Data Processing Agreement
Last updated: 4 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("you", the Controller) and Limelai Limited, a company registered in England and Wales (company no. 16486216), trading as comxbot("we", the Processor), under which we process personal data on your behalf when you use the comxbot service.
This is our standard DPA. A countersigned copy for your records, or review of your own paper, can be arranged by emailing dpo@comxbot.com. Where you and we have signed a separate negotiated DPA, that document prevails over this one.
1. Definitions
"UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018. "Controller", "Processor", "data subject", "personal data", "processing" and "personal data breach" have the meanings given in the UK GDPR. "Customer Personal Data" means personal data we process on your behalf under the agreement, as described in Annex 1. "Sub-processor" means a third party engaged by us to process Customer Personal Data.
2. Roles and scope
You are the Controller and we are the Processor in respect of Customer Personal Data. Typically, when you deploy an assistant to your own website or channels, you are the Controller of the visitor and learner data processed through that assistant, and we act as your Processor. We process Customer Personal Data only to provide and support the service and as set out in this DPA. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.
3. Processing on documented instructions
We will process Customer Personal Data only on your documented instructions, including the agreement, this DPA, your configuration and use of the service, and any further written instructions you give, unless required to process by applicable law (in which case we will inform you of that legal requirement before processing, unless the law prohibits this). We will inform you if, in our opinion, an instruction infringes the UK GDPR.
4. Confidentiality
We ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and access Customer Personal Data only on a need-to-know, least-privilege basis.
5. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to individuals, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our current measures are described in Annex 2.
6. Sub-processors
You give general authorisation for us to engage Sub-processors to process Customer Personal Data. Our current Sub-processors are listed at comxbot.com/sub-processors (Annex 3). We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA. Where we intend to add or replace a Sub-processor, we will give you prior notice (by updating that page and, on request, by email) so that you may object on reasonable data-protection grounds. We remain responsible for the acts and omissions of our Sub-processors.
7. International transfers
Most Customer Personal Data is processed in the UK and the European Union. Where Customer Personal Data is transferred outside the UK (for example, to a Sub-processor in the United States), we ensure an appropriate safeguard is in place under the UK GDPR — typically the UK Addendum to the EU Standard Contractual Clauses, or another mechanism recognised under the UK GDPR — together with any supplementary measures required.
8. Assistance with data subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (including access, rectification, erasure, restriction, portability and objection). The service also provides self-service tools to export and delete workspace data. If we receive a request relating to your Customer Personal Data directly, we will, unless legally required to respond, advise the data subject to contact you and inform you of the request.
9. Personal data breaches
We maintain an incident-response process for suspected or actual personal data breaches. If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay after becoming aware, and provide you, in phases where necessary, with information reasonably available to us to help you meet your own obligations — including, so far as known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. To report a suspected security issue, contact dpo@comxbot.com.
10. Data protection impact assessments
Taking into account the nature of processing and the information available to us, we will provide reasonable assistance with your data protection impact assessments and any prior consultation with the ICO.
11. Return or deletion of data
On termination of the service, and at your choice, we will delete or return Customer Personal Data and delete existing copies, unless applicable law requires storage. Customer Personal Data is also subject to the configurable retention and automatic-deletion settings in the service. After account closure, residual data is deleted in line with our published retention periods, save where retention is required by law (for example, billing records).
12. Audits and information
We will make available to you information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits are subject to reasonable notice, confidentiality, and frequency and scope limits to protect the security and privacy of other customers; we may satisfy audit requests by providing relevant documentation and responses to a reasonable security questionnaire.
13. Liability, term and precedence
This DPA is part of, and subject to, the agreement, including its limitations and exclusions of liability. It takes effect when you accept the agreement or first use the service, and continues for as long as we process Customer Personal Data. In the event of conflict between this DPA and the agreement on the subject of data protection, this DPA prevails. This DPA is governed by the laws of England and Wales.
Annex 1 — Details of processing
Subject matter and duration
Provision of the comxbot AI assistant service, for the duration of the agreement plus any retention period.
Nature and purpose
Hosting and processing of your knowledge content; receiving and answering questions through assistants you deploy; logging conversations with sources and confidence; and related analytics, support and security functions.
Categories of data subjects
Your staff and authorised users; and the visitors, enquirers and learners who interact with assistants you deploy.
Types of personal data
Account and contact details; the content of questions and answers and any personal data a user chooses to include in a conversation; lead and enquiry details you collect; and, where you enable relevant features, learner profile information. You control what personal data is included in your knowledge sources and collected through your assistants. You should not submit special category data unless necessary, and you are responsible for having a lawful basis to do so.
Annex 2 — Technical and organisational measures
Our current security measures include:
- Encryption in transit (TLS 1.2+) and encryption at rest. Stored third-party credentials (such as AI provider keys) are additionally encrypted using authenticated AES-256-GCM encryption.
- Tenant isolation: customer data is segregated by workspace, and access is scoped to the authenticated workspace.
- Access control: role-based access (Owner, Admin, Member) on a least-privilege basis, with optional single sign-on (SSO) for customer organisations.
- Audit logging of workspace changes, and conversation logging with sources and confidence for accountability.
- Rate limiting and abuse protections on public endpoints.
- Data minimisation and retention: configurable retention periods with automatic deletion of expired conversations and logs.
- Safeguarding controls (for education customers): risk detection with escalation to a Designated Safeguarding Lead and separate logging of alerts.
- Organisational measures: confidentiality obligations on personnel, least-privilege access, and review of security measures.
As security is iterative, these measures may be updated provided the level of protection is not materially reduced.
Annex 3 — Sub-processors
Our current Sub-processors, what they do, where they process data and the applicable transfer safeguards are published and kept up to date at comxbot.com/sub-processors.
comxbot is a product of Limelai Limited, a company registered in England and Wales. Company number: 16486216. Registered office: 86-90 Paul Street, London, EC2A 4NE.