Saylidocs
Download

Data Processing Addendum

Template DPA: roles, processing scope, subprocessors, security measures, and deletion.


Draft

Draft. This document is under legal review and is not yet in effect.

This is a template Data Processing Addendum for customers who need one. It supplements the Terms of Service when Sayli processes personal data on a customer's behalf.

Parties and roles

The customer is the controller. Sayli (entity name pending incorporation) is the processor. Sayli processes personal data only on the customer's documented instructions, which are: provide the service as described in the Terms and as configured by the customer in the product.

Scope of processing

Subject matter
Operation of the Sayli meeting copilot for the customer.
Duration
The subscription term, plus the deletion window below.
Nature and purpose
Recording, transcription, redaction, retrieval, AI-generated answers and briefs, storage, search, and sharing as directed by the customer's users.
Categories of data
Audio recordings, transcripts, briefs and notes, Knowledge Base content, account data of the customer's users, and usage records.
Data subjects
The customer's users, and participants in conversations the customer's users run Sayli on.

The customer is responsible for having a lawful basis for the processing, including any consent that call-recording law requires. See Recording consent guidance.

Confidentiality

Persons authorized to process the personal data are bound by confidentiality obligations.

Security measures

Sayli applies the measures described in the Security overview. In summary: encryption in transit and at rest, per-organization tenant isolation enforced in the data model, redaction of sensitive strings at ingest, short-lived signed URLs for object access, short-lived access tokens with rotating refresh tokens, an audit log of state-changing actions, and scrubbing of error telemetry.

Subprocessors

The customer gives general authorization for the subprocessors listed at Subprocessors. Sayli will give notice before adding or replacing a subprocessor, and the customer may object on reasonable data protection grounds.

[Counsel: set the notice period, the objection window, and the remedy if an objection cannot be resolved.]

Sayli imposes data protection terms on each subprocessor that are no less protective than this DPA, and remains responsible for their performance.

International transfers

Personal data is processed in the United States, with product analytics on PostHog's EU cloud.

[Counsel: SCCs placeholder. Incorporate the EU Standard Contractual Clauses (controller-to-processor, Module Two) and the UK addendum as applicable, or rely on an adequacy mechanism per processor.]

Assistance

Taking into account the nature of the processing, Sayli assists the customer with data subject requests, security, breach notification, and data protection impact assessments. Sayli notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer's data.

[Counsel: confirm whether a fixed notification window (e.g. 72 hours) is committed here.]

Deletion on termination

On termination of the subscription, or earlier on the customer's documented instruction, Sayli deletes the customer's personal data. Users can also delete meetings and accounts directly in the product, which erases the associated recordings, transcripts, briefs, and search embeddings. On request, Sayli confirms deletion in writing. Data may persist in backups for a bounded period before being overwritten.

[Counsel: state the backup retention bound once the backup policy is finalized.]

Audits

Sayli makes available the information reasonably necessary to demonstrate compliance with this DPA.

[Counsel: define the audit right, frequency, and cost allocation. Note that no third-party certification (e.g. SOC 2) exists yet; see the Security overview.]