall not transfer Dealership Data outside the UK unless:

  • The Controller has authorised the transfer; and
  • Appropriate safeguards are in place (such as the UK International Data Transfer Agreement or adequacy regulations).

  9. Liability

9.1 Each Party shall be liable for fines, claims, or losses arising from its own breach of Data Protection Laws.
9.2 Nothing in this Agreement limits liability where such limitation is not permitted by law.

  10. Audit and Compliance

10.1 The Processor shall allow the Controller, on reasonable notice and subject to confidentiality, to audit compliance with this Agreement.
10.2 Audits shall be limited to once per year unless required due to a Personal Data Breach or regulatory request.

  11. Term and Termination

11.1 This Agreement remains in force for the duration of the Principal Agreement.
11.2 Termination of the Principal Agreement automatically terminates this Agreement.

  12. Governing Law and Jurisdiction

12.1 This Agreement is governed by the laws of England and Wales.
12.2 The courts of England and Wales shall have exclusive jurisdiction.

Schedule 1 – Details of Processing

Subject Matter:
Provision of chatbot and customer engagement services for motor dealerships.

Duration:
For the term of the Principal Agreement.

Categories of Data Subjects:

  • Customers and prospective customers
  • Website visitors
  • Vehicle owners
  • Employees contacting the dealership

Categories of Personal Data:

  • Names
  • Contact details (phone, email, messaging IDs)
  • Vehicle information (registration, model, service needs)
  • Enquiry and conversation content
  • Appointment and booking details

Special Category Data:

None anticipated (unless explicitly instructed).