Data Processing Addendum (DPA)

Controller/processor terms for customer personal data processed through Sylica services.

Last updated: April 20, 2026

1. Definitions and Roles

For customer data processed through Sylica services, customer acts as controller (or business) and Sylica AI acts as processor (or service provider), except where Sylica determines independent processing purposes required by law.

  • Applicable Data Protection Laws means laws governing personal data processing in relevant jurisdictions.
  • Security Incident means a confirmed accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
  • Subprocessor means an approved third party engaged by Sylica to process personal data for service delivery.

2. Subject Matter, Nature, and Duration

Processing is limited to service delivery, support, billing, reliability, and security operations for the duration of the applicable commercial agreement.

  • Data subjects may include customer personnel, end users, and related contacts.
  • Data categories may include identifiers, account metadata, usage telemetry, and support records.
  • Processing continues only for contractual performance periods and legally required retention windows.

3. Processor Commitments

  • Process data only on documented customer instructions, unless required by law.
  • Ensure confidentiality obligations for personnel handling customer data.
  • Apply technical and organizational measures appropriate to processing risk.
  • Assist with verified data subject requests and regulatory obligations where required.
  • Maintain records of processing activities where required by applicable law.

4. Security Measures

  • Access controls, least privilege, and role-based permissions across operational systems.
  • Encryption in transit and at rest for relevant categories of customer data.
  • Logging, monitoring, and detection controls for security and abuse events.
  • Backup, recovery, and resilience procedures aligned to service continuity requirements.

5. Subprocessors

Sylica may engage subprocessors for infrastructure and operational support with contractual safeguards. Current subprocessors are listed at /compliance/subprocessors.

Subprocessors are bound by written obligations that provide data protection commitments substantially similar to Sylica's obligations under this DPA.

6. International Transfers

Where transfers occur across jurisdictions, Sylica applies recognized contractual and technical safeguards consistent with applicable data transfer laws.

Transfer frameworks may include standard contractual clauses and related jurisdictional addenda where applicable.

7. Data Subject Rights Assistance

Sylica provides reasonable assistance to customers in responding to verified data subject rights requests, taking into account the nature of the processing and technical feasibility.

8. Security Incident Notification

Sylica will notify affected customers without undue delay after confirming a Security Incident involving customer personal data and will provide available details for customer legal reporting workflows.

9. Audits and Assessments

Subject to confidentiality, security, and operational constraints, Sylica may provide summary compliance information, certifications, or other reasonable evidence of controls.

10. Return and Deletion

Upon termination, customer data is deleted or returned according to contract terms, except where retention is required by law or necessary for legal claims and security integrity.

11. Contact and Execution

To request an executed DPA package, contact legal@sylicaai.com.

Compliance Contacts

DPA language should be finalized with jurisdiction-specific clauses (for example SCC/UK addendum) before enterprise execution.