Legal

Data Processing Agreement

Last updated: April 2026 · Last reviewed: April 2026 · Next scheduled review: April 2027

This is a summary of Foyla's standard Data Processing Addendum between Foyla, Inc., a Delaware corporation (the "Processor" or "Service Provider"), and each customer (the "Controller" or "Business"). The binding version is a signed document we'll execute alongside your MSA. It covers US state privacy laws (CCPA/CPRA and equivalents) and, for EU/UK customers, GDPR/UK GDPR. Request the signable copy at [email protected].

1. Roles

The customer is the Controller (or Business, under US state law) of its personal data. Foyla, Inc. is the Processor (or Service Provider), processing personal data only on the customer's documented instructions and for the purposes set out in the MSA. Foyla does not sell personal information, does not use it for cross-context behavioural advertising, and does not use personal data for any purpose outside the business purpose of providing the service.

2. Scope and purpose

Foyla processes personal data to provide the Foyla service as described in the order form, the Terms of Service, and the Privacy Policy. The MSA, order form, this DPA, and any written configuration the Customer provides (including playbook definitions, AI employee scopes, and support tickets) together constitute the Customer's documented processing instructions under applicable data-protection law. Foyla will notify the Customer if, in its opinion, an instruction infringes applicable data-protection law.

3. Categories of data and data subjects

4. Confidentiality

Every Foyla employee and contractor who can access customer data is bound by written confidentiality obligations and has completed annual security and privacy training.

5. Security measures

Technical and organisational measures are described on our Security page and form part of this DPA. Measures are reviewed and updated at least annually.

6. Subprocessors

We rely on a short list of subprocessors to run the service. The current list is maintained at foyla.ai/legal/subprocessors and includes, at minimum, cloud infrastructure providers, foundation-model providers, transactional email providers, and website analytics providers. We give at least 30 days' notice of any new subprocessor; customers may object on reasonable data-protection grounds, and we'll work in good faith to resolve the objection or, if we can't, allow termination of the affected service.

7. International transfers

US customer data is processed in the United States by default. For EU/UK customers, data can be processed in the EU (Frankfurt) on request; where EU/UK personal data is transferred to the US or elsewhere outside the EEA/UK, the transfer is governed by the EU Standard Contractual Clauses (Module Two: controller-to-processor) and the UK International Data Transfer Addendum, or an equivalent approved mechanism.

8. Data subject requests

If a data subject contacts Foyla directly, we'll forward the request to you without responding substantively (unless legally required). We'll assist you in responding within applicable deadlines.

9. Security incidents

We'll notify you without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting your data, along with the information reasonably needed for you to meet your own regulatory obligations under GDPR, state breach-notification laws (e.g. California, New York SHIELD Act), and sector-specific rules like HIPAA where applicable.

10. Audits

On reasonable notice and no more than once per year (unless prompted by an incident), you may audit our compliance with this DPA. In most cases we'll satisfy the audit obligation by providing our SOC 2 / ISO reports and answering a security questionnaire.

11. Return and deletion

On termination or on your written request, we'll return or delete customer personal data within 30 days, unless US federal, state, or (for EU customers) member-state law requires retention.

12. Liability

Each party's liability under this DPA is subject to the limitations in the underlying MSA or Terms of Service, except that each party's aggregate liability arising out of breach of this DPA shall be capped at the greater of (a) two times the fees paid or payable in the 12 months preceding the claim, or (b) US$500,000. The preceding cap does not apply to a party's indemnification obligations, to amounts owed for breach of confidentiality, or to liability that cannot be limited under applicable law.

Contact

DPA questions: [email protected]
Privacy and data-subject requests: [email protected]