Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated into and forms part of the AYBIZA Terms of Service. It governs AYBIZA's processing of personal data on your behalf as your data processor, and satisfies the requirements of GDPR Article 28, UK GDPR Article 28, and equivalent data protection laws worldwide. By accepting the Terms of Service, you also accept this DPA.
Last updated: March 18, 2026 | Effective: March 18, 2026
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms defined in the GDPR and not defined here have the meanings given to them in the GDPR.
- "Controller" means you, the AYBIZA customer, who determines the purposes and means of processing personal data through the AYBIZA platform.
- "Processor" means AYBIZA LLC, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by AYBIZA on behalf of the Controller under this DPA.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
- "GDPR" means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
- "UK GDPR" means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- "Sub-Processor" means any third party engaged by AYBIZA to process personal data on the Controller's behalf.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module 2 (Controller to Processor).
- "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018.
- "Services" means the AYBIZA platform — including Agents (AI Business Agents), Parties (Business Platform), and Bridges (Connection Workspace) — and all associated services provided under the Terms of Service.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
2. Scope and Roles
2.1 AYBIZA as Processor
This DPA applies to the processing of personal data by AYBIZA as Processor on behalf of the Controller in connection with providing the Services. The subject matter, nature, purpose, duration, categories of data, and categories of data subjects are set out in Schedule 1 to this DPA.
AYBIZA processes personal data only to the extent necessary to provide the Services and will not process personal data for any other purpose without the Controller's prior written consent.
2.2 AYBIZA as Controller
AYBIZA independently acts as data controller for the following categories of data, which are not governed by this DPA but by AYBIZA's Privacy Policy at aybiza.com/privacy:
- Customer account registration data (name, email, job title, company)
- Business verification (KYB) data
- Billing and subscription records
- Platform usage analytics (aggregated)
- Legal acceptance records
3. Controller Instructions
AYBIZA processes personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law. In such cases, AYBIZA will inform the Controller of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest.
The Controller's instructions are set out in the Terms of Service, this DPA, and any configuration settings the Controller establishes within the AYBIZA platform. The Controller warrants that its instructions comply with applicable data protection law and that it has obtained all necessary consents and provided all required notices to data subjects.
If AYBIZA believes that a Controller instruction infringes the GDPR, UK GDPR, or other applicable data protection law, AYBIZA will promptly notify the Controller and may suspend the relevant processing until the instruction is clarified or revised.
4. Confidentiality of Processing
AYBIZA ensures that persons authorized to process personal data under this DPA:
- Are bound by enforceable confidentiality obligations (whether contractual or statutory)
- Process personal data only as necessary to perform their responsibilities in connection with the Services
- Receive appropriate training on data protection obligations
These obligations survive the termination of the individual's engagement with AYBIZA.
5. Security Measures
AYBIZA implements and maintains the technical and organizational security measures set out in Schedule 2 to this DPA, appropriate to the risk presented by the processing, in particular protecting against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
AYBIZA regularly tests, assesses, and evaluates the effectiveness of its security measures and will update them as necessary to address identified risks and evolving threats. Material changes to security measures will not reduce the overall level of protection.
The Controller is responsible for implementing appropriate security measures with respect to its own systems, end-user access credentials, API key management, and any personal data it transfers to AYBIZA.
6. Sub-Processors
6.1 General Authorization
The Controller provides general written authorization for AYBIZA to engage the Sub-Processors listed in Schedule 3 to this DPA.
6.2 Sub-Processor Obligations
AYBIZA will:
- Impose data protection obligations on each Sub-Processor by way of a written contract that provides at least the same level of protection for personal data as this DPA
- Remain fully liable to the Controller for the performance of each Sub-Processor's obligations
- Conduct due diligence on the data protection practices of prospective Sub-Processors before engagement
6.3 Changes to Sub-Processors
AYBIZA will notify the Controller of intended changes to Sub-Processors (additions or replacements) at least 30 days in advance by updating Schedule 3 and notifying registered account contacts by email.
