Data Processing Agreement ·
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and DSYP Group, operator of Caliradi.ai (the "Processor"), and applies when we process personal data on your behalf in providing the Caliradi Service.
For most customers: By accepting our Terms of Service, you also accept this DPA. No separate signature is required for our standard tiers. Enterprise customers requiring a counter-signed DPA can request one at support@ydygroup.com.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679):
- Controller — you, the Caliradi customer who determines the purposes and means of processing.
- Processor — DSYP Group, processing personal data on your behalf.
- Data Subject — your end customers, employees, or contacts whose personal data is processed.
- Sub-processor — any third party we engage to process personal data (see Section 7).
2. Scope & subject matter
We process personal data only to provide the Caliradi Service to you and as instructed by you. The duration of processing is the term of your subscription, plus any retention period required by law.
3. Categories of personal data & data subjects
| Category of data | Data subjects |
|---|---|
| Contact details (name, email, phone) | Your customers, prospects, leads |
| Communication content (chat, email) | Your customers, prospects |
| Transaction records | Your paying customers |
| Usage and behavioral data | Your website visitors |
4. Processor obligations
We will:
- Process personal data only on your documented instructions, including for international transfers.
- Ensure that personnel authorized to access personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (Section 6).
- Assist you in responding to data-subject requests (access, deletion, portability, etc.).
- Assist you with data-protection impact assessments and prior consultations with supervisory authorities.
- Notify you of personal data breaches without undue delay, and within 72 hours where feasible.
- Return or delete personal data at the end of services, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits (Section 8).
5. Controller obligations
You will:
- Process personal data in compliance with applicable laws.
- Have a valid legal basis for the processing instructed (consent, contract, legitimate interest, etc.).
- Provide accurate and lawful instructions for processing.
- Inform Data Subjects about how their data is processed, including this DPA where relevant.
6. Security measures
We implement and maintain the following technical and organizational measures:
- Encryption. TLS 1.2+ in transit, AES-256 at rest.
- Access control. Role-based access, MFA for production systems, least-privilege principle.
- Network security. Cloudflare WAF, DDoS protection, IP allowlisting for admin access.
- Monitoring. Audit logging, intrusion detection, automated anomaly alerts.
- Backups. Daily encrypted backups, 30-day retention, tested quarterly for restorability.
- Personnel. Background checks, signed confidentiality agreements, mandatory security training.
- Vendor management. Security review and DPA in place with each sub-processor.
- Incident response. Documented playbook, 24/7 on-call, post-mortem reviews.
- Compliance. Working toward SOC-2 Type II certification.
7. Sub-processors
You authorize us to engage the following sub-processors for the purposes described:
| Sub-processor | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Hosting & CDN | USA |
| Anthropic PBC | AI inference (Kaira chatbot & agents) | USA |
| Airtable, Inc. | CRM database | USA |
| Stripe, Inc. | Payment processing | USA, Ireland |
| Cloudflare, Inc. | Network security & DNS | Global |
| Resend / SendGrid | Transactional email | USA |
We will notify you at least 14 days before adding or replacing a sub-processor. You may object on reasonable data-protection grounds; if no resolution is reached, you may terminate the affected portion of the Service.
8. Audits
Once per year, with at least 30 days' written notice, you may audit our compliance with this DPA. We may satisfy audit obligations by providing recent third-party audit reports (e.g., SOC-2). Audits must respect confidentiality and not disrupt operations.
9. International transfers
Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor) and the UK International Data Transfer Addendum, as applicable. These are incorporated by reference into this DPA.
10. Data subject requests
If a Data Subject contacts us directly with a request to exercise their rights, we will refer them to you and notify you. We will reasonably assist you in responding within the legal timeframes.
11. Liability
The liability cap and indemnification provisions of our Terms of Service apply to claims arising under this DPA, except where mandatory data-protection law requires otherwise.
12. Term & termination
This DPA continues for as long as we process personal data on your behalf. Provisions intended to survive (confidentiality, audit, liability, return/deletion of data) survive termination.
13. Contact
DSYP Group · Data Protection Office
Email: support@ydygroup.com
Legal: support@ydygroup.com