Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and VYRA DATA INC. (“Processor”) and applies to the processing of personal data by VYRA Data in the course of providing the Insights SaaS and related services to Controller.
This DPA is designed to satisfy Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the equivalent provisions of the UK Data Protection Act 2018 (“UK GDPR”).
A counter-signed copy is available on request to support@vyradata.com with the subject “DPA Request”.
1. Definitions
- Applicable Data Protection Law means the GDPR, UK GDPR, the Canadian Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”), Quebec Law 25, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other privacy or data-protection law applicable to the processing.
- Customer Personal Data means personal data processed by Processor on behalf of Controller in connection with the Services.
- Personal Data Breach has the meaning given by GDPR Article 4(12).
- SCCs means the Standard Contractual Clauses issued by the European Commission Implementing Decision (EU) 2021/914.
- UK IDTA means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
- Terms not defined here have the meanings given by Applicable Data Protection Law.
2. Scope and roles
Controller is the data controller and Processor is the data processor in respect of Customer Personal Data. Each party will comply with its obligations under Applicable Data Protection Law.
Processor will process Customer Personal Data only on documented instructions from Controller, including:
- To provide the Services described in the Terms.
- To carry out the configuration choices made by Controller in the application.
- To comply with Applicable Data Protection Law, in which case Processor will inform Controller of that legal requirement before processing, unless prohibited from doing so.
3. Processor obligations
Processor will:
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex 3 and the Security Overview).
- Assist Controller with data subject requests (Section 7) and security obligations under GDPR Articles 32–36.
- Make available all information necessary to demonstrate compliance and to allow for audits (Section 9).
- Notify Controller without undue delay of a Personal Data Breach (Section 8).
- On request, return or delete Customer Personal Data on termination (Section 10).
4. Subprocessors
Controller grants Processor a general authorization to engage subprocessors. The current list is maintained at /subprocessors and named in the Privacy Policy.
Processor will provide at least 30 days’ notice before engaging a new subprocessor that will process Customer Personal Data. Controller may object to the engagement within that notice period on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith, Controller may terminate the affected portion of the Services.
Processor will impose contractual obligations on each subprocessor that are no less protective than this DPA, and remains liable to Controller for the acts and omissions of its subprocessors.
5. International transfers
Where Customer Personal Data subject to the GDPR is transferred to a third country not covered by an adequacy decision, the parties agree to incorporate the SCCs (Module Two: Controller-to-Processor) by reference. For onward transfers from Processor to its subprocessors, Module Three (Processor-to-Processor) applies.
For transfers from the United Kingdom, the parties incorporate the UK IDTA. Annex 2 records the SCC and IDTA options selected.
For Quebec residents under Law 25, Processor will conduct a privacy impact assessment for transfers outside Quebec where the data warrants one and will make the assessment available to Controller on request.
6. Security measures
Processor implements the technical and organizational security measures described in the Security Overview and Annex 3 below, including encryption in transit and at rest, access controls (RBAC + MFA), audit logging, vulnerability management, and incident response.
7. Data subject requests
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Controller's obligation to respond to requests for exercising data subject rights under Applicable Data Protection Law.
If Processor receives a request directly from a data subject, Processor will promptly forward the request to Controller and, unless legally required, will not respond on Controller's behalf.
8. Personal data breaches
Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by GDPR Article 33(3) to the extent it is then available, and Processor will provide updates as further information becomes known.
9. Audits and assessments
Processor will make available to Controller, on request and not more than once per twelve-month period (except where required by a supervisory authority or following a Personal Data Breach):
- The most recent third-party penetration test summary.
- Independent attestations or certifications, when issued (SOC 2, ISO 27001 — see Security Overview).
- Reasonable written responses to Controller's security questionnaire.
- Where reasonably required by Applicable Data Protection Law, an on-site audit by Controller or an independent auditor, on at least 30 days’ notice, during business hours, subject to confidentiality and security controls.
10. Deletion and return on termination
On termination of the Services, Controller may export Customer Personal Data via the in-app export tools (Terms §39). After the 30-day post-termination window, Processor will delete Customer Personal Data from primary storage, and Customer Personal Data held in backups will roll off within 35 days.
Processor may retain Customer Personal Data to the extent and for the duration required by Applicable Data Protection Law, in which case Processor will continue to apply the security measures of this DPA to such retained data.
Annex 1 — Processing details
- Subject matter: Provision of the Insights SaaS and related services described in the Terms.
- Duration: For the term of the Services and any post-termination period described in Section 10.
- Nature and purpose: Hosting, storing, transmitting, processing, analyzing, and displaying Customer Personal Data to provide the Services. AI-assisted drafting via Vyn (see Privacy §5).
- Types of Customer Personal Data: Names, contact details, account credentials, business contact information, billing identifiers, IP addresses, device and usage data, OAuth tokens, customer-supplied content, AI prompts and outputs.
- Categories of data subjects: Customer authorized users (employees, contractors), Customer prospects and leads where Customer chooses to load them, end users represented in OAuth-connected platform data.
Annex 2 — SCCs and UK IDTA
Where the SCCs apply (EU Implementing Decision 2021/914), the parties select:
- Module Two for transfers from Controller (in EU/EEA) to Processor (in a third country).
- Module Three for onward transfers from Processor to its subprocessors.
- Clause 7 (docking clause): applicable.
- Clause 9 (general authorization), with 30-day notice as set out in Section 4.
- Clause 11(a) (independent redress mechanism): not selected.
- Clause 17 (governing law): the law of the EU Member State in which Controller is established, or where Controller is not established in the EU, the law of Ireland.
- Clause 18 (forum): the courts of the EU Member State whose law governs.
For transfers originating in the United Kingdom, the parties incorporate the UK IDTA (Version A1.0, issued under section 119A of the Data Protection Act 2018), with the SCCs above as the Approved EU SCCs to which the IDTA attaches.
Annex 3 — Technical and organizational security measures
Processor implements the following measures:
- Encryption of Customer Personal Data in transit using TLS 1.3.
- Encryption of OAuth tokens and credentials at rest using AES-256-GCM.
- Encryption of database backups using AES-256.
- Role-based access control (RBAC), least-privilege access for staff, mandatory MFA for administrators.
- Audit logging of authentication, authorization changes, exports, and administrative actions.
- Vulnerability management program with monthly scans and annual third-party penetration tests.
- Documented incident response process with on-call rotation.
- Background checks for staff with access to production systems.
- Physical security delegated to AWS (us-east-2) and Cloudflare per their published controls.
- 35-day rolling backup retention with restore drills.
See Security Overview for the public-facing summary.