Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Adroyt Terms of Service and governs the processing of personal data that Adroyt processes on behalf of customers ("Controller") in connection with the Adroyt platform ("Services"). This DPA is intended to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent provisions in applicable data protection laws.

• Controller: the customer who determines the purposes and means of processing personal data.
• Processor: Adroyt, who processes personal data on behalf of the Controller.
• Personal Data: any information relating to an identified or identifiable natural person processed via the Services.
• Processing: any operation performed on personal data, including collection, storage, use, and deletion.

Adroyt processes personal data strictly in accordance with the Controller's documented instructions. The subject matter, duration, nature, and purpose of processing are described in the Terms of Service and this DPA.

Adroyt will not process personal data for any purpose other than providing and improving the Services, unless required by applicable law.

Adroyt implements and maintains appropriate technical and organisational security measures, including:

• AES-256 encryption at rest and TLS 1.3 in transit
• Role-based access controls and least-privilege principles
• Regular penetration testing and vulnerability assessments
• SOC 2 Type II certified infrastructure
• Multi-tenant data isolation

Adroyt may engage sub-processors to provide elements of the Services. Adroyt maintains an up-to-date list of sub-processors and will notify Controllers of any intended changes, giving Controllers the opportunity to object. All sub-processors are bound by data protection obligations no less protective than this DPA.

Adroyt will, to the extent legally permitted, promptly notify the Controller of any data subject request and provide reasonable assistance in fulfilling the Controller's obligation to respond. The Controller is responsible for managing data subject rights requests related to personal data processed via the Services.

Adroyt will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller data. Notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed.

For questions about this DPA or to request a signed copy, contact us at [email protected].