This Data Processing Addendum (“DPA”) is incorporated into the Platform Agreement (“Agreement”) between Cyrenza, Inc. (“Cyrenza” or “Data Processor”) and Customer (“Data Controller”). This DPA applies where Cyrenza processes Personal Data on behalf of Customer in connection with the Services.
1.1. “Applicable Data Protection Law” means all laws and regulations relating to the processing of Personal Data applicable to either party’s performance under the Agreement, including GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and other applicable privacy legislation.
1.2. “Data Controller” means Customer, the entity that determines the purposes and means of processing Personal Data.
1.3. “Data Processor” means Cyrenza, the entity that processes Personal Data on behalf of the Data Controller.
1.4. “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
1.5. “Personal Data” means any information relating to a Data Subject that is processed by Cyrenza on behalf of Customer through the Services, as part of Customer Data.
1.6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.7. “Subprocessor” means any third party engaged by Cyrenza to process Personal Data on behalf of Customer.
1.8. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA.
1.9. “DPA Data” means Customer Data that is provided through the Services and that constitutes Personal Data.
1.10. “Instructions” means any (i) documented communication from Customer which includes actions taken or input provided through the Services; or (ii) agreement between Customer and Cyrenza that requires Cyrenza to provide the Services; or (iii) the Documentation.
1.11. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, or dissemination. “Process,” “Processes,” and “Processed” will be interpreted accordingly.
1.12. “US State Privacy Law” means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the CCPA/CPRA, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), and other comparable state privacy legislation as enacted.
2.1. This DPA applies to the processing of Personal Data by Cyrenza on behalf of Customer in connection with the provision of the Services.
2.2. Customer is the Data Controller. Customer determines the purposes and means of processing Personal Data through the Services.
2.3. Cyrenza is the Data Processor. Cyrenza processes Personal Data only in accordance with Customer’s documented instructions and Applicable Data Protection Law.
2.4. Categories of Data Subjects may include Customer’s employees, contractors, clients, end users, and other individuals whose data is submitted to the Services.
2.5. Categories of Personal Data may include names, email addresses, contact information, employment data, financial data, and any other categories of Personal Data that Customer uploads to or processes through the Services.
2.6. Processing Activities include storage, retrieval, AI-assisted analysis, embedding generation, search indexing, and generation of Artifacts, as necessary to provide the Services.
3.1. Customer is responsible for ensuring that it has a lawful basis for processing Personal Data through the Services.
3.2. Customer is responsible for providing appropriate privacy notices to Data Subjects whose Personal Data is processed through the Services.
3.3. Customer shall ensure that all Personal Data submitted to the Services has been collected in compliance with Applicable Data Protection Law.
4.1. Cyrenza will process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data outside the EEA, unless required to do so by applicable law. In such case, Cyrenza will inform Customer of the legal requirement before processing, unless prohibited by law.
4.2. Cyrenza will ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Cyrenza will implement and maintain the technical and organizational security measures described in the Security Addendum.
4.4. Cyrenza will not use Personal Data for any purpose other than providing the Services, and will not sell, share, or otherwise make Personal Data available to third parties except as provided in this DPA.
4.5. Cyrenza does not use Customer Data (including Personal Data) to train, fine-tune, or improve its foundational AI models.
4.6. Cyrenza will promptly notify Customer in writing if it cannot comply with the requirements of this DPA.
4.7. Cyrenza will promptly inform Customer if, in Cyrenza’s opinion, an instruction from Customer infringes Applicable Data Protection Law.
5.1. Customer authorizes Cyrenza to engage Subprocessors to assist in providing the Services. A current list of Subprocessors is maintained at the Subprocessor List.
5.2. Cyrenza will provide at least thirty (30) days’ advance notice before engaging a new Subprocessor that processes Personal Data, by updating the Subprocessor List and notifying Customer via email.
5.3. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of Personal Data by notifying Cyrenza in writing within fifteen (15) days of receiving notice (the “Objection Notice”). In such case, Cyrenza shall have the right to cure the objection through one of the following options: (i) Cyrenza will offer an alternative to provide the Services without such Subprocessor; (ii) Cyrenza will take the corrective steps requested by Customer in the Objection Notice and proceed to use the Subprocessor; (iii) Cyrenza may cease to provide, or Customer may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Services that would involve the use of such Subprocessor; or (iv) Customer may cease providing Personal Data to Cyrenza for processing. If none of the above options are commercially feasible, in Cyrenza’s reasonable judgment, and the objection has not been resolved to the satisfaction of the parties within thirty (30) days of Cyrenza’s receipt of the Objection Notice, then either party may terminate the affected Services and Customer will be refunded any prepaid but unused fees for the applicable subscriptions covering periods following the date of such termination. Other than accepting such cure as may be offered by Cyrenza, such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
5.4. Cyrenza will enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA.
5.5. Cyrenza remains responsible for the acts and omissions of its Subprocessors.
6.1. Cyrenza will inform Customer, to the extent legally permitted, if Cyrenza receives any legally binding request for disclosure of Personal Data by a law enforcement or government authority. If Cyrenza is legally prohibited from notifying Customer, Cyrenza will use best efforts to request a waiver of the prohibition and will document that request. Cyrenza will notify Customer once the prohibition expires or has been lifted, with the aim of providing as much relevant information to Customer as reasonably possible.
