DATA PROCESSING AGREEMENT

Recitals

WHEREAS Irayo Technologies Private Limited provides technology integration services, software solutions, and related services (collectively, the "Services") including but not limited to CRM integrations, messaging platform integrations, data analytics, and custom software development;

WHEREAS in the course of providing Services, Irayo Technologies may process personal data on behalf of the Data Controller (you);

WHEREAS both parties are committed to compliance with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR"), the UK Data Protection Act 2018, and other applicable data protection legislation;

NOW THEREFORE the parties agree as follows:

1. Subject Matter and Scope

1.1 Purpose

This Data Processing Agreement ("DPA") defines the procedures and obligations for processing personal data by Irayo Technologies on behalf of the Data Controller in connection with the provision of Services.

1.2 Scope of Processing

The Data Processor shall process personal data only:

  • As necessary to provide the contracted Services
  • In accordance with documented instructions from the Data Controller
  • As described in Schedule 1 (Details of Processing) attached hereto
  • In compliance with applicable data protection laws

1.3 Data Controller Responsibilities

The Data Controller represents that:

  • It has lawful basis for processing under Article 6 GDPR
  • It has provided required privacy notices to data subjects
  • It has obtained necessary consents where required
  • The personal data is accurate and up-to-date

2. Data Processor Obligations

2.1 Processing Instructions

  • Process personal data only on documented instructions from the Data Controller
  • Immediately inform the Data Controller if instructions appear to violate applicable data protection laws
  • Not process personal data for its own purposes or commercial benefit
  • Implement appropriate technical and organizational measures as detailed in Schedule 2

2.2 Confidentiality and Training

  • Ensure all personnel authorized to process personal data are bound by confidentiality obligations
  • Provide appropriate data protection training to authorized personnel
  • Limit access to personal data on a need-to-know basis
  • Maintain records of personnel with access to personal data

2.3 Security Measures

  • Appropriate technical and organizational security measures per Schedule 2
  • Regular security assessments and vulnerability testing
  • Incident response procedures for security breaches
  • Business continuity and disaster recovery plans

2.4 International Transfers

  • Personal data shall be processed only within the European Economic Area unless otherwise agreed
  • Any transfers to third countries shall comply with Chapter V GDPR requirements
  • Standard Contractual Clauses or other appropriate safeguards shall be implemented as required
  • The Data Controller shall be notified of any legal requirements for international transfers

3. Data Subject Rights

3.1 Assistance with Data Subject Requests

  • Requests for access, rectification, erasure, or restriction of processing
  • Data portability requests
  • Objections to processing
  • Requests related to automated decision-making

3.2 Response Timeframes

  • The Data Processor shall respond to Data Controller requests for assistance within 5 business days
  • The Data Processor shall provide necessary information and access to enable compliance with data subject rights
  • Direct requests from data subjects shall be forwarded to the Data Controller without delay

4. Data Breach Notification

4.1 Notification Obligations

  • Notify the Data Controller within 4 hours of becoming aware of the breach
  • Provide detailed information including nature, categories and approximate numbers affected
  • Describe likely consequences and measures taken or proposed to address the breach
  • Provide contact information for obtaining more information

4.2 Breach Response

  • Take immediate steps to contain and remedy the breach
  • Preserve evidence and maintain detailed incident logs
  • Cooperate fully with the Data Controller's breach response efforts
  • Implement measures to prevent similar incidents

5. Data Protection Impact Assessment

5.1 DPIA Assistance

  • Providing detailed information about processing operations and security measures
  • Sharing relevant policies, procedures, and technical documentation
  • Participating in DPIA meetings and consultations as reasonably requested
  • Notifying the Data Controller of any changes that may affect DPIA conclusions

6. Audits and Compliance

6.1 Audit Rights

  • Conduct audits of the Data Processor's compliance with this DPA
  • Review security measures and processing procedures
  • Request compliance documentation and certifications
  • Engage third-party auditors with appropriate confidentiality obligations

6.2 Audit Process

  • Audits shall be conducted with 30 days' prior notice except in emergency situations
  • Audits shall be scheduled to minimize business disruption
  • The Data Processor shall provide reasonable cooperation and facility access
  • Audit costs shall be borne by the Data Controller unless significant non-compliance is found

7. Sub-processors

7.1 Authorization

The Data Controller provides general authorization for the Data Processor to engage sub-processors subject to:

  • Written agreements imposing equivalent data protection obligations
  • Maintaining a current list of sub-processors (available upon request)
  • Providing 30 days' advance notice of any changes to sub-processors

7.2 Sub-processor Obligations

  • Remain fully liable for sub-processor performance
  • Conduct appropriate due diligence on sub-processors
  • Monitor sub-processor compliance with data protection requirements
  • Terminate sub-processor relationships if compliance cannot be ensured

7.3 Current Sub-processors

Current sub-processors are listed below and may include:

  • Cloud infrastructure providers
  • Third-party service providers essential to service delivery
  • Technical support and maintenance providers

Current Sub-processors

Digital Ocean, Infrastructure hosting, Europe

Funnelly, API services, Europe

8. Data Retention and Deletion

8.1 Retention Period

Personal data shall be retained only as long as necessary for the purposes of processing and as specified in the main service agreement.

