This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Master SaaS and Services Agreement (the "Agreement") between:
Provider (Tyria LLC), and
Customer.
For purposes of applicable Data Protection Laws, Customer is the Controller of Personal Data processed under the Agreement, and Provider is the Processor, except where Customer acts as a Processor for a third party, in which case Provider is a Subprocessor.
Order of precedence. If there is a conflict between this DPA and the Agreement regarding Personal Data processing obligations, this DPA controls for those purposes. If a HIPAA BAA applies to PHI, the BAA controls for PHI.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement, unless otherwise defined in applicable Data Protection Laws.
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including (where applicable) GDPR and UK GDPR.
"Personal Data" means information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data.
"Personal Data Breach" has the meaning set forth in GDPR/UK GDPR (as applicable).
"Subprocessor" means a third party appointed by Provider to process Personal Data.
2. Customer Instructions
Provider will process Personal Data only on documented instructions from Customer, including as necessary to provide the Subscription Services under the Agreement and this DPA, unless required by applicable law.
3. Customer Responsibility
Customer is responsible for: (a) determining lawful basis for Processing; (b) providing required notices to data subjects; (c) responding to data subject requests; and (d) ensuring Customer instructions comply with Data Protection Laws.
4. Details of Processing
The subject matter, duration, nature and purpose of Processing, types of Personal Data, and categories of data subjects are described in Schedule 1.
5. Provider Obligations
Provider will:
5.1 Confidentiality. Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
5.2 Security Measures. Implement appropriate technical and organizational measures to protect Personal Data, as described in Schedule 2.
5.3 Assist with Data Subject Requests. Provide reasonable assistance to Customer to fulfill data subject requests, to the extent Customer cannot do so through the Subscription Services.
5.4 Assist with Compliance. Provide reasonable assistance with Customer's obligations regarding security, breach notifications, DPIAs, and prior consultations, taking into account the nature of Processing and information available to Provider.
5.5 Subprocessors. Use Subprocessors only in accordance with Section 7.
5.6 No Sale/Ads; Purpose Limitation. Provider will not sell Personal Data, use it for advertising, or use it for unrelated profiling; Provider processes Personal Data only to provide, maintain, secure, and support the Subscription Services and to meet its obligations under the Agreement and this DPA.
6. Instructions and Compliance Responsibility
6.1 Unlawful Instructions. If Customer instructs Provider to process Personal Data in a manner Provider reasonably believes violates Data Protection Laws, Provider will notify Customer and may suspend the relevant Processing until Customer provides compliant instructions.
6.2 Customer-Specific Compliance Responsibility. Provider is not responsible for compliance with laws applicable uniquely to Customer's industry or use case, except as required under Data Protection Laws for a Processor.
7. Subprocessors
7.1 General Authorization. Customer provides general authorization for Provider to engage Subprocessors to process Personal Data, subject to this DPA.
7.2 List. Provider's current Subprocessors are listed at https://trust.tyriacore.app/ (Subprocessor List) and/or in Schedule 3.
7.3 Flow-Down Terms. Provider will impose data protection obligations on Subprocessors that are no less protective than this DPA.
7.4 Notice of Changes; Objection; Limited Termination Remedy. Provider will provide at least 30 days' prior notice before adding or replacing a Subprocessor that materially affects the Processing of Personal Data, via email, trust center posting, or other written notice.
Customer may object on reasonable data protection grounds by providing written notice within 15 days after Provider provides the notice (an "Objection Notice"). If Customer does not provide an Objection Notice within that 15-day period, Customer is deemed to have accepted the change.
The Objection Notice must: (a) describe the specific and reasonable data protection grounds; and (b) include information reasonably sufficient to demonstrate the change is reasonably likely to materially increase risk to confidentiality, integrity, or availability of Personal Data, or materially increase Customer's compliance/security/business risk.
The Parties will work together in good faith to resolve the objection prior to the effective date. Provider may take commercially reasonable steps to address the objection, including not implementing the change for Customer, offering an alternative configuration/workaround, or providing additional information.
If the Parties cannot resolve the objection in good faith prior to the effective date, Customer may terminate only the affected Subscription Services by written notice within 30 days after Provider notifies Customer it cannot accommodate the objection (or earlier, by the effective date).
Customer's sole and exclusive remedy for an unresolved objection: (a) termination of affected Subscription Services without early termination penalty for those affected services; and (b) a prorated refund of prepaid unused Subscription Fees for the affected services (if any). No other refunds, credits, or damages are owed under this Section 7.4.
