Data Processing Agreement (DPA)
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Erayaha ("Processor") and you ("Controller") for the provision of AI-powered document intelligence services. This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Scope and Definitions
This DPA applies to the processing of personal data by Erayaha on behalf of the Controller in the course of providing Services.
- "Personal Data" means any information relating to an identified or identifiable natural person contained in documents processed through the Services.
- "Processing" has the meaning given in GDPR Article 4(2).
- "Data Subject" means the individual to whom Personal Data relates.
- "Subprocessor" means any third party appointed by Erayaha to process Personal Data.
2. Nature and Purpose of Processing
Erayaha will process Personal Data for the following purposes:
- Document analysis and intelligence extraction
- AI-powered contract review and redlining
- Providing search and retrieval capabilities
- Platform maintenance and support
- Compliance with legal obligations
3. Controller and Processor Obligations
3.1 Controller Instructions
Erayaha will process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
3.2 Controller Warranties
The Controller warrants that:
- It has obtained all necessary consents and has a lawful basis for processing Personal Data
- Instructions given to Erayaha comply with applicable data protection laws
- It will inform Data Subjects about the processing as required by law
4. Security Measures
Erayaha implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest (AES-256)
- Regular security testing, assessment, and evaluation of security measures
- Access controls and multi-factor authentication
- Security monitoring and incident detection systems
- Employee training on data protection and security
- Secure data destruction procedures
5. Subprocessors
The Controller authorizes Erayaha to engage the following Subprocessor:
- Vercel Inc. - Web hosting, infrastructure, and deployment platform (EU: Dublin & Frankfurt)
Erayaha will provide at least 30 days' notice to the Controller of any intended changes concerning the addition or replacement of Subprocessors. The Controller may object to such changes on reasonable data protection grounds.
All Subprocessors are bound by data protection obligations equivalent to those in this DPA.
Sandbox Deployment Option: Enterprise customers may opt for a sandbox deployment where the entire Erayaha application runs on the Controller's own cloud infrastructure. In this configuration, no third-party Subprocessors process the Controller's data, providing complete data sovereignty and eliminating cross-border data transfers. The sandbox deployment uses the same Next.js server architecture as our standard offering.
6. Data Subject Rights
Erayaha will, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under data protection laws. Erayaha will:
- Provide reasonable assistance to enable the Controller to respond to Data Subject requests
- Not respond to such requests directly without the Controller's prior authorization
- Implement appropriate technical measures to facilitate Data Subject rights
7. Personal Data Breaches
Erayaha will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach affecting the Controller's data. The notification will include:
- Nature of the breach and categories of data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
8. International Data Transfers
Erayaha may transfer Personal Data to countries outside the EEA. For such transfers, Erayaha ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Additional security measures for data transfers to third countries
Copies of relevant transfer mechanisms are available upon request.
9. Audit Rights
Erayaha will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
For enterprise customers, Erayaha will permit annual audits or inspections by the Controller or an independent auditor appointed by the Controller, subject to reasonable notice (at least 30 days) and confidentiality obligations.
10. Data Deletion and Return
Upon termination of Services, Erayaha will, at the Controller's choice:
- Delete all Personal Data and existing copies (default action)
- Return all Personal Data to the Controller in a commonly used format
Erayaha may retain Personal Data to the extent required by applicable law, provided that Erayaha will ensure the confidentiality of such Personal Data and will only process it as necessary for the purpose(s) specified in the applicable law.
11. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. The parties agree that any fines or penalties imposed by a supervisory authority on one party due to the other party's failure to comply with this DPA shall be borne by the party responsible for the non-compliance.
12. Term and Termination
This DPA will remain in effect for the duration of the Services and will automatically terminate upon the cessation of all Services involving the processing of Personal Data, subject to Section 10 (Data Deletion and Return).
13. Contact Information
For questions or concerns about this Data Processing Agreement, please contact:
- Email: privacy@erayaha.ai
- Data Protection Officer: privacy@erayaha.ai
For enterprise customers requiring a signed DPA or custom terms, please contact our sales team at contact@erayaha.ai.
Last Updated: November 26, 2024
This DPA is compliant with GDPR and incorporates Standard Contractual Clauses where applicable.