6.2. Cyrenza will inform Customer of any notice, inquiry, or investigation by a supervisory authority with respect to Personal Data processed under this DPA.
6.3. Cyrenza does not voluntarily provide Personal Data to law enforcement or government authorities and discloses Personal Data only when legally compelled to do so by valid legal process.
6.4. Cyrenza’s procedures for responding to law enforcement and government requests are further described in the Law Enforcement Request Policy.
7.1. Cyrenza will assist Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, portability, restriction, and objection), taking into account the nature of the processing.
7.2. If Cyrenza receives a Data Subject request directly (including “verifiable consumer requests” as defined by the CCPA/CPRA), Cyrenza will promptly redirect the Data Subject to Customer. Other than to acknowledge receipt or identify the Data Subject, Cyrenza will not respond to any Data Subject request without prior written authorization from Customer, unless otherwise required by law.
7.3. Cyrenza will provide reasonable technical and organizational assistance to Customer in fulfilling Data Subject requests.
8.1. Cyrenza will implement and maintain the technical and organizational security measures described in the Security Addendum, including:
8.2. Cyrenza will regularly test, assess, and evaluate the effectiveness of its security measures.
9.1. Cyrenza will notify Customer of a confirmed Personal Data Breach without undue delay, and in any event within forty-eight (48) hours of confirmation.
9.2. Notification will include, to the extent available:
9.3. Cyrenza will cooperate with Customer and take reasonable steps to assist in the investigation and mitigation of the breach.
9.4. Notification shall not be construed as an acknowledgment of fault or liability.
10.1. Cyrenza will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Cyrenza.
11.1. Customer authorizes Cyrenza to transfer Personal Data to countries outside the EEA, UK, or Switzerland as necessary to provide the Services, subject to appropriate safeguards.
11.2. For transfers to countries without an adequacy decision, Cyrenza relies on the Standard Contractual Clauses as further described in the Data Transfers Addendum.
11.3. Details of transfer mechanisms and supplementary measures are set forth in the Data Transfers Addendum, which is incorporated into this DPA.
12.1. Cyrenza will make available to Customer, on request, information necessary to demonstrate compliance with this DPA.
12.2. Customer (or a qualified independent auditor appointed by Customer) may conduct an audit of Cyrenza’s processing activities, subject to:
12.3. Cyrenza may satisfy audit requests by providing existing third-party audit reports, certifications, or compliance documentation.
13.1. To the extent applicable under US State Privacy Law, Cyrenza certifies that it understands and will comply with its obligations under US State Privacy Law.
13.2. Cyrenza will only process Personal Data for the purposes set out in this DPA, the Agreement, or the Instructions, unless otherwise permitted by law.
13.3. Cyrenza will not “sell” or “share” (as defined by the CCPA/CPRA) Personal Data received from Customer.
13.4. Cyrenza will not retain, use, or disclose Personal Data outside of the direct business relationship between Cyrenza and Customer, unless otherwise required or permitted by law.
13.5. Cyrenza will process Personal Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law.
13.6. Cyrenza will not combine any Personal Data with Personal Data that Cyrenza receives from or on behalf of a third party other than Customer, or collects from Cyrenza’s own interactions with individuals, provided that Cyrenza may combine Personal Data as permitted under US State Privacy Law or if directed to do so by Customer.
13.7. Cyrenza will not attempt to reidentify any deidentified data Customer provides to Cyrenza, except for the sole purpose of determining whether the deidentification processes are compliant with Applicable Data Protection Law.
13.8. Cyrenza grants Customer the right to take reasonable and appropriate steps to (i) ensure that Cyrenza uses Personal Data in a manner consistent with Applicable Data Protection Law and (ii) stop and remediate unauthorized use of Personal Data.
13.9. Cyrenza acts as a “Service Provider” as defined under the CCPA/CPRA, and equivalent processor roles under other US State Privacy Laws, with respect to Personal Data it processes on behalf of Customer.
13.10. Cyrenza will assist Customer in responding to verifiable consumer requests and equivalent data subject rights requests under all applicable US State Privacy Laws.
14.1. In the event that new legislation or regulations are implemented that specifically govern the use of artificial intelligence solutions, both parties agree to review this DPA to ensure compliance with such legislation and regulations.
14.2. If substantial modifications are required to the terms and conditions of this DPA to render it or the parties’ performance under it compliant with any regulations implemented following its effective date, both parties shall negotiate in good faith to make necessary amendments.
14.3. Should new regulations render the continued provision of Services under this Agreement infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.
14.4. The termination of this DPA due to the aforementioned regulations shall not relieve either party from any outstanding obligations or liabilities incurred prior to the termination.
14.5. If any provision of this DPA is found to be inconsistent with future regulations, such provision shall be interpreted in a manner consistent with the applicable laws, or if necessary, deemed null and void without affecting the validity of the remaining provisions.
15.1. Upon termination of the Agreement, Cyrenza will maintain Customer Data (including Personal Data) for thirty (30) days to allow for data export.
15.2. After the data export period, Cyrenza will delete Personal Data in accordance with its data retention policies, except where retention is required by applicable law.
15.3. Upon request, Cyrenza will provide written confirmation of deletion.
16.1. This DPA takes effect on the date the Agreement is executed and remains in effect for as long as Cyrenza processes Personal Data on behalf of Customer.
16.2. Obligations that by their nature should survive (including confidentiality, data return and deletion, and audit rights) will survive termination.