Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) sets out the terms under which Samey AI Solutions Private Limited (“Data Processor”) processes personal data on behalf of its customers (“Data Controller”).

This Agreement forms part of and is subject to the Samey AI Terms of Service available at: https://www.samey.ai/terms

Section 1: Purpose and Subject Matter of Processing

Types of Data Processed:

• User-uploaded files and documents
• Data retrieved from third-party integrations (e.g. Google Drive, OneDrive)
• User profile information: name, email, and organisation details
• Payment information via Stripe
• System logs and monitoring data

Nature of Processing:

• Parsing, indexing, and storage in a vector database
• Execution of AI-driven automations
• Search and retrieval operations
• User authentication and authorisation
• Payment processing and system performance monitoring

Business Purpose:

To provide AI-powered automation and search functionalities.

Duration of Processing:

Data is processed for the agreement duration. File data and integrations are deleted immediately upon termination. User details and logs are retained for 30 more days.

Section 2: Categories of Personal Data and Data Subjects

Data Subjects:

Users of Samey AI services including staff, clients, applicants, and vendors.

Categories of Personal Data:

• Names, email addresses, organisation details
• Billing and payment information
• Access credentials managed via Integration.app
• Documents and files including legal case data, IDs
• System logs and usage data

Section 3: Roles and Responsibilities

3.1 Data Controller Obligations:

• Ensure data is collected lawfully
• Issue documented processing instructions
• Retain right to issue binding instructions

3.2 Processor Obligations:

• Process data only on documented instructions
• Ensure confidentiality and employee agreements
• Implement encryption and access controls
• Support data subject rights
• Engage sub-processors only with authorisation

Section 4: Use of Sub-Processors

Current Sub-Processors:

• Integration.app
• Datastax AstraDB
• Ory
• Stripe
• Datadog
• Microsoft Azure
• Azure OpenAI

Notification of Changes:

Users will be notified 30 days in advance.

Data Protection Measures:

All sub-processors adhere to measures outlined in this Agreement.

Section 5: International Data Transfers

• Data is stored within the EU
• AI models hosted in Sweden (Azure OpenAI)
• Transfers follow SCCs or IDTAs
• Sub-processors must use proper safeguards

Section 6: Data Breach Notification

Samey AI will notify the Controller within 72 hours including incident details, affected data, and mitigation steps.

Section 7: Support with Data Subject Rights

Samey AI assists with GDPR-compliant access, rectification, deletion, and portability requests.

Section 8: Data Retention and Deletion

On termination, files and connections are auto-deleted. Remaining data is deleted after 30 days. Users can export data via support.

Section 9: Audit and Inspection Rights

Audits are permitted with 14-day notice, covering past 14 days’ activity.

Section 10: Amendments and Contact

Material updates will be communicated. Contact support@samey.ai for questions.

Appendices

Appendix A: Security Measures

• TLS 1.2+ encryption
• Access control mechanisms
• Penetration testing
• Activity logging and monitoring

Appendix B: Approved Sub-Processors

• Integration.app
• Datastax AstraDB
• Ory
• Stripe
• Datadog
• Microsoft Azure
• Azure OpenAI

Appendix C: Processing Activity Description

• Collection of files and integration data
• Indexing and vector storage
• Automations and search execution
• Auth management and performance tracking