Data processing agreement.

Last updated July 4, 2026

What this agreement is.

This Data Processing Agreement (the "DPA") sets out how VYRA Data Inc. ("VYRA", "we", "us") handles personal information that we process on your behalf when you use our services. It applies whenever your use of the services results in VYRA processing personal information for which you, our customer, decide the purposes and the means.

In this DPA, you are the controller and VYRA is the processor. You decide why and how the personal information is processed. We process it only to provide the services and only on your instructions.

This DPA forms part of your agreement with us. It works alongside our Terms of Service, our Privacy Policy, and, where you have signed one, your master services agreement and statement of work. Where this DPA conflicts with those documents on the handling of personal information that we process on your behalf, this DPA controls for that subject. For everything else, the order of precedence in your main agreement applies.

If you accept the services, or continue to use them, you accept this DPA on behalf of yourself and any organisation you represent. If you sign this DPA as an individual for an organisation, you confirm that you have the authority to bind that organisation.

Definitions.

The terms below have the meanings given here. Terms we use but do not define have the meaning given in the applicable data protection law.

  • Applicable data protection law means every privacy and data protection law that applies to the processing under this DPA. This includes Canada's PIPEDA, Quebec's Law 25, the comprehensive US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA, the EU General Data Protection Regulation (GDPR), and the UK GDPR, each to the extent it applies.
  • Customer personal data means personal information that VYRA processes on your behalf under your agreement with us. It does not include personal information for which VYRA decides the purposes and means, such as your account and billing contacts, which we handle as a controller under our Privacy Policy.
  • Controller means the party that decides the purposes and means of processing. You are the controller. This term includes an equivalent role, such as a business under US state law or a person carrying on an enterprise under Law 25.
  • Processor means the party that processes personal information on the controller's behalf and on its instructions. VYRA is the processor. This term includes an equivalent role, such as a service provider under US state law.
  • Subprocessor means a third party we engage to process customer personal data on our behalf.
  • Processing means any operation performed on personal information, such as collecting, storing, using, sharing, or deleting it.
  • Data subject means the identified or identifiable individual to whom personal information relates.
  • Data subject rights request means a request from a data subject to exercise a right under applicable data protection law, such as access, correction, deletion, portability, or objection.
  • Personal data breach means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer personal data. This includes a confidentiality incident under Law 25.
  • Restricted transfer means a transfer of customer personal data to a country or recipient where that transfer needs a specific safeguard under applicable data protection law.
  • Standard contractual clauses or SCCs means the standard data protection clauses adopted by the European Commission for the transfer of personal data to processors in third countries.
  • UK addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (ICO).
  • DPF means the EU-US Data Privacy Framework and its UK extension.

Scope and our roles.

This DPA covers all customer personal data that VYRA processes on your behalf through the services. This can include personal information about your SaaS end users, your CRM contacts, the end users in an advertising audience you run with us, and data subjects whose data you provide for an AI-implementation project such as training, testing, or evaluation data.

You are the controller of customer personal data. VYRA is your processor. Where a further layer applies, for example when a subprocessor processes the data for us, that subprocessor is our sub-processor and remains under our responsibility to you.

The subject matter, nature, and purpose of the processing, the duration, the types of personal information, and the categories of data subjects are described in Annex I. Annex I is a general description that reflects how our services work. Your specific configuration, order, and statements of work refine it for your engagement.

You are responsible for the lawfulness of the personal information you provide and the instructions you give. You confirm that you have a valid legal basis and any required consent to provide the customer personal data to us and to have us process it as instructed. For advertising, this means you confirm you have the rights and consent needed before any pixel or conversion event fires, consistent with the Meta Business Tools Terms, which you accept as controller when we run ads on your behalf.

Processing on your documented instructions.

VYRA processes customer personal data only on your documented instructions, unless a law we are subject to requires otherwise. If a law requires us to process beyond your instructions, we will tell you of that requirement before we process, unless the law forbids us from telling you.

Your instructions are made up of this DPA, your agreement with us, your order and statements of work, your configuration of the services, and any further written instruction you give that we accept. Using the services as documented is itself an instruction to process as needed to provide them.

If we believe an instruction breaks applicable data protection law, we will tell you. We may pause the affected processing until the instruction is resolved, without being in breach of our agreement.

Confidentiality.

We keep customer personal data confidential. We make sure that everyone we authorise to process customer personal data, whether an employee or a contractor, is bound by a duty of confidentiality, whether by contract or by a legal duty, and is trained on their responsibilities. We limit access to those who need it to provide the services.

