Ayliea — AI Security Assessment & Compliance Consulting

Data Processing Agreement

Version 1.0 — Effective date: April 21, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Ayliea ("Processor" or "Ayliea") and the customer named in the master agreement ("Controller" or "Customer") (together, the "Parties"). It governs the Processing of Personal Data undertaken by Ayliea on Customer's behalf in connection with the Services.

If there is a conflict between this DPA and any other term of the agreement between the Parties, this DPA controls with respect to the Processing of Personal Data. This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) and equivalent provisions under UK and Swiss data protection law.

References to the "master agreement" below mean the separately-executed services agreement between the Parties, or — where no separate agreement exists — Ayliea's Terms of Service.

Customers with specific DPA requirements that this template does not cover may propose amendments by contacting privacy@ayliea.com.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Regulation. For this DPA:

  • "Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR as retained in UK law, and the Swiss Federal Act on Data Protection, each as amended or replaced, and any other privacy or data protection law applicable to the Processing.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Category Data", and "Supervisory Authority" have the meanings in Article 4 of the GDPR.
  • "Services" means the Ayliea platform and related services provided to Customer under the master agreement.
  • "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two — Controller to Processor), together with any required supplementary measures.
  • "Sub-processor" means any Processor engaged by Ayliea that Processes Personal Data on Customer's behalf.

2. Subject Matter, Nature, Purpose, and Duration

Subject matter. Ayliea's Processing of Customer's Personal Data in connection with providing the Services.

Nature and purpose of Processing. Ayliea Processes Personal Data solely to (a) provide the Services to Customer; (b) support, maintain, and improve the Services; (c) comply with Customer's documented lawful instructions; and (d) comply with Applicable Data Protection Law.

Duration. Processing continues for the duration of the master agreement, plus any post-termination retention period required by Section 11.

Categories of Data Subjects. Customer's end users of the Services, Customer's employees and contractors, and other individuals whose Personal Data Customer submits to the Services.

Categories of Personal Data. Identifiers (name, email address), assessment content (including free-form text that may contain additional Personal Data at Customer's discretion), evidence attachments, authentication metadata, organization memberships, and service usage metadata. A full enumeration is in Annex I (Section 14).

Ayliea does not solicit or require Customer to provide Special Category Data or data relating to criminal convictions. Customer is responsible for determining whether such data may be submitted and for ensuring any such submission complies with Applicable Data Protection Law.

3. Role of the Parties

Customer is the Controller of Personal Data it submits to the Services. Ayliea is the Processor with respect to Processing of Personal Data on Customer's behalf. Where Ayliea Processes Personal Data for its own purposes (for example, billing, fraud prevention, improvement of the Services in aggregated or anonymized form, and compliance with law), Ayliea acts as an independent Controller; such Processing is governed by Ayliea's Privacy Policy and is out of scope for this DPA.

4. Customer Instructions

Ayliea Processes Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by Applicable Data Protection Law. The master agreement, this DPA, and Customer's configuration of the Services constitute Customer's documented instructions.

Ayliea will inform Customer if, in Ayliea's opinion, an instruction infringes Applicable Data Protection Law.

5. Confidentiality

Ayliea ensures that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Sub-processors

General authorization. Customer provides a general authorization for Ayliea to engage Sub-processors, subject to this Section 6.

Current Sub-processors. The current list of Sub-processors is set out in Annex III (Section 16). Ayliea maintains a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA.

New Sub-processors. Ayliea will provide notice of any intended addition or replacement of Sub-processors by updating the list with at least 15 days' advance notice before the new Sub-processor begins Processing. Customer may object on reasonable data protection grounds by emailing privacy@ayliea.com within the notice period. If the Parties are unable to resolve the objection, Customer may terminate the portion of the Services that relies on the contested Sub-processor with pro-rata refund of prepaid fees for the terminated portion.

Liability. Ayliea remains fully liable to Customer for the performance of each Sub-processor's data protection obligations.

7. Security of Processing

Ayliea implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, cost of implementation, nature, scope, context, and purposes of Processing. Current measures are described in Annex II (Section 15) and include, at minimum:

  • TLS in transit for all Personal Data
  • Row-Level Security enforcement in the database
  • Encryption at rest for sensitive Personal Data columns using per-organization Data Encryption Keys wrapped by a Master Key stored outside the database
  • Multi-factor authentication for authorized Ayliea personnel accessing production systems
  • Audit logging of administrative actions
  • File upload quarantine and malware scanning
  • Sanitized error logs (no passwords, tokens, or Personal Data)
  • Documented Incident Response Plan with a 72-hour breach notification commitment

Ayliea reviews and updates these measures as needed. Ayliea may update Annex II to reflect improved measures, provided the overall level of protection is not diminished.

8. Data Subject Rights

Ayliea provides functionality in the Services that enables Customer to comply with Data Subject rights requests, including:

  • Right of access (Article 15) and data portability (Article 20) — Customer's end users can export their own data as structured JSON from the Services.
  • Right to rectification (Article 16) — end users can edit profile data directly.
  • Right to erasure (Article 17) — Customer or end user can initiate account deletion; a 30-day soft-delete window allows recovery, after which data is purged from primary systems by scheduled maintenance.

Where Ayliea receives a request directly from a Data Subject, Ayliea will, without undue delay, inform the Data Subject that Ayliea is a Processor and forward the request to Customer where Customer is identifiable. Ayliea will not respond to the Data Subject on substance, except to confirm receipt and forward.

To the extent Customer is unable to fulfill a Data Subject request using the Services' self-service features, Ayliea will provide reasonable assistance taking into account the nature of Processing.

9. Assistance with Obligations

Ayliea, taking into account the nature of Processing and the information available to Ayliea, provides reasonable assistance to Customer in complying with Customer's obligations under Articles 32 to 36 of the GDPR, including assistance with Data Protection Impact Assessments and prior consultation with Supervisory Authorities.

10. Personal Data Breach Notification

Ayliea notifies Customer of a Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within 72 hours after Ayliea becomes aware of it. Awareness means Ayliea has reasonable certainty that a Personal Data Breach has occurred; it is not the moment Ayliea receives a first signal.

The notification will include, to the extent then known:

  • the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the Personal Data Breach;
  • the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and
  • contact details for obtaining more information (privacy@ayliea.com).

Ayliea will provide additional details as the investigation proceeds. Ayliea's notification of a Personal Data Breach is not an acknowledgment of fault or liability.

11. Deletion and Return of Personal Data

On termination of the master agreement, Customer may choose, within 30 days, either:

  1. Return — Ayliea will provide Customer with a downloadable export of Customer's Personal Data in structured, machine-readable format (JSON), or
  2. Deletion — Ayliea will delete all Personal Data from active production systems within 30 days of Customer's instruction or 30 days after termination if no instruction is received.

After deletion, any residual copies in backup systems managed by Ayliea's infrastructure Sub-processor expire under that Sub-processor's normal retention cycles. Such residual data is protected by the same security measures as primary storage and is not Processed for any other purpose. Ayliea will provide a written statement of deletion on request.

Notwithstanding the above, Ayliea may retain Personal Data to the extent required by Applicable Data Protection Law, provided Ayliea maintains the security and confidentiality of such data and Processes it only for the purpose and duration of the legal requirement.

12. Audit Rights

Ayliea maintains documentation demonstrating compliance with this DPA and makes that documentation available to Customer on reasonable request, including:

  • this DPA;
  • the current Sub-processor list;
  • Annex II technical and organizational measures;
  • summary reports of any third-party certifications or audits Ayliea has obtained (SOC 2, ISO 27001, etc.) once available; and
  • a summary of the most recent Incident Response Plan tabletop or exercise, when one has been completed, on request under a non-disclosure agreement.

Where Customer determines the above documentation is insufficient, Customer may request, not more than once per year and on at least 30 days' written notice, an on-site audit conducted by Customer or a mutually-agreed third-party auditor bound by confidentiality obligations. The scope of any such audit is limited to Ayliea's Processing of Customer's Personal Data. Customer bears the cost of the audit unless the audit identifies a material breach of this DPA.

13. International Transfers

Where Ayliea transfers Personal Data to a third country (a country outside the European Economic Area, the United Kingdom, or Switzerland) that is not subject to an adequacy decision, the transfer is governed by the Standard Contractual Clauses, Module Two (Controller to Processor), incorporated by reference into this DPA, with the following selections:

  • Docking clause (Clause 7): applies
  • Clause 9 (Sub-processors): Option 2 — General written authorization. The advance-notice period required by Clause 9(a) is 15 days, as set out in Section 6 of this DPA
  • Clause 11(a) (Redress): optional independent dispute resolution body — Ayliea does not opt in; Data Subjects may lodge complaints with the competent Supervisory Authority under Clause 11(a)
  • Clause 17 (Governing law): the law of Ireland
  • Clause 18(b) (Choice of forum): the courts of Ireland

For transfers subject to the UK GDPR, the Parties also incorporate the UK International Data Transfer Addendum (issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018) with the SCCs as the Approved EU SCCs.

For transfers subject to Swiss data protection law, references in the SCCs to "Member State" include Switzerland and the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

14. Annex I — Details of Processing

I.A. List of Parties. Customer as Controller; Ayliea as Processor; contact point for each Party as specified in the master agreement. Ayliea's data protection contact: privacy@ayliea.com.

I.B. Description of transfer.

  • Categories of Data Subjects: Customer's authorized end users, Customer's employees, Customer's contractors, and other individuals whose Personal Data Customer submits to the Services.
  • Categories of Personal Data: name, email address, password hash (authentication metadata only — plaintext passwords are never transmitted or stored), multi-factor authentication enrollment status, hashed multi-factor authentication recovery codes, organization membership, assessment answers, evidence notes and attachments, usage and audit metadata, push notification tokens (if opted in), support correspondence, and any other Personal Data Customer elects to submit.
  • Sensitive data: Ayliea does not solicit Special Category Data. Customer is responsible for restricting such data from the Services or ensuring lawful basis where submitted.
  • Frequency of transfer: on a continuous basis for the duration of the Services.
  • Nature and purpose of Processing: as set out in Section 2.
  • Retention: as set out in Section 11 and the Ayliea Privacy Policy.
  • Transfers to Sub-processors: each Sub-processor receives only the Personal Data necessary to perform its function (Annex III / Section 16).

I.C. Competent Supervisory Authority. For EU transfers, the Supervisory Authority of the Member State in which the Data Subject is habitually resident. For UK transfers, the UK Information Commissioner's Office.

15. Annex II — Technical and Organizational Measures

Pseudonymization and encryption. TLS for all Personal Data in transit. Encryption at rest for sensitive Personal Data fields (including user names, invitation emails, collaborator identity fields, support ticket subjects, and webhook signing secrets) using AES-256-GCM envelope encryption with per-organization Data Encryption Keys wrapped by a Master Key held outside the database. Authentication token storage on end-user devices using hardware-backed keychain (iOS), encrypted SharedPreferences (Android), or secure HTTP-only cookies (web).

Confidentiality, integrity, availability, and resilience. Database Row-Level Security policies as the primary authorization control. Multi-factor authentication (TOTP) required for administrative access. Rate limiting on authentication and sensitive API endpoints. Malware quarantine and scanning of uploaded files before they become accessible. Time-limited signed URLs for file access. Principle of least privilege for service accounts and administrative roles.

Recovery from incidents. Documented Incident Response Plan with defined severity classifications, containment playbooks, and recovery procedures. Database backup capability is provided by Ayliea's infrastructure Sub-processor; specific frequency and retention depend on Ayliea's current plan tier and are being formalized as part of SOC 2 readiness.

Regular testing and evaluation. Security reviews of changes affecting authentication, authorization, or Personal Data handling. Continuous dependency vulnerability monitoring. Incident Response Plan tabletop exercises on a planned quarterly cadence; the first exercise is scheduled for 2026-Q3.

User authentication. Email-and-password authentication with a minimum 12-character password policy aligned to NIST SP 800-63B. TOTP multi-factor authentication available to all users and required for organization owners when the organization's multi-factor authentication enforcement policy is enabled. Administrative access logged to an append-only audit log.

Data protection in transit. HTTPS/TLS enforced at all ingress points; HTTP redirects to HTTPS. Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and other hardening headers on public endpoints.

Data protection at rest. Per-organization Data Encryption Keys ensure cross-tenant isolation even in the event of a bulk export of the database. Retention controls documented in Ayliea's Privacy Policy.
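As an added illustration of the envelope-encryption scheme described under "Pseudonymization and encryption" and "Data protection at rest" above (example code written for this page, not Ayliea's implementation), the following Go program wraps a per-organization AES-256 data encryption key under a master key that never touches the database and encrypts a field under that DEK; decryption fails without the master key, fails when a row is relabelled to a different organization, and fails on tampering. The function names, organization IDs and key values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; key must be exactly 32 bytes.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here: a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce||ciphertext; aad (the org ID) binds the blob to its tenant.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a wrong org ID, or tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptField mints a DEK for orgID (a real store reuses the org's existing
// DEK), wraps it under masterKey, and encrypts field under the DEK. Both
// returned blobs would be stored in the database; masterKey never is.
func EncryptField(masterKey []byte, orgID string, field []byte) (wrappedDEK, ct []byte, err error) {
	dek := make([]byte, 32) // AES-256 data encryption key
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = seal(masterKey, dek, []byte(orgID)); err != nil {
		return nil, nil, err
	}
	ct, err = seal(dek, field, []byte(orgID))
	return wrappedDEK, ct, err
}

// DecryptField unwraps the org's DEK with the master key, then the field.
func DecryptField(masterKey []byte, orgID string, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := open(masterKey, wrappedDEK, []byte(orgID))
	if err != nil {
		return nil, fmt.Errorf("org %s: unwrap DEK: %w", orgID, err)
	}
	return open(dek, ct, []byte(orgID))
}
```

A bulk copy of the table holds only wrapped DEKs and ciphertexts, so it is unreadable unless the master key held outside the database is also compromised.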

Physical security. All Personal Data is Processed on cloud infrastructure operated by Sub-processors listed in Annex III. Ayliea does not operate physical Personal Data Processing facilities.

Events logging. Application errors and security-relevant events logged to Sentry with Personal Data sanitization. Database-level audit logs for administrative and sensitive operations. Authentication events logged by the auth provider.

System configuration. Infrastructure-as-code for all deployed resources. Default-deny Row-Level Security policies. Default-enabled Content Security Policy and security headers.

IT security governance. Written policies including this DPA, Incident Response Plan, Privacy Policy, and Terms of Service. Periodic review of Sub-processors and vendor data processing agreements.

Certifications. SOC 2 Type I certification planned; details will be published on this site when available.

Data minimization and quality. Only data necessary for the Services is collected; new data collection undergoes privacy review before shipping. Validation at system boundaries. Users can correct their own Personal Data directly.

Retention and erasure. 30-day soft-delete window followed by scheduled permanent deletion from primary systems. Any backups are subject to the infrastructure Sub-processor's retention cycle; residual backup data is not Processed for any other purpose. JSON export and account deletion accessible to end users from the Services.

Accountability. Audit logging of administrative actions. This DPA and its Sub-processor list available at this URL. Privacy inquiries routed to privacy@ayliea.com.

16. Annex III — Sub-processors

Current Sub-processors authorized under this DPA. New Sub-processors are announced at least 15 days before they begin Processing. Customers may subscribe to Sub-processor change notifications by emailing privacy@ayliea.com.

Sub-processor | Role / Data Handled | Location
Supabase Inc. | Application database, authentication, file storage, Edge Functions | United States (AWS regions)
Vercel Inc. | Application hosting, CDN, edge compute | United States, global edge
Stripe Inc. | Payment processing | United States
Resend, Inc. | Transactional and marketing email delivery | United States
Anthropic, PBC | AI model API (Claude) for generating assessment recommendations and risk classifications (commercial API default retention: 30 days; zero-retention option available by contract) | United States
Upstash, Inc. | Rate limiting key-value store (no Personal Data) | United States
Sentry (Functional Software, Inc.) | Error tracking | United States
PostHog Inc. | In-app product analytics (pseudonymized events) | United States / EU
Google LLC | Website analytics (Google Analytics 4); file-hash malware lookup (VirusTotal) | United States
Umami | Anonymous website analytics (no cookies, no Personal Data) | United States
Cal.com, Inc. | Scheduling for sales and consulting calls | United States
Expo (650 Industries, Inc.) | Push notifications to mobile devices | United States

17. Miscellaneous

Order of precedence. In case of conflict: (1) mandatory provisions of Applicable Data Protection Law; (2) the SCCs where applicable; (3) this DPA; (4) the master agreement.

Modifications. Ayliea may modify this DPA to reflect changes in Applicable Data Protection Law or to improve Ayliea's commitments. Material changes will be communicated to Customer with at least 15 days' advance notice. Changes that do not materially reduce the level of protection afforded to Data Subjects may be made without advance notice by updating the effective date.

Entire agreement. This DPA, together with the master agreement, constitutes the entire agreement between the Parties with respect to the subject matter.

Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in full effect.

Governing law and jurisdiction. The governing law and jurisdiction of the master agreement apply to this DPA, except as required by Applicable Data Protection Law or as otherwise set out in Section 13 for SCCs.

18. Contact

Questions about this DPA or requests to enter into a signed copy should be directed to privacy@ayliea.com.