The Controller may object to a new Sub-Processor within 14 days of notification on reasonable grounds related to data protection. If the Controller objects:
- AYBIZA will use commercially reasonable efforts to make available an alternative Sub-Processor or configuration that avoids the processing of personal data by the objected-to Sub-Processor
- If no alternative is reasonably available and the parties cannot resolve the objection within 30 days, either party may terminate the affected Services with 30 days' written notice
- AYBIZA will not engage the objected-to Sub-Processor for the Controller's data until the objection period has elapsed without objection, or any objection has been resolved
6.4 BYOK (Bring Your Own Keys)
When the Controller supplies its own API keys for third-party LLM or other providers ("BYOK"), data flows directly to the Controller's chosen provider under the Controller's own agreement with that provider. Such providers are not AYBIZA Sub-Processors for BYOK requests. The Controller is solely responsible for ensuring those providers comply with applicable data protection law.
7. Assistance to the Controller
7.1 Data Subject Requests
Taking into account the nature of the processing, AYBIZA assists the Controller with fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, portability, restriction, and objection).
The Controller is primarily responsible for responding to data subject requests. AYBIZA will:
- Promptly forward any data subject requests received directly to the Controller's registered contact address (within 48 hours of receipt)
- Provide reasonable technical assistance to enable the Controller to retrieve, correct, or delete personal data
- Not independently respond to data subject requests unless instructed by the Controller or required by law
7.2 Other Compliance Assistance
AYBIZA also assists the Controller, at the Controller's cost and to a reasonable extent, in ensuring compliance with:
- Security obligations under Articles 32-34 GDPR
- Data breach notification obligations
- Data protection impact assessments (Article 35 GDPR)
- Prior consultation with supervisory authorities (Article 36 GDPR)
Such assistance takes into account the nature of processing and the information available to AYBIZA.
8. Personal Data Breach Notification
AYBIZA will notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Personal Data Breach involving personal data processed under this DPA. This 48-hour notification commitment is stricter than the 72-hour requirement under GDPR Article 33 and is intended to give the Controller maximum time to assess and respond.
The breach notification will include, to the extent then known:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected
- The categories and approximate volume of personal data records affected
- The name and contact details of the AYBIZA point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
AYBIZA will cooperate with the Controller in investigating and mitigating the breach and will provide additional information as it becomes available. AYBIZA will not inform any third party of a Personal Data Breach without the Controller's prior written consent, unless required by applicable law.
AYBIZA is not liable for notification obligations the Controller owes to supervisory authorities or data subjects arising from the breach. Those obligations remain with the Controller as data controller.
9. Deletion and Return of Personal Data
Upon termination or expiry of the Terms of Service:
- Data export period: AYBIZA will make available a complete data export in machine-readable format (JSON or CSV) for 30 days following termination.
- Deletion: After the 30-day export period, AYBIZA will permanently delete all personal data processed under this DPA within 30 days, unless applicable law requires retention for a longer period. Deletion includes all copies in production systems, backups, and disaster recovery systems.
- Certification: AYBIZA will provide written certification of deletion upon the Controller's request.
Notwithstanding the above, AYBIZA retains KYB data, legal acceptance records, and billing records for the retention periods specified in the Privacy Policy to satisfy its own legal obligations as a data controller. Such retained data is processed solely for compliance purposes and not for any other purpose.
10. Audit Rights
AYBIZA makes available all information reasonably necessary to demonstrate compliance with the obligations of this DPA and allows for and contributes to audits and inspections, subject to the following conditions:
- Frequency: The Controller may conduct or commission one audit per calendar year.
- Notice: Minimum 30 days written notice to AYBIZA.
- Timing: Audits will be conducted during normal business hours (Monday–Friday, 9:00 AM–5:00 PM ET, excluding US federal holidays).
- Scope: Limited to AYBIZA's processing of the Controller's personal data and compliance with this DPA.
- Confidentiality: The Controller (or its auditor) must execute a confidentiality agreement acceptable to AYBIZA before the audit commences.
- Cost: The Controller reimburses AYBIZA's reasonable costs of facilitating the audit, including personnel time and any required infrastructure access.