Security.

We put in place technical and organisational measures designed to protect customer personal data against a personal data breach, matched to the risk and the sensitivity of the data. These measures are described in Annex II. We may update them as technology and threats change, but we will not reduce the overall level of protection during your engagement.

You are responsible for the security choices within your control, such as how you configure the services, who you grant access to, and whether you enable available protections like multi-factor authentication.

Subprocessing.

You give us general written authorisation to engage subprocessors to help provide the services. Every subprocessor we use is bound by a written contract that imposes data protection obligations no less protective than those in this DPA, to the extent they apply to the work the subprocessor does. We stay responsible to you for the acts and omissions of our subprocessors.

We keep a current list of subprocessors, with their purpose and the categories of processing, at our subprocessors page. The list identifies our AI model providers among the other categories such as cloud hosting, database services, payment processing, email delivery, analytics, advertising measurement, and support.

When we plan to add or replace a subprocessor, we update the list and give notice before the new subprocessor starts processing customer personal data. You can subscribe to change notices on the subprocessors page. You have 30 days from the notice to object in writing, on reasonable data protection grounds. If you object, we will work with you in good faith to address your concern, for example by offering an alternative or a configuration change. If we cannot resolve it, you may terminate the affected part of the services for the period after the change would take effect, and receive a pro-rated refund of prepaid fees for that unused period, as your sole remedy.

Helping with data subject rights.

We help you meet your duty to respond to data subject rights requests. Where the request relates to customer personal data we process for you, we assist through appropriate technical and organisational measures, so far as this is possible, taking into account the nature of the processing.

Where the services provide in-product tools to access, correct, export, or delete data, you can use those tools directly. Where you need our help beyond those tools, contact privacy@vyradata.com and we will respond within a reasonable time and in any case in time for you to meet your legal deadline.

If a data subject contacts us directly about customer personal data we process for you, we will not respond on the substance except to confirm the request relates to you. We will pass the request to you promptly, and help you handle it.

Personal data breach.

If we become aware of a personal data breach affecting customer personal data, we notify you without undue delay. Our notice will describe, to the extent we know it, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take to address it and reduce harm. Where we cannot provide all of this at once, we provide it in phases as we learn more.

We help you meet your own notification duties to regulators and to affected individuals, such as those under PIPEDA, Law 25, the GDPR, and the UK GDPR. Because you are the controller, deciding whether and how to notify regulators and individuals is your responsibility, and our notice to you is not an admission of fault.

Helping with impact assessments.

We help you carry out data protection impact assessments and prior consultations with regulators where applicable data protection law requires them, taking into account the nature of the processing and the information available to us.

This includes cooperating with a privacy impact assessment under Quebec's Law 25, including the assessment Law 25 requires before personal information is communicated outside Quebec, and with a data protection impact assessment under GDPR Article 35 for high-risk processing. We provide the information about our processing and our security measures that you reasonably need for these assessments.

International data transfers.

Some of our subprocessors are in the United States or other countries, so customer personal data may be processed outside your home region. Where a transfer of customer personal data is a restricted transfer, we apply the safeguard that applicable data protection law requires.

  • For personal data protected by the GDPR, the SCCs apply. We enter the SCCs on the Module Two basis, controller to processor, with you as data exporter and VYRA as data importer. The selections that complete the SCCs are set out in Annex IV, and this DPA and its annexes provide the information the SCCs require.
  • For personal data protected by the UK GDPR, the UK addendum applies to the SCCs, completed as set out in Annex V.
  • Where personal data is subject to Swiss law, the SCCs apply with the adjustments needed for Switzerland, including references to the Swiss Federal Data Protection and Information Commissioner and to individuals in Switzerland.
  • Where we or a subprocessor are certified under the DPF, we may rely on it for the relevant transfer. Because the framework may face legal challenge, we keep the SCCs in place as a fallback so your data stays protected if the framework becomes unavailable.
  • Before we communicate Quebec personal information outside Quebec, we run the assessment that Law 25 requires. Under PIPEDA, we require every subprocessor that processes customer personal data to give it a comparable level of protection by contract.

If a change in law or a court decision makes a transfer mechanism invalid, we will work with you in good faith to put an alternative lawful mechanism in place.

Return or deletion at the end of the services.

When your services end, you can export your customer personal data using the tools we provide, and we will help where you need more. At your choice, we return the customer personal data to you in a portable format or delete it.

