Data Processing Agreement

1. Definitions

These terms have specific meanings in this DPA. Capitalized terms not defined here have the meanings assigned in the Principal Agreement or the GDPR.

• "Controller" -- you, the entity that determines the purposes and means of processing Personal Data. You decide what data to send us and why.
• "Processor" -- Dyva, the entity that processes Personal Data on your behalf and according to your instructions.
• "Sub-processor" -- any third party that Dyva engages to process Personal Data on your behalf. Listed in Section 6.
• "Personal Data" -- any information relating to an identified or identifiable natural person that Dyva processes on your behalf under this DPA.
• "Processing" -- any operation performed on Personal Data, as defined in GDPR Article 4(2). This includes collection, storage, retrieval, use, transmission, deletion, and everything in between.
• "Data Subject" -- the individual whose Personal Data is being processed.
• "Data Breach" -- a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• "Standard Contractual Clauses" ("SCCs") -- the European Commission's approved clauses for international data transfers (Commission Implementing Decision (EU) 2021/914).

2. Scope and Details of Processing

2.1 Subject Matter. Dyva processes Personal Data to provide the services described in the Principal Agreement -- AI conversations, character interactions, voice processing, memory and knowledge base features, analytics, and related platform functionality.

2.2 Duration. Processing continues for the duration of the Principal Agreement, plus whatever additional time is needed to complete data return or deletion under Section 10 of this DPA.

2.3 Nature and Purpose. We collect, store, retrieve, process, analyze, transmit, and delete Personal Data as necessary to operate the Dyva platform on your behalf. This includes generating AI responses, maintaining conversation memory, processing voice input/output, providing analytics, and supporting the features you have enabled.

2.4 Categories of Data Subjects. End users of your Client Application, website, or service who interact with Dyva-powered features.

2.5 Types of Personal Data. The specific data depends on which features you use, but may include:

• Account information: email addresses, display names, profile data
• Conversation content: text messages, voice transcripts, uploaded files and images
• Voice data: audio recordings (for speech-to-text), voice samples (for cloning, if enabled)
• Usage data: message counts, feature usage patterns, session timestamps
• Knowledge base content: documents and data you upload to character knowledge bases
• Any other Personal Data you or your end users submit through the Service

3. Obligations of the Processor

Dyva commits to the following. These are not aspirational -- they are binding obligations:

• Instruction-bound processing. We process Personal Data only according to your documented instructions (the Principal Agreement and this DPA constitute your instructions), unless required by EU or Member State law to do otherwise. If law compels us to process beyond your instructions, we will inform you before doing so unless legally prohibited.
• Confidentiality. All personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty.
• Security. We implement and maintain technical and organizational security measures appropriate to the risk, as detailed in Section 5.
• Sub-processor governance. We follow the Sub-processor requirements in Section 6 before engaging any third party to process your data.
• Data Subject requests. We assist you in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) through appropriate technical and organizational measures.
• Compliance assistance. We help you meet your obligations under GDPR Articles 32-36 (security, breach notification, impact assessments, prior consultation) to the extent relevant to our processing and the information available to us.
• Data return and deletion. At your choice after the Service ends, we will either return all Personal Data in a standard, machine-readable format or securely delete it -- and confirm deletion in writing. Details in Section 10.
• Audit support. We make available all information necessary to demonstrate compliance with this DPA and support audits as described in Section 7.

4. Obligations of the Controller

Your responsibilities as the Controller:

• Lawful processing. Comply with all applicable data protection laws in your use of the Service and in the processing instructions you give to Dyva. We process data on your instructions -- make sure those instructions are lawful.
• Legal basis. Ensure you have a valid legal basis (consent, legitimate interest, contractual necessity, etc.) for providing Personal Data to Dyva and for the processing you instruct us to perform.
• Data quality. You are responsible for the accuracy, quality, and legality of the Personal Data you provide or that your end users submit through the Service.
• Transparency. Provide all required privacy notices to Data Subjects and obtain all necessary consents before their data is processed through Dyva. Your end users should know their data is being processed by an AI platform.
• Instructions. Ensure your processing instructions to Dyva do not cause us to violate any applicable law. If we believe an instruction infringes data protection law, we will inform you.

5. Security Measures

Dyva implements the following technical and organizational measures to protect Personal Data. These measures are proportionate to the risk and are subject to continuous improvement:

• Encryption in Transit: All data transmitted between clients and Dyva infrastructure is encrypted using TLS 1.2 or higher. No exceptions.
• Encryption at Rest: All databases and storage systems use AES-256 encryption at rest.
• Authentication: User passwords are hashed using bcrypt with appropriate cost factors. API access uses cryptographically generated tokens. Multi-factor authentication is available for all accounts.
• Access Controls: Production systems are accessible only to authorized personnel on a strict need-to-know basis. All production access requires multi-factor authentication. Access is logged and regularly reviewed.
• Data Minimization: IP addresses are hashed (SHA-256) before storage. Guest sessions collect no personally identifiable information. We do not retain data longer than necessary for the stated purpose.
• Infrastructure Security: Firewalls, intrusion detection, DDoS protection (via Cloudflare), and network segmentation protect the platform perimeter and internal services.
• Monitoring and Logging: We monitor systems continuously for security events, anomalous activity, and unauthorized access attempts. Security logs are retained and regularly reviewed.
• Incident Response: We maintain a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review.
• Backup and Recovery: Regular encrypted backups with tested recovery procedures ensure data durability and availability.