- Auditor qualifications: Third-party auditors must be independent, qualified, and not a direct competitor of AYBIZA.
AYBIZA may satisfy audit obligations by providing current third-party audit reports (SOC 2 Type II, ISO 27001, or equivalent) in lieu of a direct on-site audit, where such reports cover the subject matter and time period of the requested audit. The Controller may only reject such reports and insist on a direct audit where the reports are materially insufficient to address the Controller's reasonable concerns.
11. International Data Transfers
Where personal data originating in the EEA, UK, or Switzerland is transferred to AYBIZA in the United States or to Sub-Processors in third countries that lack an adequacy decision, the following transfer mechanisms apply:
11.1 EEA Transfers
The Standard Contractual Clauses (Module 2, Controller to Processor) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are hereby incorporated into this DPA by reference and apply to transfers of EEA personal data to AYBIZA in the United States. The annexes to the SCCs are populated by the information in Schedules 1, 2, and 3 of this DPA. For the purposes of the SCCs:
- Clause 7 (Docking clause): The optional docking clause is included.
- Clause 9(a) (Sub-processor authorization): Option 2 (general written authorization) applies, with the notification period set at 30 days.
- Clause 11 (Redress): The optional language is not included.
- Clause 17 (Governing law): The laws of Ireland.
- Clause 18 (Forum): The courts of Ireland.
11.2 UK Transfers
The UK International Data Transfer Addendum (UK IDTA), as issued by the ICO under Section 119A of the Data Protection Act 2018 (version in force at the date of this DPA), is hereby incorporated into this DPA and applies to transfers of UK personal data to AYBIZA in the United States, supplementing the SCCs for UK transfers. For the purposes of the UK IDTA:
- Table 1: The parties are as identified in the preamble to this DPA.
- Table 2: The version of the Approved EU SCCs incorporated is as referenced in Section 11.1 above.
- Table 3: Populated by the information in Schedules 1, 2, and 3 of this DPA.
- Table 4: Either party may terminate the UK IDTA as set out in Section 19 of the UK IDTA.
11.3 Supplementary Measures
In addition to the SCCs and UK IDTA, AYBIZA implements supplementary technical and organizational measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), pseudonymization where feasible, strict access controls, and documented policies for responding to government access requests. AYBIZA will notify the Controller if it receives a government access request relating to the Controller's personal data, unless legally prohibited from doing so.
12. HIPAA (Healthcare Data)
Where the Controller is a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and uses AYBIZA Services to process Protected Health Information ("PHI"):
- A separate Business Associate Agreement ("BAA") is required and is available for Enterprise customers on qualifying configurations.
- The BAA is executed as part of the Enterprise onboarding process and governs the processing of PHI.
- In the event of conflict between this DPA and the BAA with respect to PHI, the BAA governs.
- The Controller must not transmit PHI to AYBIZA without an executed BAA in place.
- AYBIZA's infrastructure is designed to support HIPAA requirements on qualifying configurations, including encryption, access controls, audit logging, and data isolation. AYBIZA does not warrant HIPAA compliance absent an executed BAA and applicable configuration.
13. CCPA Provisions
To the extent that AYBIZA processes personal information subject to the CCPA on behalf of the Controller:
- AYBIZA is a "Service Provider" as defined by the CCPA and processes personal information only for the business purposes specified in this DPA and the Terms of Service.
- AYBIZA does not sell or share (as defined by the CCPA) personal information received from or on behalf of the Controller.
- AYBIZA does not combine personal information received from the Controller with personal information received from other sources, except as permitted by the CCPA.
- AYBIZA certifies that it understands the restrictions set forth in this Section and will comply with them.
- The Controller may take reasonable steps to ensure AYBIZA uses personal information in a manner consistent with the Controller's obligations under the CCPA.
14. Term and Termination
This DPA is effective from the date the Controller accepts the Terms of Service and remains in force for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, subject to:
- The obligations set out in Section 9 (Deletion and Return of Personal Data)
- Any surviving obligations under the SCCs or UK IDTA
- AYBIZA's retention obligations as an independent data controller (KYB, billing, legal acceptance records)
15. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in the Terms of Service limits either party's liability for breaches of applicable data protection law that cannot be limited by contract.