8. International Transfers (If Applicable)
If Personal Data subject to GDPR/UK GDPR is transferred outside the EEA/UK to a country not recognized as adequate, the Parties will ensure appropriate safeguards are in place. Where applicable, the Parties agree the EU SCCs and/or UK Addendum will apply as incorporated by reference in Schedule 4.
9. Personal Data Breach
9.1 Notification. Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
9.2 Minimum Details. The notice will include, to the extent known: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, mitigation steps taken or proposed, and a point of contact.
9.3 Cooperation. Provider will reasonably cooperate with Customer's investigation and Customer obligations to notify regulators and data subjects, as applicable.
10. Compliance Information; Audit Rights
10.1 SOC 2 Status; Report Availability. Provider maintains a security program with controls designed to align with the AICPA Trust Services Criteria. If Provider has a SOC 2 Type II report available for distribution, Provider will make it available to Customer under NDA upon request.
10.2 Compliance Information. Upon Customer's written request, Provider will make available reasonable information necessary to demonstrate compliance with this DPA and Provider's security obligations, subject to confidentiality and reasonable protections for Provider systems and other customers' data.
10.3 Audit Right (Bounded). If Customer requires an on-site audit or third-party audit of Provider controls, it must: (a) be limited to one (1) audit per twelve (12) months (unless a confirmed Personal Data Breach materially affecting Customer reasonably requires additional audit); (b) occur during normal business hours with at least 30 days' prior written notice; (c) be limited in scope to systems and controls used to provide the Subscription Services to Customer; (d) not unreasonably interfere with Provider operations or compromise other customers' data; (e) be performed by an independent auditor bound by confidentiality; and (f) be subject to a mutually agreed audit plan and confidentiality terms.
Customer bears its audit costs and will reimburse Provider for Provider's reasonable time and out-of-pocket expenses within 30 days of invoice.
10.4 SOC Report in Lieu of Audit. If Provider provides a SOC 2 Type II report for a given period, Customer agrees that receipt of the report satisfies Customer's audit request for that period unless Customer demonstrates a specific and reasonable need for additional audit procedures related to Customer Data.
11. Return or Deletion
11.1 Customer may export Customer Data using available Subscription Services functionality.
11.2 Upon termination or expiration of the Agreement, Provider will delete or return Customer Data within 60 days after termination or expiration (or earlier upon Customer's written request), unless retention is required by law. If deletion is not immediately feasible (e.g., backups), Provider will isolate and protect the data and delete it in accordance with backup retention cycles.
12. Liability
12.1 The Parties' liability under this DPA is subject to the limitations of liability in the Agreement, unless prohibited by Data Protection Laws.
12.2 Nothing in this DPA limits liability that cannot be limited under applicable law.
13. Governing Law
This DPA is governed by the governing law in the Agreement, unless Data Protection Laws require otherwise for SCCs/UK Addendum.
Schedule 1 - Processing Details
Subject matter: Provision of TyriaCore Subscription Services.
Duration: Term of the Agreement plus limited post-termination retention.
Nature of Processing: Hosting, storing, transmitting, retrieving, organizing, analyzing, and presenting Customer Data as directed by Customer; support and troubleshooting.
Purpose: Provide and maintain the Subscription Services, provide support, ensure security, and meet contractual obligations.
Categories of data subjects: Customer end users, employees, contractors, prospects/clients, and others whose data Customer submits.
Types of Personal Data: Names, emails, phone numbers, addresses, account identifiers, notes, documents, event data, communications metadata, and other Personal Data submitted by Customer.
Special categories: Not intended by Provider; Customer-controlled. If Customer processes special categories, Customer is responsible for lawful basis and safeguards.
Schedule 2 - Security Measures (Summary)
Measures appropriate to risk may include:
RBAC/least privilege; MFA for privileged access;
TLS in transit; encryption at rest for applicable stores; key management controls;
audit logging for key actions; monitoring and alerting; restricted log access;
logical tenant isolation; production controls; non-production segregation;
vulnerability remediation process;
incident response procedures;
backup and restore capabilities; tested restoration procedures;
personnel confidentiality obligations and security training.
Schedule 3 - Subprocessors
See the Subprocessor List page at https://trust.tyriacore.app/.
Schedule 4 - SCCs / UK Addendum (If Applicable)
If applicable, incorporate:
EU SCCs (Module Two, Controller-to-Processor; or Module Three, Processor-to-Processor, where Customer acts as a Processor for a third party as described above) and/or UK Addendum, and
transfer details and annexes (categories of data, security measures, subprocessors).