8.2 Data Return and Deletion

Upon termination of Services, the Data Processor shall:

  • Return or securely delete all personal data within 90 days
  • Provide certification of deletion upon request
  • Retain personal data only if required by applicable law
  • Delete personal data from sub-processor systems

9. Liability and Indemnification

9.1 Data Processor Liability

The Data Processor shall be liable for damages caused by processing if it:

  • Fails to comply with GDPR obligations specifically directed at processors
  • Acts outside or contrary to lawful instructions from the Data Controller
  • Determines the purposes and means of processing in violation of GDPR

9.2 Indemnification

The Data Processor shall indemnify the Data Controller against:

  • Regulatory fines and penalties resulting from Data Processor non-compliance
  • Third-party claims arising from Data Processor breach of this DPA
  • Costs and expenses related to Data Processor security incidents

9.3 Limitation

Total liability under this DPA shall not exceed the total fees paid for Services in the 12 months preceding the claim.

10. Data Protection Officer

10.1 Irayo Technologies DPO

Name: Abhinav Sahai

Contact: dpo@niswey.com

Phone: +91-87999 34920

Address: C-4 Gokul Residency, New Pundalik Nagar, Porvorim, Goa 403521

10.2 DPO Role

  • Monitor compliance with this DPA and applicable data protection laws
  • Serve as point of contact for data protection matters
  • Assist with data protection impact assessments
  • Provide advice on data protection obligations

11. Third-Party Dependencies

11.1 Service Dependencies

The Data Controller acknowledges that certain Services may depend on third-party platforms and services, including but not limited to:

  • HubSpot CRM platform
  • WhatsApp Business API
  • Other messaging and communication platforms
  • Cloud infrastructure providers

11.2 Third-Party Limitations

  • The Data Processor shall use reasonable efforts to minimize service disruptions
  • The Data Processor is not liable for outages or security breaches of third-party services
  • The Data Controller shall comply with third-party platform terms and policies
  • Service level agreements may be subject to third-party availability

12. Mechanisms of Data Transfers

Any Data Transfer for the purpose of Processing by the Processor in a country outside the European Economic Area (the “EEA”) shall only take place in compliance as detailed in Schedule 1 to the DPA. Where such model clauses have not been executed at the same time as this DPA, the Processor shall not unduly withhold the execution of such template model clauses, where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement. 

SCHEDULE 1: DETAILS OF PROCESSING

Subject Matter

Processing of personal data in connection with the provision of technology integration services, software solutions, and related services.

Duration

For the term of the service agreement and any renewal periods.

Nature and Purpose of Processing

  • CRM Integration Services: Synchronizing and managing customer data across platforms
  • Messaging Platform Integration: Facilitating communication between businesses and customers
  • Data Analytics: Analyzing customer interaction and engagement data
  • Custom Software Development: Building tailored solutions requiring data processing
  • Technical Support: Providing maintenance and support for implemented solutions

Categories of Data Subjects

  • Customers and prospective customers of the Data Controller
  • Employees and representatives of the Data Controller
  • End users of the Data Controller’s services
  • Business contacts and leads

Categories of Personal Data

  • Contact Information: Names, email addresses, phone numbers, postal addresses
  • Business Information: Company names, job titles, business contact details
  • Communication Data: Message content, communication logs, interaction history
  • Technical Data: IP addresses, device identifiers, usage analytics
  • Account Data: User credentials, account preferences, subscription information
  • Commercial Data: Purchase history, billing information, transaction records

Special Categories of Personal Data

Generally, no special categories of personal data are processed. Where such data is processed, additional safeguards and explicit consent requirements shall apply in accordance with applicable law.

SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL MEASURES

Access Control

  • Role-based access control following the principle of least privilege
  • Multi-factor authentication for system access
  • Regular access reviews and de-provisioning procedures
  • Segregation of duties for sensitive operations

Data Security

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256 or equivalent)
  • Secure key management procedures
  • Regular security assessments and penetration testing

Network Security

  • Firewall protection and network segmentation
  • Intrusion detection and prevention systems
  • Regular security monitoring and log analysis
  • Secure remote access procedures

Physical Security

  • Secured data centers with 24/7 monitoring
  • Biometric and card-based access controls
  • Environmental controls and backup power systems
  • Secure disposal of storage media

Incident Management

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Regular incident response testing and training
  • Forensic capabilities for incident investigation

Business Continuity

  • Regular data backups with tested restore procedures
  • Disaster recovery plans with defined recovery objectives
  • Redundant systems and failover capabilities
  • Business continuity testing and plan updates

Staff Security

  • Background checks for personnel with access to personal data
  • Confidentiality agreements for all staff
  • Regular security awareness training
  • Clear data handling policies and procedures

SCHEDULE 3: SUB-PROCESSORS

Current Sub-processors

Sub-processor    Service Provided          Location    Safeguards
Digital Ocean    Infrastructure hosting    Europe      Standard Contractual Clauses
Funnelly         API services              Europe      Data Processing Agreement