This Data Processing Agreement ("DPA") explains how BYTELOOM (PVT) LTD, operating Control Tower, processes personal data on behalf of customers who connect Control Tower to an Intercom workspace.
The customer is the controller or processor of the personal data in its Intercom workspace. BYTELOOM (PVT) LTD acts as a processor or subprocessor for the limited purpose of providing Control Tower.
Control Tower processes Intercom conversation data to provide risk monitoring, risk scoring, alerts, dashboard review, escalation workflows, QA review, audit history, subscription management, and support. Processing continues while the customer account is active and for the retention periods described in our Privacy Policy.
Data subjects may include the customer's Intercom end users, leads, customers, support agents, managers, administrators, and billing contacts.
We process personal data only to provide Control Tower, comply with documented customer instructions, maintain security, comply with applicable law, and support billing, troubleshooting, abuse prevention, and customer support.
Access to production systems is limited to authorized personnel who need access to operate, secure, or support the service. Personnel with access to customer data are required to protect that data and use it only for authorized purposes.
Control Tower uses technical and organizational measures described in our Security Overview, including HTTPS/TLS in transit, encrypted Intercom OAuth tokens, managed PostgreSQL, access controls, production configuration checks, and retention/deletion controls.
We use subprocessors only where needed to provide the service:
Control Tower may process data outside the country where the customer or data subject is located. Where required, we will support appropriate transfer mechanisms such as standard contractual clauses or equivalent safeguards.
We will assist customers with reasonable requests to access, correct, export, restrict, or delete personal data processed by Control Tower. Requests can be sent to support@controltower.live.
Customers may request deletion of organization data from the Control Tower dashboard or by contacting support. After deletion, personal conversation data is removed from active systems except where limited records must be retained for billing, legal, tax, fraud prevention, dispute resolution, or security purposes.
If we become aware of a confirmed or suspected personal data breach affecting Control Tower customer data, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware of the breach. Where the breach involves Intercom data or the Intercom Developer Platform, we will notify Intercom within 72 hours as required by Intercom's developer terms.
Notices will include the information reasonably available to us, such as the nature of the incident, affected data categories, affected customers, mitigation steps, and recommended customer actions.
Upon reasonable written request, we will provide information needed to demonstrate compliance with this DPA, subject to confidentiality, security, and operational limitations.
For DPA, privacy, or data protection questions, contact support@controltower.live. Security concerns can be reported to security@controltower.live.