Data Processing Agreement (DPA)

Roles

The Customer is the Data Controller. Suvvy is the Data Processor.

Subject matter, duration, nature and purpose

Subject matter: provision of the Services, including AI-assisted chat processing.

Duration: for the term of the Customer’s use of the Services, and thereafter only as required for deletion/return, backups, legal obligations, or dispute resolution.

Nature of processing: collection, storage, transmission, retrieval, use, disclosure by transmission, and deletion.

Purpose: to provide the Services in accordance with the Customer’s documented instructions and the Terms.

Categories of data subjects and Personal Data

Data subjects may include: the Customer’s end users, employees, contractors, leads/clients, and other individuals whose data is submitted to the Services. Personal Data may include: chat messages and conversation content, identifiers (name, email, phone), and technical/usage data necessary to provide the Services.

Customer instructions and compliance

Suvvy shall process Personal Data only on documented instructions from the Customer, including with respect to international transfers, unless required by applicable law (in which case Suvvy will inform the Customer unless prohibited). The Customer represents it has a valid legal basis and all necessary notices/consents for providing Personal Data to the Services.

Confidentiality

Suvvy ensures persons authorised to process Personal Data are bound by confidentiality obligations.

Security

Suvvy implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Subprocessors

The Customer authorises Suvvy to engage subprocessors as described in the Subprocessors page, which may be updated from time to time.

Suvvy will impose contractual data protection obligations on subprocessors and remain responsible for their performance of processing obligations.

Suvvy ensures that all subprocessors are engaged pursuant to written data processing agreements or equivalent legally binding terms, including publicly available Data Processing Addenda published by such subprocessors.

Assistance with data subject requests

Taking into account the nature of processing, Suvvy will provide reasonable assistance to the Customer to respond to requests from data subjects to exercise their rights under applicable data protection law.

Personal data breach

Suvvy will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide information reasonably necessary to support the Customer’s compliance obligations.

Deletion / return

Upon the Customer’s request or termination of the Services, Suvvy will delete or return Personal Data, unless retention is required by applicable law, and subject to reasonable backup retention cycles.

Audits and information

Upon reasonable written request, Suvvy will make available information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits/inspections conducted by the Customer or an independent auditor, subject to reasonable confidentiality, security, and scheduling constraints.

International transfers

The Customer instructs and authorises Suvvy to process and transfer Personal Data internationally as necessary to provide the Services, including to jurisdictions where Suvvy’s subprocessors operate (e.g., United States, EU, China). Suvvy will implement appropriate contractual and security safeguards for such transfers.