Data Processing Addendum
For processing of personal data by BEYLA on behalf of its customers
Version 1.0 · Effective 20 April 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between BEYLA UK LTD (“BEYLA”, acting as Processor) and the customer identified in the applicable order, click-through or online terms (“Customer”, acting as Controller), together the “Agreement”. It applies to BEYLA’s processing of Personal Data on the Customer’s behalf when Customer uses the BEYLA Service. Capitalised terms not defined here have the meaning given in the Terms of Service. BEYLA UK LTD is a company registered in England and Wales with registered office at 128 City Road, London, EC1V 2NX.
1. Definitions
In this DPA:
- “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) where applicable, the ePrivacy Directive (as transposed into UK law), and any other applicable laws relating to privacy, personal data protection or data security.
- “Personal Data”, “Data Subject”, “processing”, “controller”, “processor”, “supervisory authority”, “personal data breach” have the meanings given in the UK GDPR.
- “Restricted Transfer” means a transfer of Personal Data to a country or recipient outside the UK that does not benefit from adequacy and which, absent additional safeguards, would be prohibited under Data Protection Laws.
- “Standard Contractual Clauses”, “EU SCCs” or “SCCs” means the standard contractual clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 (or successor).
- “UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner, and any addendum to the EU SCCs issued by the UK Information Commissioner, each as in force from time to time.
- “Sub-processor” means any third party engaged by BEYLA to process Personal Data on behalf of the Customer in connection with the Service.
2. Scope and roles
2.1 This DPA applies where BEYLA processes Personal Data on behalf of the Customer in connection with the Service. It does not apply to Personal Data that BEYLA processes as a controller (for example account data or billing), which is governed by BEYLA’s Privacy Policy.
2.2 For the purposes of this DPA: (a) the Customer is the Controller; (b) BEYLA is the Processor; and (c) each Sub-processor engaged by BEYLA is a sub-processor.
2.3 The subject matter, duration, nature and purpose of processing, the categories of Personal Data and the categories of Data Subjects are set out in Schedule 1 (Details of Processing) to this DPA.
3. Customer responsibilities and instructions
3.1 The Customer is responsible for the accuracy, quality and legality of Personal Data submitted to the Service, for the means by which it acquired the Personal Data, and for its compliance with Data Protection Laws as Controller.
3.2 The Customer instructs BEYLA to process Personal Data: (a) to provide, maintain and support the Service in accordance with the Agreement; (b) as further instructed by the Customer through the Service (including its settings, configurations, integrations and Authorised Users); and (c) to comply with other reasonable documented instructions from the Customer, where these are consistent with the Agreement.
3.3 BEYLA will notify the Customer if, in its opinion, an instruction infringes Data Protection Laws.
3.4 The Customer warrants that it has all necessary consents, authority and lawful bases to transfer Personal Data to BEYLA for processing under the Agreement, and for BEYLA to process it in accordance with this DPA.
4. BEYLA obligations as processor
4.1 BEYLA will process Personal Data only on the Customer’s documented instructions, except where required to do so by law (in which case BEYLA will, where lawful, notify the Customer before processing).
4.2 BEYLA will ensure that personnel authorised to process Personal Data are bound by obligations of confidentiality.
4.3 BEYLA will implement appropriate technical and organisational measures as described in Schedule 2 (Technical and Organisational Measures) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. BEYLA may update these measures from time to time, provided the overall level of protection is not materially reduced.
4.4 BEYLA will, taking into account the nature of the processing and the information available, provide reasonable assistance to the Customer to enable the Customer to: (a) respond to Data Subject requests; (b) ensure compliance with security, breach notification, impact assessment and prior consultation obligations under Articles 32–36 UK GDPR; and (c) demonstrate compliance with this DPA. BEYLA may charge reasonable fees for assistance that materially exceeds ordinary use of the Service.
5. Sub-processors
5.1 The Customer provides a general authorisation for BEYLA to engage Sub-processors to process Personal Data for the purposes of providing the Service.
5.2 BEYLA maintains a current list of material Sub-processors at beyla.ai/legal/subprocessors (a copy is also available by emailing privacy@beyla.ai). BEYLA will provide prior notice of any new Sub-processor (by updating that page or by email), giving the Customer a reasonable opportunity to object.
5.3 If the Customer has a reasonable, objectively-justified objection to a new Sub-processor on data protection grounds, the parties will work together in good faith. If no resolution is reached within 30 days, the Customer’s sole remedy is to terminate the affected part of the Service on written notice.
5.4 BEYLA will enter into written terms with each Sub-processor that impose data protection obligations substantially equivalent to those in this DPA. BEYLA remains liable to the Customer for the acts and omissions of its Sub-processors in relation to the Personal Data, subject to the limitations of liability in the Agreement.
6. International transfers
6.1 BEYLA operates the Service from the United Kingdom. The Customer acknowledges and agrees that Personal Data may be transferred to and processed in countries outside the UK, including the EEA, United States and other jurisdictions, through BEYLA, its Affiliates and Sub-processors.
6.2 For Restricted Transfers, BEYLA will rely on one or more of the following safeguards: (a) an adequacy decision or regulation; (b) the UK IDTA or the UK Addendum to the EU SCCs; (c) the EU SCCs (where applicable); or (d) another mechanism permitted under Data Protection Laws.
6.3 Where the UK IDTA or EU SCCs apply, the parties are deemed to have entered into them for the Restricted Transfer, with the Customer as data exporter, BEYLA (or the applicable Sub-processor) as data importer, and the practical details as set out in this DPA and Schedule 1.
