Data Processing Agreement
This Data Processing Agreement ("DPA") is part of the agreement between Dyva, Inc. ("Processor," "Dyva+," "we") and you ("Controller," "you") for the Dyva+ Service, including API access (the "Principal Agreement"). It applies when Dyva+ processes Personal Data on your behalf.
This DPA is intended to satisfy the processor-contract requirements of GDPR Article 28, the UK GDPR, and other applicable data protection laws.
1. DEFINITIONS
These terms have the following meanings. Undefined capitalized terms have the meanings from the Principal Agreement or GDPR.
- "Personal Data" -- any information relating to an identified or identifiable natural person that Dyva+ processes on your behalf.
- "Processing" -- any operation on Personal Data, as defined in GDPR Article 4(2).
- "Sub-processor" -- any third party Dyva+ engages to process Personal Data on your behalf.
- "Data Subject" -- the person whose Personal Data is being processed.
- "Data Breach" -- a breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data.
2. SCOPE AND DETAILS OF PROCESSING
2.1 Subject Matter. Dyva+ processes Personal Data to provide the Service -- AI conversations, memory features, voice processing, and analytics.
2.2 Duration. Processing continues for the life of the Principal Agreement, plus whatever time is needed to complete data deletion under this DPA.
2.3 Nature and Purpose. We collect, store, retrieve, use, transmit, and delete Personal Data to provide AI companion services, conversation memory, analytics, and related features.
2.4 Data Subjects. End users of your Client Application or Dyva+ account who interact with the Service.
2.5 Types of Personal Data. Account info (email, display name), conversation content (messages, voice transcripts), usage data (message counts, feature usage), and any other Personal Data submitted through the Service.
3. OBLIGATIONS OF THE PROCESSOR
Dyva+ will:
- Process Personal Data only according to your documented instructions (the Principal Agreement and this DPA), unless required by law -- in which case we will tell you before processing, unless legally prohibited from doing so
- Ensure everyone authorized to process Personal Data is bound by confidentiality obligations
- Maintain technical and organizational security measures appropriate to the risk, as described in Section 5
- Follow the Sub-processor requirements in Section 6
- Help you respond to Data Subject requests through appropriate technical and organizational measures
- Help you meet your obligations under GDPR Articles 32 through 36, based on the nature of processing and the information available to us
- At your choice, delete or return all Personal Data after the Service ends, and delete existing copies unless law requires retention
- Provide all information needed to demonstrate compliance with this DPA and support audits, including inspections by you or your appointed auditor, subject to Section 7
4. OBLIGATIONS OF THE CONTROLLER
You will:
- Comply with applicable data protection laws in your use of the Service and your processing instructions to Dyva+
- Have a lawful basis for providing Personal Data to Dyva+
- Be responsible for the accuracy, quality, and legality of Personal Data you provide
- Give all required notices to and obtain all required consents from Data Subjects
5. SECURITY MEASURES
Dyva+ maintains these security measures:
- Encryption in Transit: All data between clients and Dyva+ servers is encrypted with TLS 1.2 or higher
- Encryption at Rest: Databases are encrypted at rest with AES-256
- Authentication: Passwords are hashed with bcrypt. API access uses tokens generated with a cryptographically secure random number generator
- Access Controls: Production access is restricted to authorized personnel on a need-to-know basis with multi-factor authentication
- Data Minimization: IP addresses are hashed (SHA-256) before storage. Guest sessions collect no personally identifiable information
- Monitoring: We monitor systems for security events and anomalous activity
- Incident Response: We maintain a plan for identifying, containing, and remediating security incidents
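The data-minimization measure above describes IP addresses as "hashed (SHA-256) before storage". A practitioner reviewing that measure should know what an unkeyed hash of an IP address does and does not achieve: the IPv4 space is only 2^32 values, so anyone holding the stored digests can recover the original addresses by hashing every candidate and comparing. The short Python below is an added illustration, not part of the agreement or of Dyva+'s code, and makes no claim about how Dyva+ actually implements the measure. It reverses an unkeyed SHA-256 digest over a constructed sample range and then shows that a keyed digest (HMAC-SHA-256 with a secret held outside the database, an assumed design) keeps the same IP mapping to the same token while defeating that enumeration. The address, network range and key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample secret. In a real deployment this key lives in a secrets
# manager, not beside the digests it protects (assumption for this example).
PEPPER = secrets.token_bytes(32)


def sha256_ip(ip: str) -> str:
    """Unkeyed digest, i.e. what a plain 'hash the IP with SHA-256' scheme stores."""
    return hashlib.sha256(ip.encode()).hexdigest()


def hmac_ip(ip: str, key: bytes) -> str:
    """Keyed digest. The same IP still maps to the same token, so it remains
    usable for rate limiting or abuse correlation, but without the key an
    attacker cannot compute candidate digests to compare against."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(target_hex: str, network: str, key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: digest every address in `network` and look for a match.
    With key=None this reverses an unkeyed SHA-256 digest. With a keyed scheme
    the attack only works if the attacker also holds the correct key.
    Sweeping all of IPv4 is 2**32 digests, which is minutes on commodity hardware."""
    for addr in ipaddress.ip_network(network):
        candidate = sha256_ip(str(addr)) if key is None else hmac_ip(str(addr), key)
        if candidate == target_hex:
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample: an address from the TEST-NET-3 documentation range.
    real_ip = "203.0.113.42"

    stored_unkeyed = sha256_ip(real_ip)
    # An attacker who knows roughly which network the users come from sweeps it.
    print("unkeyed digest recovered:", recover_ip(stored_unkeyed, "203.0.0.0/16"))

    stored_keyed = hmac_ip(real_ip, PEPPER)
    # Same sweep with a guessed key finds nothing; the digest alone is not enough.
    print("keyed digest, wrong key:", recover_ip(stored_keyed, "203.0.113.0/24", key=b"guess"))
    # The key, not the hash function, is what makes the pseudonym hard to reverse.
    print("keyed digest, right key:", recover_ip(stored_keyed, "203.0.113.0/24", key=PEPPER))
```

Either scheme is pseudonymization rather than anonymization under GDPR Recital 26, since the original address remains recoverable by whoever holds the key (or, for the unkeyed form, by anyone). The practical questions to ask of a "hashed IP" measure are therefore whether a secret key is used, where it is stored, and how often it is rotated.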
6. SUB-PROCESSORS
6.1 Authorized Sub-processors. By accepting this DPA, you authorize Dyva+ to use the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| AI Processing Provider | Conversation and response generation | United States |
| Voice Processing Provider | Text-to-speech voice synthesis | United States |
| Speech Processing Provider | Speech-to-text transcription | United States |
| Stripe, Inc. | Payment processing | United States |
| Infrastructure Provider | Cloud hosting and data storage | United States |
6.2 Changes. We will notify you at least 14 days before adding or replacing a Sub-processor, giving you a chance to object. If you object on reasonable data protection grounds, we will discuss it in good faith. If we cannot resolve the issue, you may terminate the affected portion of the Service.
6.3 Sub-processor Obligations. Every Sub-processor is bound by data protection obligations at least as protective as this DPA. Dyva+ remains fully liable for each Sub-processor's performance.
7. AUDITS
7.1 Right to Audit. You may audit our compliance with this DPA once per calendar year with 30 days' written notice. Audits happen during business hours, are subject to reasonable confidentiality requirements, and must not unreasonably disrupt our operations.
7.2 Alternative. Instead of an on-site audit, Dyva+ may provide: (a) relevant security certifications or audit reports (e.g., SOC 2 Type II, if available); or (b) written answers to your reasonable audit questions.
8. DATA BREACH NOTIFICATION
8.1 Notification. We will notify you within 72 hours of becoming aware of a Data Breach affecting Personal Data processed under this DPA.
8.2 Content. The notification will include, to the extent available: (a) a description of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) the steps taken or proposed to address and mitigate the breach; and (d) a contact point for further information.
8.3 Cooperation. We will cooperate with you and take commercially reasonable steps to help investigate, mitigate, and remediate the breach.
9. INTERNATIONAL DATA TRANSFERS
Dyva+ is based in the United States. When Personal Data from the EEA, UK, or Switzerland is transferred to the US, we rely on the EU-U.S. Data Privacy Framework (where applicable) or the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference. By accepting this DPA, you execute the Standard Contractual Clauses with Dyva+ as the data importer and you as the data exporter.
10. TERMINATION AND DATA DELETION
When the Principal Agreement ends, we will -- within 30 days of your written request -- either: (a) return all Personal Data in a commonly used, machine-readable format; or (b) securely delete all Personal Data and confirm deletion in writing. We may retain Personal Data only as required by law, and any retained data stays subject to this DPA's confidentiality and security obligations.
11. LIABILITY
Each party's liability under this DPA is subject to the liability limits in the Principal Agreement. Nothing here limits either party's liability to Data Subjects under applicable data protection law.
12. GOVERNING LAW
This DPA is governed by the laws specified in the Principal Agreement, unless data protection law requires otherwise (e.g., GDPR-related claims are governed by the applicable EU/EEA Member State's law).
13. CONTACT
Questions about this DPA? Contact our Data Protection Officer at [email protected] or [email protected].