Data processing addendum (DPA)

Last updated 14 May 2026

This DPA forms part of your agreement with SAYLS.in for the use of the Service. It defines the obligations of SAYLS.in (Processor) when handling personal data on behalf of you (Controller).

Roles

You are the Controller of personal data uploaded into your tenant workspace. We are the Processor and act only on your documented instructions.

Sub-processors

Listed in our Privacy Policy. We notify you of changes via your registered email at least 30 days before adoption.

Security measures

• TLS 1.2+ for data in transit; AES-256 at rest for backups.
• Tenant-scoped queries enforced at the model layer; isolation invariant under automated test.
• Role-based access control (six built-in roles).
• Audit log of every data change with actor, before/after, IP and user-agent.
• HMAC-signed webhooks (SHA-256).
• CSRF tokens on every mutating form. Login rate-limited.
• Backups retained for 30 days; restorable from the agency console.

Breach notification

We will notify you within 72 hours of becoming aware of any personal-data breach affecting your workspace, with details we then know and an action plan.

International transfers

Default hosting is India. If you require a different region (EU, US), we will agree on the location in your order form. Standard Contractual Clauses are available on request for cross-border transfers.

Audit rights

Upon 30 days' written notice and during business hours, you may request a third-party audit of our security controls (or a SOC 2 / ISO 27001 attestation when available).

Termination

On termination, we delete or return all your personal data within 30 days unless retention is required by law.

Contact & signature

For a counter-signed copy on company letterhead, email hello@sayls.in.