EchoIQ

Data Processing Agreement

Effective: March 23, 2026
Version 1.0

1. Definitions

In this Data Processing Agreement (DPA), the following terms apply.

  • Controller: The organization that determines the purposes and means of processing personal data (the Client)
  • Processor: Pleisys Technologies Private Limited, operating EchoIQ
  • Data Subject: An identified or identifiable natural person whose personal data is processed
  • Personal Data: Any information relating to a Data Subject
  • Processing: Any operation performed on personal data, including recording, transcription, storage, and deletion
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller

2. Scope and Purpose

This DPA applies to all processing of personal data by EchoIQ on behalf of the Controller.

  • Processing is limited to providing the EchoIQ service: audio recording, transcription, AI summarization, and related features
  • The Processor shall only process personal data on documented instructions from the Controller
  • The Processor shall not process personal data for any purpose other than providing the Service

3. Categories of Data

The following categories of personal data may be processed.

  • Account Data: Name, email address, phone number, address, date of birth
  • Conversation Data: Audio recordings, transcripts, AI-generated summaries, action items
  • Usage Data: Login history, feature usage, device information
  • Payment Data: Billing details, transaction history (processed by Stripe/Razorpay, not stored by EchoIQ)
  • Organization Data: Company name, address, team member information

4. Sub-processors

The Processor uses the following sub-processors to deliver the Service. The Controller consents to the use of these sub-processors.

  • AssemblyAI (USA): Audio transcription and speaker diarization
  • Anthropic (USA): AI summarization via Claude API
  • Amazon Web Services (India — ap-south-1): Cloud infrastructure, S3 storage, SES email
  • Stripe (USA): International payment processing
  • Razorpay (India): Domestic payment processing

5. Security Measures

The Processor implements the following technical and organizational measures to protect personal data.

  • Encryption: AES-256-GCM field-level encryption for sensitive data at rest, TLS 1.2+ for data in transit
  • Access Control: Role-based access control (RBAC), maximum 3 concurrent sessions per user
  • Authentication: JWT-based authentication with 15-minute access tokens, bcrypt password hashing (cost factor 12)
  • Audit Logging: All data access, modifications, and deletions are logged with timestamps, user IDs, and IP addresses
  • S3 Storage: Server-side encryption (AES-256) for all audio files, time-limited presigned URLs for access
  • Session Security: Automatic session invalidation on password reset, proactive token refresh

6. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller.

  • Notification within 72 hours of becoming aware of the breach
  • Notification shall include: nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken
  • The Processor shall cooperate with the Controller in investigating and remediating the breach
  • Contact for breach notification: support@pleisys.com

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights.

  • Right of Access: Data export available via Settings > Data & Privacy (JSON format, 16 data categories)
  • Right to Erasure: Account deletion with 30-day grace period, covers 17 database tables + S3 audio files
  • Right to Rectification: Users can update their profile data at any time
  • Right to Data Portability: Full data export in machine-readable JSON format
  • Right to Restrict Processing: Consent toggles for marketing, analytics, and third-party sharing
  • Right to Object: Users can revoke optional consents at any time; data processing consent required for service operation

8. Data Retention and Deletion

The Processor retains personal data only as long as necessary for the purposes of processing.

  • Account data: Retained while account is active, anonymized upon deletion
  • Conversation data: Retained while account is active, permanently deleted upon account deletion
  • Audio files: Stored in AWS S3, permanently deleted upon account deletion
  • Audit logs: Retained for 1 year, then automatically deleted
  • Payment records: Retained for 7 years as required by tax regulations
  • Upon termination of the Service, the Controller may request data export before account deletion

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA.

  • The Controller may request information about data processing activities
  • The Processor shall provide reasonable cooperation for audits and inspections
  • Audits shall be conducted with reasonable prior notice and during normal business hours
  • The Controller shall bear the cost of any audit it initiates

10. International Transfers

Personal data may be transferred to sub-processors located outside the Controller's jurisdiction.

  • Primary data storage: AWS ap-south-1 (Mumbai, India)
  • Sub-processors in the USA: AssemblyAI, Anthropic, Stripe
  • Data is transmitted via encrypted channels (TLS 1.2+) and processed under the sub-processors' own data protection agreements
  • The Processor ensures that all sub-processors provide adequate data protection guarantees

11. Term and Termination

This DPA remains in effect for the duration of the Service agreement.

  • This DPA automatically terminates when the Service agreement ends
  • Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by law
  • Obligations regarding data protection and confidentiality survive termination

12. Contact

For questions regarding this DPA, contact support@pleisys.com.
