Data Processing Agreement

1. Definitions

The following terms have the meanings set forth below, consistent with the Israeli Protection of Privacy Law, 1981 and Amendment 13:

• Personal Data (מידע אישי): Any information relating to an identified or identifiable natural person.
• Database Owner (בעל מאגר מידע): The entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Database Owner.
• Data Holder/Processor (מעבד מידע): The entity that processes Personal Data on behalf of the Database Owner. Under this DPA, FRENZY.BOT is the Data Holder.
• Data Subject (נושא המידע): An identified or identifiable natural person whose Personal Data is processed.
• Basic Security Level (רמת אבטחה בסיסית): The default security level as defined under the Privacy Protection Regulations (Data Security), 5777-2017.

2. Scope

This DPA applies whenever FRENZY.BOT processes Personal Data on behalf of the Customer in connection with the Service.

Processing is governed by the Israeli Protection of Privacy Law, 1981 and the Privacy Protection Regulations (Data Security), 5777-2017 (Amendment 13).

The default security level applied to all Customer accounts is Basic. Higher security levels (Medium or High) require a separate written agreement and may involve additional costs.

3. Roles and Responsibilities

Customer (Database Owner)

The Customer is the Database Owner and is responsible for:

• Registering the database with the Israeli Privacy Protection Authority, if required by law
• Providing appropriate privacy notices to end users
• Obtaining all necessary consents from Data Subjects
• Configuring security settings appropriate to the sensitivity of the data processed
• Ensuring compliance with applicable privacy laws in the Customer's jurisdiction

FRENZY.BOT (Data Holder/Processor)

FRENZY.BOT processes Personal Data solely as necessary to deliver the Service, in accordance with the Customer's instructions and this DPA. FRENZY.BOT will not process Personal Data for any other purpose.

4. Security Measures

FRENZY.BOT implements the following security measures to protect Personal Data:

• SSL/TLS encryption in transit for all widget and dashboard traffic
• Fernet symmetric encryption for sensitive settings (API keys, OAuth tokens, TOTP secrets)
• bcrypt password hashing with per-user salts
• Role-based access controls (RBAC) with per-bot membership permissions
• IP restriction options for dashboard access
• Encrypted backups (AES-256-CBC or password-protected archives)
• Server hardening: SSH port randomization, UFW firewall, kernel tuning, Docker isolation

The Customer may configure additional security settings through the management dashboard to meet their specific requirements.

5. Subprocessors

The Customer authorizes FRENZY.BOT to use the following subprocessors in connection with the Service:

• OpenRouter, Inc. — AI model routing and inference
• Graphiti (Zep Inc.) — Temporal knowledge graph and agent memory (self-hosted)
• Google LLC — Identity provider (Google OAuth for frenzy.bot sign-in)
• BunnyCDN (Bunny.net) — Release storage and token-auth CDN distribution
• Qdrant Solutions GmbH — Vector database (self-hosted on Customer server)
• WAHA (self-hosted) — WhatsApp HTTP API gateway
• Hetzner Online GmbH — Default VPS hosting (Customer servers)
• Cloudflare, Inc. — DNS, CDN, and DDoS protection

An updated list of subprocessors is available upon written request. Self-hosted components (Loki/Grafana logging stack, Caddy + Coraza WAF, and Postfix email) run entirely on FRENZY.BOT infrastructure and are therefore not listed as separate subprocessors.

6. Infrastructure Administrative Access

FRENZY.BOT operates a managed hosting model in which all client virtual private servers (VPS) are provisioned within a centralized Hetzner Cloud project owned and administered by FRENZY.BOT. This architecture is consistent with the standard operational model used by managed hosting and platform-as-a-service providers worldwide (e.g., WP Engine, Cloudways, Heroku, Render).

As part of this model, FRENZY.BOT maintains the following administrative access capabilities over client infrastructure:

• Cloud Management Console: Full server management including power control, console access, resizing, deletion, snapshots, and networking configuration
• Cloud API: Programmatic access to all server management functions via a centralized API key
• VNC Console: Root shell access to any client VPS via the hosting provider's remote console
• SSH Keys: Direct root SSH access to client servers for provisioning, maintenance, and support
• Firewall Management: Ability to view and modify firewall rules for any client server
• Server Snapshots: Ability to create full disk snapshots of any client server
• Server Lifecycle: Ability to create, suspend, or permanently delete any client VPS and all associated data

This administrative access cannot be independently revoked by the Client and is inherent to the managed service model. The Client acknowledges and consents to this access as a condition of using the Service.

Principle of Least Privilege

FRENZY.BOT applies the principle of least privilege to all administrative access:

• Justified Access: Administrative access is exercised only for legitimate business purposes including provisioning, maintenance, security patching, and client-requested support
• Limited Access: Only authorized FRENZY.BOT personnel have access to the Hetzner Cloud API key, web console, and SSH credentials
• Audited Access: All use of privileged access is logged and auditable (see Section 7)
• Proportional Access: FRENZY.BOT does not access client data, applications, or databases unless required to fulfill a specific support request or security obligation

Legal Basis and Client Safeguards

Under a managed hosting model, the Service Provider requires ongoing administrative access to client infrastructure for legitimate operational purposes including:

• Provisioning new servers and scaling resources
• Applying operating system and security patches
• Responding to infrastructure incidents and outages
• Managing hosting provider billing and resource allocation

This access model is compliant with the Israeli Privacy Protection Regulations (Amendment 13) and GDPR Article 28, provided that: (a) this DPA explicitly discloses and governs such access; (b) all privileged access is audited (see Section 7); (c) the Client is informed of the access scope; and (d) the Client retains the right to terminate the Service and export all data at any time.