7. Personal data breaches
7.1 BEYLA will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA.
7.2 Notifications will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
7.3 BEYLA will take reasonable steps to contain and investigate personal data breaches and will cooperate with the Customer’s reasonable requests for further information and assistance. BEYLA’s notification or response to a breach is not an acknowledgement of fault or liability.
8. Data Subject rights
8.1 BEYLA will, to the extent reasonable and taking into account the nature of the processing, provide tools and features within the Service to enable the Customer to respond to requests by Data Subjects to exercise their rights.
8.2 If BEYLA receives a request from a Data Subject relating to the Customer’s use of the Service, BEYLA will promptly forward it to the Customer and not respond directly, unless instructed or legally required to do so.
9. Audits
9.1 BEYLA will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This may be satisfied by provision of the most recent independent third-party audit reports (such as SOC 2 or ISO 27001), certifications, questionnaires and written responses to reasonable data-protection enquiries.
9.2 To the extent the foregoing is insufficient under Data Protection Laws, the Customer may (no more than once per year, on at least 30 days’ written notice, during business hours, without disruption to the Service) request an audit of BEYLA’s compliance with this DPA, conducted at the Customer’s cost by a mutually-agreed qualified auditor bound by confidentiality. In the event of a material personal data breach affecting the Customer, the 30-day notice and annual limit will not apply.
10. Deletion and return of Personal Data
10.1 On termination or expiry of the Agreement, the Customer may within 30 days request the return or export of the Personal Data in the Service’s standard export formats. After that period, BEYLA will delete Personal Data from active systems in the ordinary course, subject to its backup and retention schedules and any requirement to retain copies under applicable law. Backup copies are overwritten in the normal course of business.
10.2 BEYLA will certify deletion on written request.
11. Liability
11.1 Each party’s liability arising under or in connection with this DPA is subject to the limitations of liability in the Agreement. The DPA does not increase either party’s overall liability.
12. Term and changes
12.1 This DPA applies from the Effective Date and remains in force until all Personal Data has been deleted or returned in accordance with clause 10.
12.2 BEYLA may update this DPA from time to time to reflect changes in law, regulatory guidance, Sub-processor arrangements or industry best practice. BEYLA will give reasonable notice of material changes via email or in-product notice.
13. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
Schedule 1 — Details of Processing
A. Subject matter and duration
Subject matter: processing of Personal Data by BEYLA to provide the Service to the Customer. Duration: for the term of the Agreement, plus any additional period for deletion, return, or as required by law.
B. Nature and purpose of processing
BEYLA processes Personal Data for the purposes of providing, maintaining, securing and supporting the Service, including hosting, storing, retrieving, organising, analysing, summarising and otherwise operating on Customer Data using AI and machine-learning components, delivering agentic workflows, providing integrations with third-party services, and complying with the Agreement and applicable law.
C. Categories of Data Subjects
The Customer determines which Data Subjects’ Personal Data is submitted. Typical categories include: the Customer’s employees, contractors, founders, directors, Authorised Users, customers, prospects, suppliers, advisers, partners and other business contacts.
D. Categories of Personal Data
The Customer determines what Personal Data is submitted. Typical categories include: name, business contact details, role, company, identifiers, communications content (emails, messages), documents and attachments, financial and transactional data (excluding full payment card numbers), usage information, and other business information relevant to the Customer’s use of the Service.
E. Special categories of Personal Data
The Customer should not submit special category Personal Data, data relating to criminal convictions or offences, children’s data, or PCI-DSS cardholder data unless expressly agreed in writing with BEYLA. See the Acceptable Use Policy.
F. Frequency of transfer
Continuous — during the term.
G. Retention
As set out in the Agreement and DPA. On termination, Personal Data is retained for up to 30 days to enable export, then deleted in the ordinary course subject to backup cycles and legal obligations.
H. Competent supervisory authority
The UK Information Commissioner’s Office (ICO). Where the EU SCCs apply, the competent authority is the lead authority of the Customer’s main establishment in the EU.
Schedule 2 — Technical and Organisational Measures
BEYLA implements and maintains appropriate technical and organisational measures to protect Personal Data. These measures are reviewed and updated regularly and include, at minimum, the following:
Governance
- documented information security policies approved by senior management and reviewed at least annually;
- a security function accountable for the implementation of this programme;
- background checks on personnel commensurate with role and risk;
- mandatory security and data protection training on joining and at least annually;
- vendor risk-management process, including written data processing terms with Sub-processors;
Access control
- role-based access control, least privilege and need-to-know principles;
- single sign-on and multi-factor authentication for production and administrative access;
- segregation of duties for privileged actions;
- prompt revocation of access upon role change or departure;
Encryption
- encryption of Personal Data in transit using modern TLS standards;
- encryption of Personal Data at rest where supported by the underlying storage service;
- secure key management with rotation and segregation;
Network and infrastructure
- use of reputable cloud hosting providers with appropriate security certifications;
- network segmentation, firewalls and secure-by-default configurations;
- hardening baselines, vulnerability scanning and patch management;
- protection against DDoS, common web application attacks and bot abuse;
Development and change management
- secure software development lifecycle practices, including peer code review;
- separation of development, staging and production environments;
- change management controls for production deployments;
- dependency management, including tracking and remediation of known vulnerabilities;
Monitoring, logging and incident response
- centralised logging of security-relevant events, with tamper resistance;
- 24/7 monitoring and alerting for critical systems;
- documented incident-response plan tested periodically;
- personal data breach notification process aligned with clause 7;
Business continuity and resilience
- backup of production data with defined retention and tested restoration;
- business continuity and disaster recovery plans, with defined recovery objectives;
Data protection by design and default
- privacy and security reviews embedded into significant feature development;
- minimisation, pseudonymisation and de-identification where practical;
- mechanisms in the Service for data export, deletion and access control to support Data Subject rights.