Data Processing Agreement
Effective date: 1 June 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Synvolve Intellis Private Limited (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) and governs the processing of personal data we perform on your behalf in providing the Riya platform (“Service”). Where you require a countersigned copy, contact privacy@synvolveintellis.com.
1. Roles of the Parties
For personal data relating to your end-users that is processed through the agents you configure, you are the Controller (you determine the purpose and means of processing) and we act as the Processor (we process such data only on your documented instructions, which include your use of the Service and these Terms). For data we process to operate and bill the Service (your account and billing data), we act as an independent controller as described in our Privacy Policy.
2. Subject-matter, Nature & Purpose
We process personal data for the purpose of providing the Service: hosting and operating AI agents, storing conversation logs and knowledge-base content, enabling channels (chat, voice, messaging), and related support. Processing continues for the duration of your subscription.
3. Categories of Data & Data Subjects
- Data subjects: your authorised users and your end-users who interact with your agents.
- Categories: identifiers (name, email, phone), conversation content, and any personal data your end-users provide to your agents or that you upload to your knowledge base.
You are responsible for ensuring you have a lawful basis and any required notices/consents to process end-user data through the Service, and for not submitting special-category data unless appropriate safeguards are in place.
4. Our Obligations as Processor
- Process personal data only on your documented instructions, unless required by law.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see Section 6).
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance.
5. Sub-processors
You provide general authorisation for us to engage sub-processors to deliver the Service. Our current sub-processors are listed at /subprocessors. Each sub-processor is bound by data-protection obligations no less protective than those in this DPA. We will give notice of intended additions or replacements so you may object on reasonable data-protection grounds.
6. Security Measures
We maintain measures including: AES-256 encryption at rest, TLS 1.3 in transit, per-tenant data isolation, role-based access control, audit logging, secret management, network controls, and regular security assessments. We review these measures periodically and update them to address evolving risk.
7. Personal Data Breach
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably available to help you meet your notification obligations to authorities and data subjects.
8. International Transfers
Core platform data is hosted in India. Where sub-processors process data outside India (or, for UAE customers, outside the UAE), such transfers are made under appropriate safeguards and limited to what is necessary to provide the Service. See Sub-processors for details.
9. Data-subject Requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to fulfil your obligation to respond to requests from data subjects exercising their rights. The Service also provides export and deletion tooling within your workspace.
10. Return & Deletion
On termination, account and conversation data is retained for 30 days to allow export, after which it is deleted, except where retention is required by law (e.g. billing records retained for the period required by Indian tax law). You may request earlier deletion in writing.
11. Audit
We will make available, on reasonable written request and subject to confidentiality, information and relevant third-party audit reports/certifications necessary to demonstrate compliance with this DPA. Any on-site audit will be scoped to avoid disrupting the Service or compromising other customers' data.
12. Applicable Law
This DPA is governed by the laws of India and is intended to support compliance with India's Digital Personal Data Protection Act, 2023 and, for UAE customers, applicable UAE data-protection law. It is subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India, consistent with the Terms of Service.
13. Contact
For DPA execution or data-protection queries, contact privacy@synvolveintellis.com.