The Client may terminate the Service in accordance with the Terms of Service. Upon termination, the Client may export all data via the management dashboard prior to account closure (see Section 9).

Automated Backups and Disaster Recovery

FRENZY.BOT creates automated daily snapshots of each client VPS for disaster recovery purposes. Snapshots are full disk images and may contain all data stored on the server, including databases, file uploads, configuration files, and application logs.

The following safeguards apply to all automated backups:

• Retention Period: Snapshots are retained for 7 days. Older snapshots are automatically deleted — no data is hoarded beyond the retention window
• Encryption at Rest: Snapshots are stored on Hetzner's encrypted storage infrastructure
• Data Residency: Snapshots remain in the same Hetzner datacenter region as the source VPS
• Audit Logging: All snapshot creation and deletion operations are logged (see Section 7)
• Deletion on Termination: When the Service is terminated for a client, all snapshots associated with that client's VPS are permanently deleted as part of the decommissioning procedure (see Section 9)

If a Client exercises their right to data erasure, automated backup snapshots containing erased data may persist for up to 7 days until the normal retention cycle purges them. During this period, erased data will not be actively restored from any backup. This approach is consistent with industry-standard backup retention practices (ISO 27001 A.8.10) and is documented here as required by Amendment 13 and GDPR Article 17(3)(e).

7. Audit Logging and Accountability

FRENZY.BOT maintains audit logs for administrative actions performed on client infrastructure. The following actions are logged:

• VPS Provisioning and Deletion: Logged by Hetzner Cloud audit trail
• VNC Console Access: Logged by Hetzner Cloud audit trail and centrally by FRENZY.BOT
• Server Power Actions: Start, stop, and reboot events logged by Hetzner Cloud audit trail
• Firewall Changes: All rule modifications logged by Hetzner Cloud audit trail
• Snapshot Operations: Automated daily backup creation, manual snapshots, deletion, and restoration logged by Hetzner Cloud audit trail and centrally by FRENZY.BOT
• API Usage: All Hetzner Cloud API calls logged by the provider's audit system
• SSH Connections: All SSH connections to client servers are logged centrally by FRENZY.BOT

Audit logs are retained for a minimum of 12 months. The Client may request access to audit logs pertaining to their infrastructure upon written request.

Logs are aggregated to a dedicated, centralized logging server that is separate from client infrastructure. Log transport is encrypted via TLS, and access to the logging platform is restricted by IP allowlist to authorized FRENZY.BOT personnel only. This architecture ensures tamper-evident log storage, consistent with ISO 27001 controls A.8.15 (Logging) and A.8.16 (Protection of Log Information).

8. Data Subject Rights

The Customer is responsible for handling Data Subject requests (access, correction, deletion) in accordance with applicable law.

FRENZY.BOT will assist the Customer in fulfilling Data Subject requests where technically feasible, upon written request. The management dashboard provides tools for the Customer to view, export, and delete end-user data.

9. Data Retention and Deletion

The Customer controls data retention through their server and dashboard settings.

Upon termination of the Service:

• The Customer may export their data via the dashboard before account closure
• FRENZY.BOT will delete or anonymize Customer data within 30 days of termination, unless retention is required by law
• All automated backup snapshots for the Customer's VPS will be permanently deleted
• All SSH keys and access credentials associated with the Customer's server will be revoked and deleted
• All deletion actions are logged in the audit trail

Since FRENZY.BOT uses a self-hosted model, the Customer retains physical and logical control over their data at all times.

Data Erasure and Backup Retention: If the Customer requests deletion of specific data under applicable data protection law, that data will be deleted from the live server immediately. Automated backup snapshots containing the deleted data may persist for up to 7 days until the normal retention cycle purges them. During this retention window, deleted data will not be actively restored from any backup.

10. Data Breach Notification

In the event of a security incident involving Personal Data, FRENZY.BOT will:

• Notify the Customer without undue delay upon becoming aware of the breach
• Provide available details about the nature and scope of the breach
• Cooperate with the Customer in investigating and remediating the incident

FRENZY.BOT reserves the right to notify the Israeli Privacy Protection Authority directly if legally required to do so.

11. Liability

Liability under this DPA is governed by the liability provisions of the main Terms of Service.

The Customer agrees to indemnify FRENZY.BOT for any claims, damages, or penalties arising from the Customer's failure to comply with their obligations as Database Owner, including failure to register their database, provide required notices, or obtain necessary consents.

12. Governing Law

This DPA is governed by the laws of the State of Israel. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in Tel Aviv, Israel.

In the event of a conflict between this DPA and the Terms of Service regarding data protection matters, the provisions of this DPA shall prevail.