6. Sub-Processors

6.1 Authorized Sub-processors. By accepting this DPA, you authorize Dyva to use the following Sub-processors. We are transparent about who touches your data:

6.2 Changes to Sub-processors. We will notify you at least 14 days before adding or replacing a Sub-processor, via email to the address associated with your account. If you object on reasonable data protection grounds, we will work with you in good faith to address the concern. If we cannot resolve it, you may terminate the affected portion of the Service without penalty.

6.3 Sub-processor Obligations. Every Sub-processor is bound by a written agreement imposing data protection obligations at least as protective as those in this DPA. We do not hand off your data without equivalent safeguards. Dyva remains fully liable for each Sub-processor's compliance with the obligations under this DPA.

7. Audits

7.1 Right to Audit. You have the right to audit our compliance with this DPA. You may conduct one audit per calendar year with at least 30 days' written notice. Audits must be conducted during normal business hours, subject to reasonable confidentiality requirements, and must not unreasonably disrupt our operations or compromise the security of other customers' data.

7.2 Audit Scope. Audits may cover: (a) our technical and organizational security measures; (b) our Sub-processor management; (c) our data processing activities under this DPA; and (d) our compliance with your documented instructions.

7.3 Alternative Evidence. In lieu of an on-site audit, Dyva may provide: (a) relevant security certifications or third-party audit reports (e.g., SOC 2 Type II, when available); (b) results of penetration testing; or (c) detailed written responses to your reasonable audit questions. We prefer this approach because it is faster, less disruptive, and gives you the same assurance.

7.4 Cost. Each party bears its own costs for audits. If you require an on-site audit beyond one per year, you will reimburse Dyva's reasonable costs for facilitating it.

8. Data Breach Notification

8.1 Notification Timeline. We will notify you of a Data Breach affecting Personal Data processed under this DPA within 72 hours of becoming aware of it. No delays, no excuses. If we cannot provide full details within 72 hours, we will provide what we have and supplement it as more information becomes available.

8.2 Notification Content. Our breach notification will include, to the extent available at the time:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
• The name and contact details of our point of contact for further information
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including steps to mitigate its effects
• A timeline of events as we understand them

8.3 Cooperation. We will cooperate fully with your breach investigation and response efforts. This includes: (a) providing additional information as it becomes available; (b) taking commercially reasonable steps to contain and remediate the breach; (c) preserving relevant evidence; and (d) assisting with notifications to supervisory authorities and Data Subjects where required.

8.4 What Is Not a Breach. For clarity, unsuccessful security incidents (blocked attacks, failed login attempts, port scans) that do not result in unauthorized access to Personal Data are not Data Breaches under this DPA.

9. International Data Transfers

9.1 Dyva's Location. Dyva is based in the United States. Personal Data processed under this DPA is stored and processed primarily in the United States.

9.2 Transfer Mechanisms. When Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to the United States, we rely on:

• EU-U.S. Data Privacy Framework -- where applicable and to the extent Dyva is certified
• Standard Contractual Clauses (SCCs) -- Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference

By accepting this DPA, you execute the Standard Contractual Clauses with Dyva as the data importer and you as the data exporter. The details in Sections 1 and 2 of this DPA serve as the Annex I information required by the SCCs.

9.3 UK and Swiss Transfers. For UK transfers, the SCCs apply as amended by the UK International Data Transfer Addendum. For Swiss transfers, the SCCs apply as adapted for the Swiss Federal Act on Data Protection. References to GDPR are read as references to the applicable local law.

9.4 Supplementary Measures. In addition to the SCCs, Dyva implements the technical security measures described in Section 5 as supplementary measures to ensure an adequate level of data protection for transferred data.

10. Termination and Data Deletion

10.1 Your Options. When the Principal Agreement ends, you have 30 days to request either: (a) return of all Personal Data in a commonly used, machine-readable format (JSON, CSV, or equivalent); or (b) secure deletion of all Personal Data with written confirmation.

10.2 Default Action. If you do not make a request within 30 days, we will securely delete all Personal Data. We will confirm deletion in writing.

10.3 Legal Retention. We may retain Personal Data only to the extent required by applicable law (tax records, legal holds, regulatory requirements). Any retained data remains subject to the confidentiality and security obligations of this DPA until it is deleted.

10.4 Sub-processor Data. We will ensure that all Sub-processors delete or return Personal Data in accordance with this section.

11. Liability

11.1 Liability Cap. Each party's total aggregate liability under this DPA is subject to the liability limitations and exclusions set forth in the Principal Agreement.

11.2 Data Subject Rights. Nothing in this DPA limits either party's liability to Data Subjects under applicable data protection law. GDPR fines and Data Subject compensation claims are not subject to contractual liability caps where prohibited by law.

11.3 Indemnification. Each party will indemnify the other for damages arising from its breach of this DPA, to the extent such damages are not excluded by the liability limitations in the Principal Agreement.

12. Governing Law

This DPA is governed by the laws specified in the Principal Agreement. Exception: where data protection law requires otherwise (for example, GDPR-related claims are governed by the law of the applicable EU/EEA Member State, and UK GDPR claims by English law). For the Standard Contractual Clauses, the governing law is as specified in the SCCs themselves.

13. Contact

Data protection inquiries: [email protected]

Legal matters: [email protected]

Security incidents: [email protected]

For Data Subject access requests or deletion requests submitted by your end users, contact us at [email protected] with the subject line "DSAR" and we will respond within 5 business days.