Unless you tell us otherwise, we delete customer personal data, and instruct our subprocessors to delete their copies, within 60 days after the services end. We may keep customer personal data longer only where a law we are subject to requires it, and then only for as long as that law requires and only for that purpose. This 60-day window sits alongside the shorter data-export window in our Terms of Service, which tells you how long you have to retrieve your data before this deletion process begins.

On your written request, we confirm in writing that the deletion is complete.

Audit rights.

We help you confirm that we meet the obligations in this DPA.

  • Once a year, on request, we provide a written summary of our data protection and security controls, such as a current report or certification, or a completed security questionnaire.
  • Where that summary does not give you the assurance you reasonably need, you may audit our processing on site. You give us at least 30 days written notice, we agree the timing so it does not disrupt our operations, and the audit is limited in scope to what is relevant to your customer personal data. You keep what you learn confidential, you bear your own costs, and you reimburse our reasonable costs where an audit goes beyond one visit a year or is not triggered by a suspected breach.
  • We may satisfy an audit right through an independent third-party audit where that gives you comparable assurance.

An audit must not require us to disclose another customer's data, our security details in a way that would weaken our protections, or anything that would breach a legal or confidentiality duty.

Aggregated and de-identified data.

We may create and use aggregated and de-identified data derived from the processing to operate, secure, and improve the services. This data does not identify you or any individual and cannot reasonably be linked back to a person. We do not treat this data as customer personal data, and our obligations for customer personal data do not apply to it, provided it stays de-identified and we do not attempt to re-identify it.

AI-specific processor terms.

Some services use artificial intelligence, including the VYN AI teammate, and we may process customer personal data through AI features on your behalf. These terms apply on top of the rest of this DPA.

  • We do not let the third-party foundation model providers we use train their models on customer personal data. We rely on the business and enterprise terms of those providers, which do not train on customer content.
  • We do not train VYRA's own models on customer personal data unless you opt in through a written agreement.
  • Our AI model providers appear on our subprocessors page among the other subprocessor categories, and they are bound by the subprocessing terms above.
  • Where it is technically feasible, we pass your instructions through to our AI subprocessors, so that limits you set, such as not training on your data, are carried down the chain.
  • We may use aggregated and de-identified data, which cannot be traced back to you or any individual, to run and improve AI features, as described in the aggregated and de-identified data section above.

Term, termination, and precedence.

This DPA takes effect when you accept the services or your agreement with us, whichever is first, and continues for as long as we process customer personal data on your behalf. The sections that by their nature should continue after the services end, such as return or deletion, confidentiality, and audit, survive until we have deleted or returned all customer personal data.

On the handling of personal information that VYRA processes on your behalf, this DPA controls over any conflicting term in your main agreement with us. Where this DPA incorporates the SCCs, and the SCCs conflict with this DPA on a matter the SCCs govern, the SCCs control for that matter.

Annex I. Description of the processing.

This annex describes the processing in general terms. Your order, configuration, and statements of work refine it for your engagement.

Subject matter and duration.

The subject matter is the provision of VYRA's services to you, including our SaaS products Vyra Insights, Vyra Life, Vyra Code, and the VYN AI teammate, and our services such as website development, SEO, static Meta ads, app development, CRM development and implementation, and AI implementation. The processing lasts for the term of your agreement, plus the return or deletion period described above.

Nature and purpose.

The nature of the processing includes collecting, recording, storing, structuring, using, sharing with authorised subprocessors, and deleting customer personal data. The purpose is to provide, operate, secure, and support the services you have chosen, on your instructions.

Categories of data subjects.

  • Your SaaS end users and the people whose accounts you administer.
  • Your CRM contacts and the individuals in your customer records.
  • The end users in an advertising audience you run with us.
  • Data subjects whose data you provide for an AI-implementation project, such as training, testing, or evaluation data.
  • Other individuals whose personal information you choose to submit through the services.

Categories of personal information.

  • Identity and contact details, such as name, email address, phone number, company, and job title.
  • Account and profile data, and records of the features used and actions taken.
  • Content you or your end users submit, including prompts and messages sent to VYN and the responses returned.
  • Advertising and measurement data, including hashed contact identifiers used for matching.
  • Technical data, such as device, browser, approximate location from IP address, and usage logs.

Sensitive information.

The services are not designed to process sensitive or special-category information, such as health, biometric, or financial-account data. You should not submit it unless your agreement with us authorises it and you have the legal basis and any required consent. Where you are authorised to submit it, we handle it with additional care.

