v1.0
Effective March 23, 2026
Data Processing Agreement
1. Definitions
In this Data Processing Agreement (DPA), the following terms apply.
Controller: The organization that determines the purposes and means of processing personal data (the Client)
Processor: Pleisys Technologies Private Limited, operating EchoIQ
Data Subject: An identified or identifiable natural person whose personal data is processed
Personal Data: Any information relating to a Data Subject
Processing: Any operation performed on personal data, including recording, transcription, storage, and deletion
Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller
2. Scope and Purpose
This DPA applies to all processing of personal data by EchoIQ on behalf of the Controller.
Processing is limited to providing the EchoIQ service: audio recording, transcription, AI summarization, and related features
The Processor shall only process personal data on documented instructions from the Controller
The Processor shall not process personal data for any purpose other than providing the Service
3. Categories of Data
The following categories of personal data may be processed.
Account Data: Name, email address, phone number, address, date of birth
Conversation Data: Audio recordings, transcripts, AI-generated summaries, action items
Usage Data: Login history, feature usage, device information
Payment Data: Billing details, transaction history (processed by Stripe/Razorpay, not stored by EchoIQ)
Organization Data: Company name, address, team member information
4. Sub-processors
The Processor uses the following sub-processors to deliver the Service. The Controller consents to the use of these sub-processors.
AssemblyAI (USA): Audio transcription and speaker diarization
Anthropic (USA): AI summarization via Claude API
Amazon Web Services (India — ap-south-1): Cloud infrastructure, S3 storage, SES email
Stripe (USA): International payment processing
Razorpay (India): Domestic payment processing
5. Security Measures
The Processor implements the following technical and organizational measures to protect personal data.
Encryption: AES-256-GCM field-level encryption for sensitive data at rest, TLS 1.2+ for data in transit
Access Control: Role-based access control (RBAC), maximum 3 concurrent sessions per user
Authentication: JWT-based authentication with 15-minute access tokens, bcrypt password hashing (cost factor 12)
Audit Logging: All data access, modifications, and deletions are logged with timestamps, user IDs, and IP addresses
S3 Storage: Server-side encryption (AES-256) for all audio files, time-limited presigned URLs for access
Session Security: Automatic session invalidation on password reset, proactive token refresh
6. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller.
Notification within 72 hours of becoming aware of the breach
Notification shall include: nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken
The Processor shall cooperate with the Controller in investigating and remediating the breach
Contact for breach notification: support@pleisys.com
7. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights.
Right of Access: Data export available via Settings > Data & Privacy (JSON format, 16 data categories)
Right to Erasure: Account deletion with 30-day grace period, covers 17 database tables + S3 audio files
Right to Rectification: Users can update their profile data at any time
Right to Data Portability: Full data export in machine-readable JSON format
Right to Restrict Processing: Consent toggles for marketing, analytics, and third-party sharing
Right to Object: Users can revoke optional consents at any time; data processing consent required for service operation
8. Data Retention and Deletion
The Processor retains personal data only as long as necessary for the purposes of processing.
Account data: Retained while account is active, anonymized upon deletion
Conversation data: Retained while account is active, permanently deleted upon account deletion
Audio files: Stored in AWS S3, permanently deleted upon account deletion
Audit logs: Retained for 1 year, then automatically deleted
Payment records: Retained for 7 years as required by tax regulations
Upon termination of the Service, the Controller may request data export before account deletion
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA.
The Controller may request information about data processing activities
The Processor shall provide reasonable cooperation for audits and inspections
Audits shall be conducted with reasonable prior notice and during normal business hours
The Controller shall bear the cost of any audit it initiates
10. International Transfers
Personal data may be transferred to sub-processors located outside the Controller's jurisdiction.
Primary data storage: AWS ap-south-1 (Mumbai, India)
Sub-processors in the USA: AssemblyAI, Anthropic, Stripe
Data is transmitted via encrypted channels (TLS 1.2+) and processed under the sub-processors' own data protection agreements
The Processor ensures that all sub-processors provide adequate data protection guarantees
11. Term and Termination
This DPA remains in effect for the duration of the Service agreement.
This DPA automatically terminates when the Service agreement ends
Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by law
Obligations regarding data protection and confidentiality survive termination
12. Contact
For questions regarding this DPA, contact support@pleisys.com.