16. Order of Precedence
In the event of conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA governs. In the event of conflict between this DPA and the SCCs or UK IDTA with respect to international transfers, the SCCs or UK IDTA (as applicable) govern. In the event of conflict between this DPA and a BAA with respect to PHI, the BAA governs.
17. Amendments
AYBIZA may update this DPA to reflect changes in applicable data protection law, regulatory guidance, or AYBIZA's sub-processor list. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Services after the effective date of a material change constitutes acceptance.
18. Contact
Data protection inquiries: [email protected]
Security inquiries: [email protected]
AYBIZA LLC
32222 Tamina Rd Ste A5-11, The Woodlands, TX 77354
Registered Agent: Registered Agents Inc, 30 N Gould St Ste R, Sheridan, WY 82801
Schedule 1 — Details of Processing
Subject Matter
Processing of personal data in connection with the provision of the AYBIZA platform — including Agents (AI Business Agents), Parties (Business Platform), and Bridges (Connection Workspace) — and all associated services.
Nature and Purpose of Processing
Personal data is processed to:
- Route and conduct AI agent conversations across voice, SMS, email, chat, and messaging channels (Agents)
- Store and manage contact records, CRM data, deals, support tickets, project records, HR records, and financial records (Parties)
- Facilitate internal team chat and agent workspace interactions (Bridges)
- Generate transcripts, recordings, and analytics of agent interactions
- Process speech-to-text and text-to-speech for voice conversations
- Process text through large language models to generate agent responses
- Deliver all other features of the Services as configured by the Controller
Duration of Processing
For the duration of the Terms of Service, plus the 30-day data export period following termination, plus up to 30 additional days for complete deletion.
Categories of Personal Data
- Contact identification data: name, email address, phone number, postal address
- Conversation data: voice recordings, transcripts, chat messages, email content, SMS messages
- Interaction metadata: timestamps, communication channel, duration, outcome, agent ID, session ID
- CRM and business data: deal records, support tickets, contact history, notes, project records, task assignments (as entered by the Controller)
- Voice biometric data: voice audio processed for speech-to-text conversion (not stored beyond the processing session unless recording is enabled by the Controller)
- Technical identifiers: IP addresses, device information, browser type (of end-users interacting with agents)
- Special categories: Only if explicitly enabled by the Controller for healthcare or other regulated use cases, subject to a separately executed BAA or equivalent agreement
Categories of Data Subjects
- End-customers of the Controller — individuals who interact with AI agents deployed by the Controller through the AYBIZA platform
- Contacts and leads stored in the Controller's CRM within Parties
- Employees or team members of the Controller who use Bridges
- Any other individuals whose personal data the Controller inputs into the AYBIZA platform
Schedule 2 — Technical and Organizational Security Measures
AYBIZA implements and maintains the following security measures. These measures are regularly reviewed and updated to address evolving threats.
Encryption
- In transit: TLS 1.3 for all data in transit between clients, the AYBIZA platform, and sub-processors. TLS 1.2 accepted only where TLS 1.3 is not supported by the counterparty.
- At rest: AES-256 encryption for all stored personal data in databases (PostgreSQL) and object storage (S3). Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.
Access Controls
- Authentication: Role-based access control (RBAC) with least-privilege principles. Administrative access requires multi-factor authentication (MFA).
- API security: All API endpoints authenticated via bearer tokens. Internal service-to-service communication authenticated via cryptographic tokens over encrypted channels.
- Personnel access: Access to production systems is restricted to authorized personnel on a need-to-know basis, logged, and reviewed periodically.
Data Isolation
- Multi-tenant isolation: Organization-level data isolation enforced at the database layer. No cross-tenant data access is possible at the application or database layer.
- Network isolation: VPC isolation with private subnets for databases and internal services. Security groups limit inter-service access to explicitly permitted paths.
Audit and Monitoring
- Audit logging: Immutable audit logs of all administrative actions, data access events, configuration changes, and authentication events. Security audit logs retained for a minimum of 12 months.
