Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Webifyd Technologies ("Processor") and you ("Controller") for the Roya AI service.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Data Subject" means the individual to whom Personal Data relates.
2. Scope of Processing
The Processor will process Personal Data only to provide the Roya AI service as instructed by the Controller. This includes chatbot interactions, lead capture, and analytics as configured by the Controller.
3. Processor Obligations
The Processor shall: process Personal Data only on documented instructions; ensure personnel are bound by confidentiality; implement appropriate security measures; assist with data subject requests; delete or return data upon termination.
4. Sub-processors
The Processor may engage sub-processors to provide the service. A current list of sub-processors is available upon request. The Controller will be notified of any changes to sub-processors with the right to object.
5. Security Measures
The Processor implements technical and organizational measures including: encryption of data in transit and at rest; access controls and authentication; regular security testing; incident response procedures; employee training.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, affected data, likely consequences, and measures taken.
7. Assistance to Controller
The Processor shall assist the Controller in ensuring compliance with data protection obligations, including responding to data subject requests, conducting impact assessments, and cooperating with supervisory authorities.
8. Audit Rights
The Controller may audit the Processor's compliance with this DPA. The Processor shall provide necessary information and allow for inspections. Third-party audit reports may be provided as an alternative.
9. International Transfers
Personal Data may be transferred internationally only with appropriate safeguards in place, such as standard contractual clauses or adequacy decisions, as required by applicable data protection laws.
10. Termination
Upon termination of services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless required by law to retain the data.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing only where it has not complied with its obligations.
12. Contact
For questions about this Data Processing Agreement, please contact: