Last updated: 16/04/2026
Version: 1.0
1. Parties
Controller: the Customer, the natural or legal person holding the MuseRelay account.
Processor: Muse Layer LLC, operator of the MuseRelay platform (the "Processor"), with registered office at 5203 Juan Tabo Blvd, Ste 2B, Albuquerque, NM 87111, USA.
EU representative (Art. 27 GDPR): Screen Art S.L.U. (Spain).
2. Subject Matter
This Agreement governs the processing of personal data that the Processor performs on behalf of the Controller in the context of providing the MuseRelay service, in accordance with Regulation (EU) 2016/679 (GDPR) and other applicable regulations.
3. Nature, purpose and duration of processing
- Nature: hosting, storage, transmission, AI-based processing and querying of data.
- Purpose: provision of the conversational platform services contracted by the Controller.
- Duration: for the duration of the main contract and any legal retention periods.
4. Types of data and categories of data subjects
- Identification and contact data of the Controller's end users (name, email, phone when provided).
- Conversation content exchanged through the bot.
- Technical metadata: IP address, device, language, date and time.
- Categories of data subjects: customers, leads, visitors and employees of the Controller using the bot.
The Controller agrees not to provide the Processor with special categories of data (Art. 9 GDPR) unless a specific written agreement with additional security measures is in place.
5. Processor's obligations
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure confidentiality through formal commitments with all authorized personnel.
- Apply the technical and organizational measures described in Annex II.
- Assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, objection, restriction).
- Notify the Controller, without undue delay and within 72 hours at most, of any personal data breach.
- Delete or return data to the Controller upon termination, except as required by law.
- Make available to the Controller the information necessary to demonstrate compliance.
- Allow audits and provide relevant documentation in accordance with clause 9.
6. Subprocessors
The Controller authorizes the Processor to engage the subprocessors listed at /subprocessors. Any addition, removal or replacement will be notified to the Controller with at least 30 days' notice when reasonably possible, allowing the Controller to object on legitimate grounds. In such a case the parties will negotiate a solution in good faith and, failing that, the Controller may terminate the contract without penalty.
7. International data transfers
When a subprocessor operates outside the European Economic Area, processing is covered by Standard Contractual Clauses approved by the European Commission (Decision 2021/914) or, where applicable, the EU-US Data Privacy Framework for adhering US providers.
8. Return and deletion of data
Upon termination of the contract, the Processor will, at the Controller's choice, return or delete personal data within 30 days, except where retention is legally required.
9. Audit
The Controller may audit the Processor's compliance through: (i) compliance questionnaires, (ii) documentation of valid external certifications or audits, or (iii) an on-site audit with 30 days' notice, once a year at most, except in the case of a duly evidenced security breach.
10. Liability
Each party is liable to the other and to data subjects under Article 82 GDPR for damages caused by breach of its respective obligations. The exclusions and limitations of liability of the main contract also apply to this Agreement, unless mandatory law prohibits it.
11. Effective date
This Agreement takes effect upon acceptance by the Controller during signup or when they begin using the service (whichever occurs first), and remains in force for the duration of the contractual relationship.
Annex I — Controller details
The Controller's identification details are those provided during signup and maintained in the Fiscal data section of the organization panel.
Annex II — Technical and organizational measures of the Processor
- TLS 1.3 encryption in transit and at-rest encryption of integration tokens (API keys, OAuth) using AES-256.
- Logical isolation per organization (multitenancy with domain-based identification).
- Role-based access control, password hashing with bcrypt, revocable sessions.
- Audit logs of sensitive events (configuration changes, administrative access, exports).
- Daily encrypted backups with minimum 7-day retention.
- Documented incident response procedure with notification within 72 hours.
- Periodic dependency reviews and security patches.
- Confidentiality agreements with all personnel with access to data.
Annex III — List of subprocessors
The up-to-date list of subprocessors is available at /subprocessors and is kept current.
12. Legal version in force
This page presents the DPA content in the site format. The version formally accepted by customers during registration is available in immutable, versioned format at /legal/dpa/v1.
13. Contact
For any inquiries related to this Agreement: privacy@muserelay.com · DPO: dpo@muserelay.com