Data Processing Agreement
About this Agreement
This Data Processing Agreement (“DPA”) forms part of the DracoCam Terms of Service between Chicha Technology, LLC (“DracoCam”, “we”, “Processor”) and the customer accepting the Terms of Service (“you”, “Controller”). It reflects the parties’ agreement on the processing of Personal Data in connection with the DracoCam security-monitoring Service (the “Service”).
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, and comparable data-protection laws. Where you act as a data controller of Personal Data processed through the Service, DracoCam acts as your data processor for that Personal Data.
1. Definitions
Terms used but not defined in this DPA (including “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Sub-processor”, and “Supervisory Authority”) have the meanings given to them in the GDPR.
“Customer Personal Data” means Personal Data processed by DracoCam on your behalf through the Service, including video recordings, audio captures, camera metadata, event detections, account details, and usage logs.
2. Subject matter, duration, and purpose
DracoCam will process Customer Personal Data only to provide, secure, and improve the Service in accordance with your documented instructions — including the instructions embedded in your use of the Service, the Terms of Service, and this DPA.
- Subject matter: provision of the DracoCam security-monitoring Service.
- Duration: for the term of the Terms of Service, plus any period during which Customer Personal Data remains in DracoCam’s possession pending deletion or return.
- Nature and purpose: capturing, transmitting, storing, analyzing, and notifying you of events from connected cameras and sensors that you operate.
- Types of Personal Data: video and audio recordings of your premises and of persons within range of your cameras; camera and device identifiers; account email; billing records; IP address and session logs.
- Categories of Data Subjects: you, your household members, employees, visitors, and any other persons whose image, voice, or activity is captured by a camera you operate.
3. Controller instructions
DracoCam will process Customer Personal Data only on your documented instructions, unless required to do otherwise by applicable law. If DracoCam is required by law to process Customer Personal Data other than on your instructions, we will — unless legally prohibited — inform you of that legal requirement before processing.
You are responsible for the lawfulness of the processing you instruct, including obtaining any consents, notices, or legal bases required to record video or audio of Data Subjects in your jurisdiction.
4. Confidentiality of personnel
DracoCam ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5. Security measures
DracoCam implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. Current measures include:
- Encryption in transit (TLS 1.2 or above) for all data transferred between the DracoCam agent, our backend, and your browser.
- Encryption at rest for video recordings and account data stored in Google Cloud Storage and Firestore.
- Per-user, JWT-based authentication with Firebase Authentication, custom-claim–gated access to subscription features, and optional multi-factor authentication.
- Principle of least privilege for internal access to production systems; access reviews conducted at least annually.
- Signed, platform-specific agent builds (Developer ID on macOS, Azure Trusted Signing on Windows, detached signatures on Linux) to protect the integrity of the on-device agent.
- Logging and monitoring of administrative access to production systems.
6. Sub-processors
You provide general authorization for DracoCam to engage sub-processors to support the provision of the Service. DracoCam’s current sub-processors are:
- Google Cloud Platform / Firebase (Google LLC, USA / EU regions) — authentication, database (Firestore, Realtime Database), object storage (Cloud Storage), hosting, cloud functions, push notifications.
- Stripe, Inc. (USA) — billing and payment processing. Card data is handled by Stripe directly; DracoCam does not store card numbers.
- Google Cloud Run (Google LLC) — hosting of the DracoBot support widget backend.
- Apple Inc. — notarization service for the macOS agent build artifact only; no Customer Personal Data is shared with Apple as part of notarization.
- Microsoft Corporation — Azure Trusted Signing for Windows agent signing; no Customer Personal Data is shared as part of signing.
DracoCam will notify you of any intended addition or replacement of sub-processors at least 30 days in advance via email or a prominent notice in the Service, giving you the opportunity to object on reasonable grounds related to data protection. If you object and we cannot reasonably accommodate your objection, you may terminate the affected portion of the Service.
DracoCam imposes on each sub-processor written obligations substantially equivalent to those set out in this DPA.
7. International transfers
DracoCam and its sub-processors may process Customer Personal Data in the United States and other countries outside the European Economic Area and the United Kingdom. Where such transfers occur from the EEA, the UK, or Switzerland, DracoCam relies on:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) incorporated by reference into this DPA; and
- where applicable, the UK International Data Transfer Addendum and Swiss FDPIC guidance; and
- where applicable, our participation or our sub-processors’ participation in recognized adequacy frameworks (including the EU–US Data Privacy Framework via our sub-processors).
8. Data subject rights
Taking into account the nature of the processing, DracoCam will — by appropriate technical and organizational measures, and insofar as possible — assist you in fulfilling your obligations to respond to requests from Data Subjects exercising their rights under applicable data-protection law (including rights of access, rectification, erasure, restriction, objection, and portability).
You retain primary responsibility for responding to Data Subject requests. DracoCam does not respond directly to Data Subjects on your behalf unless required by law.
9. Personal Data breach notification
DracoCam will notify you without undue delay — and in any event within 72 hours after becoming aware — of any confirmed Personal Data breach affecting Customer Personal Data. Notification will include, to the extent known, the nature of the breach, the approximate number of records and Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
10. DPIAs and prior consultation
DracoCam will provide reasonable assistance to enable you to carry out data-protection impact assessments and, where required, to consult your Supervisory Authority, taking into account the information available to DracoCam and the nature of the processing.
11. Return and deletion of Customer Personal Data
Upon termination or expiry of the Service, or upon your earlier written request, DracoCam will — at your choice — delete or return all Customer Personal Data and delete existing copies, unless retention is required by applicable law. Routine deletion of video recordings in accordance with your configured retention settings is not considered a request for return or deletion under this section.
12. Audits
DracoCam will make available to you all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice (no more than once in any 12-month period, except following a Personal Data breach or regulatory request), DracoCam will allow for and contribute to audits conducted by you or an auditor you mandate. Audits must be conducted during normal business hours, must not unreasonably interfere with the Service, and must be subject to appropriate confidentiality obligations. DracoCam may satisfy its audit obligations by providing recent third-party attestations or reports (for example, SOC 2 reports of its sub-processors) where these reasonably address your audit objectives.
13. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service or the Privacy Policy, this DPA prevails with respect to the processing of Customer Personal Data covered by the GDPR.
15. Contact
To exercise rights under this DPA, to request a countersigned copy, or for any privacy-related question, please contact us with the subject line “DPA”.