- Monitoring: Continuous monitoring of infrastructure, application performance, and security events with automated alerting.
Vulnerability Management
- Regular dependency auditing and automated vulnerability scanning
- Static code security analysis integrated into the development pipeline
- Periodic penetration testing by qualified third parties
- Responsible disclosure program for external security researchers
Incident Response
- Documented incident response procedures with defined severity levels, escalation paths, and communication protocols
- Breach notification timelines as set out in Section 8 of this DPA (48 hours)
- Post-incident review and remediation tracking
Business Continuity
- Availability: Infrastructure deployed on AWS ECS Fargate across multiple availability zones within us-east-1 with automated failover.
- Backups: Automated database backups with point-in-time recovery. Backup and recovery procedures tested periodically.
- Disaster recovery: Documented disaster recovery plan with defined recovery time objectives (RTO) and recovery point objectives (RPO).
Personnel
- All personnel with access to personal data are subject to enforceable confidentiality obligations
- Data protection and security awareness training provided upon onboarding and refreshed periodically
- Background checks conducted for personnel with access to production systems, where permitted by applicable law
Schedule 3 — Approved Sub-Processors
The following Sub-Processors are approved as of the effective date of this DPA. Changes will be notified in accordance with Section 6.3.
Infrastructure
- Amazon Web Services, Inc. (AWS) — US (us-east-1) — Cloud infrastructure, compute (ECS Fargate), relational databases (RDS PostgreSQL), caching (ElastiCache Redis), object storage (S3), email delivery (SES), key management (KMS)
- Fly.io, Inc. — US — Marketing website hosting (aybiza.com only; no customer personal data processed)
Payments
- Payment Processor (PCI DSS Level 1 certified) — Payment processing and subscription billing. Processor: Stripe, Inc. (US / Ireland).
Telephony and Messaging
- Twilio Inc. — US — Voice call routing, SMS delivery, and telephony infrastructure
- Additional licensed telephony providers — US — Voice routing and PSTN connectivity (current list available on request at [email protected])
AI and Language Models (Platform-Managed)
- OpenAI, L.L.C. — US — Large language model (LLM) processing for agent conversations and text generation
- Anthropic, PBC — US — Large language model (LLM) processing for agent conversations and text generation
- Google LLC (Gemini) — US — Large language model (LLM) processing for agent conversations and text generation
- Groq, Inc. — US — Large language model (LLM) inference for agent conversations
- Amazon Web Services, Inc. (AWS Bedrock) — US (us-east-1) — Large language model (LLM) processing via managed model hosting
All platform-managed LLM providers process data under agreements with AYBIZA that prohibit the use of customer data for model training. Data submitted to LLM providers is not retained by those providers beyond the duration of the API request, except as required by their own legal obligations.
Speech and Voice Processing
- Deepgram, Inc. — US — Speech-to-text (STT) and text-to-speech (TTS) processing
- AssemblyAI, Inc. — US — Speech-to-text (STT) processing
- ElevenLabs, Inc. — US — Text-to-speech (TTS) voice synthesis
- Cartesia AI, Inc. — US — Text-to-speech (TTS) voice synthesis
- Fixie AI, Inc. (Ultravox) — US — Speech-to-speech (S2S) real-time voice processing
Browser and Meeting Processing
- Steel Inc. — US — Browser automation infrastructure for web-based agent tasks
- Recall.ai, Inc. — US — Meeting transcription and analysis processing
Creative and Video Processing
- Black Forest Labs (Flux) — Germany — Image generation for creative agent workflows
- HeyGen, Inc. — US — AI avatar and video generation
- Tavus, Inc. — US — Personalized AI video generation
- Runway ML, Inc. — US — Video generation for creative agent workflows
- Ideogram, Inc. — US/Canada — Image generation for creative agent workflows
BYOK Exclusion
When the Controller uses BYOK (Bring Your Own Keys), the Controller's chosen provider processes data directly under the Controller's own agreement with that provider and is not an AYBIZA Sub-Processor for those requests. The Controller is solely responsible for that processing relationship.