Frequency and retention.

The processing is continuous for the term of your agreement. Retention follows the periods in your agreement and our Privacy Policy, and customer personal data is returned or deleted at the end of the services as described above. For example, VYN chat and prompt data is kept for about 90 days unless it is needed longer to run the service, resolve a dispute, or meet a legal duty.

Annex II. Technical and organisational measures.

We apply the measures below to protect customer personal data. Our security program is designed to align with the control areas of ISO/IEC 27001, and we track the AI management principles of ISO/IEC 42001 as our AI features grow. We may update these measures as long as we do not reduce the overall level of protection.

Access control.

  • Role-based, least-privilege access, so people can reach only what their job requires.
  • Multi-factor authentication on administrative accounts.
  • Prompt removal of access when a person no longer needs it.
  • Unique accounts with no shared credentials for administrative access.

Encryption and data protection.

  • Encryption of customer personal data in transit and at rest.
  • Key management that limits access to encryption keys.
  • Hashing of contact identifiers before they are sent to advertising tools for matching.

Network and system security.

  • Segmentation and firewalling of production systems.
  • Hardening and patching of systems on a regular cadence.
  • Protections against common web and application attacks.

Monitoring and logging.

  • Logging and monitoring to detect and investigate unusual activity.
  • Alerting on security-relevant events.
  • Retention of logs for a period that supports investigation.

Resilience and recovery.

  • Regular backups of production data.
  • Tested procedures to restore availability and access after an incident.

Operational and organisational measures.

  • A documented incident response process, with defined roles and notification steps.
  • Confidentiality obligations and security training for personnel who handle customer personal data.
  • Security review of the subprocessors we rely on.
  • Change management and separation of development and production environments.

Measures the customer applies.

You are responsible for the measures within your control, including configuring access, managing your users, enabling available protections such as multi-factor authentication, and keeping your own credentials secure.

Annex III. Subprocessors.

We keep the current list of subprocessors, with each one's purpose and the categories of processing, at our subprocessors page. The categories include:

  • Cloud hosting and infrastructure.
  • Database services.
  • Payment processing.
  • Transactional email delivery.
  • AI model access, which is where our third-party foundation model providers appear.
  • Website analytics.
  • Advertising measurement.
  • Customer support tools.
  • CRM platforms we use to manage relationships and, where you are our client, to run yours.

The subprocessors page states the notice and objection process, which is the same as the one in the subprocessing section above.

Annex IV. EU standard contractual clauses.

Where the GDPR protects customer personal data and a restricted transfer occurs, the SCCs are incorporated into this DPA and completed as follows.

  • The module that applies is Module Two, controller to processor.
  • You are the data exporter and VYRA is the data importer.
  • For the optional docking clause that lets another party join, the option does not apply unless you and VYRA agree otherwise in writing.
  • For the general authorisation of subprocessors, the option that allows general written authorisation applies, with the 30-day objection window set out in the subprocessing section above.
  • For the choice of governing law and forum, the law and courts of the Republic of Ireland apply, unless another EU member state's law is required.
  • The information the SCCs require about the parties, the processing, and the technical and organisational measures is provided by this DPA and by Annexes I, II, and III.
  • The optional time period for notifying the data subject of onward transfers and similar options is completed to reflect the practices described in this DPA.

Annex V. UK and Swiss transfers.

Where the UK GDPR protects customer personal data and a restricted transfer occurs, the UK addendum is incorporated into this DPA and applied to the SCCs completed in Annex IV.

  • The UK addendum is completed with you as the exporter and VYRA as the importer, using the details in Annex IV and the rest of this DPA.
  • For the UK addendum's option that lets either party end the addendum if the ICO issues a revised approved version, that option applies.

Where Swiss law protects customer personal data, the SCCs in Annex IV apply with the adjustments needed for Switzerland. References to the GDPR are read as references to the Swiss Federal Act on Data Protection where required, the competent authority is the Swiss Federal Data Protection and Information Commissioner, and individuals in Switzerland may enforce the SCCs as third-party beneficiaries.

How to reach us.

For privacy and data-rights questions about this DPA, email privacy@vyradata.com.

For security issues and vulnerability reports, email security@vyradata.com.

For general and legal questions, email contact@vyradata.com.

You can reach us at VYRA Data Inc., Halifax, Nova Scotia, Canada.

Questions? contact@vyradata.com