Data Processing Agreement

Last updated: January 2026

  • GDPR Compliant: Standard Contractual Clauses included
  • EU/UK Ready: Data residency options available
  • HIPAA Available: BAA for healthcare customers

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PiyAPI Cloud Inc. ("Processor") and the customer ("Controller") for the provision of AI memory infrastructure services.

This DPA applies when PiyAPI processes personal data on behalf of the Controller in connection with the services.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, and retrieval.
  • "Data Subject" means the individual to whom personal data relates.
  • "Sub-processor" means a third party engaged by PiyAPI to process personal data.

3. Processing Instructions

PiyAPI will process personal data only:

  • In accordance with documented instructions from the Controller
  • As necessary to provide the contracted services
  • In compliance with applicable data protection laws
  • Subject to confidentiality obligations

4. Security Measures

PiyAPI implements appropriate technical and organizational measures including:

  • AES-256 encryption of data at rest
  • TLS 1.3 encryption for data in transit
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and breach notification procedures
  • Employee security training and background checks

5. Sub-processors

PiyAPI may engage sub-processors to assist in providing services. A current list of sub-processors is available upon request. PiyAPI will notify the Controller of any intended changes to sub-processors, providing an opportunity to object.

Current sub-processors include:

  • AWS - Cloud infrastructure (US, EU regions available)
  • Pinecone - Vector database services
  • OpenAI - Embedding generation (optional)

6. Data Subject Rights

PiyAPI will assist the Controller in responding to data subject requests including:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Data portability
  • Restriction of processing

The Controller can exercise these rights through the PiyAPI dashboard or by contacting privacy@piyapi.cloud.

7. International Transfers

For transfers of personal data outside the EEA, PiyAPI relies on:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • Binding Corporate Rules where applicable
  • Adequacy decisions for approved jurisdictions

Enterprise customers may request EU-only data residency to ensure data never leaves the European Economic Area.

8. Data Retention and Deletion

Personal data will be retained only for as long as necessary to provide the services. Upon termination of the agreement or upon Controller request:

  • Controller may export all data within 30 days
  • PiyAPI will delete personal data within 90 days
  • Certification of deletion provided upon request

9. Breach Notification

In the event of a personal data breach, PiyAPI will:

  • Notify the Controller without undue delay (within 72 hours maximum)
  • Provide details of the breach including affected data and individuals
  • Describe measures taken to address and mitigate the breach
  • Assist the Controller in meeting regulatory notification obligations

10. Audit Rights

The Controller may audit PiyAPI's compliance with this DPA by:

  • Requesting SOC 2 Type II audit reports
  • Reviewing security certifications and compliance documentation
  • Conducting on-site audits (with reasonable notice, for Enterprise plans)

11. Contact

For questions about this DPA or to exercise data protection rights:

  • Email: privacy@piyapi.cloud
  • Data Protection Officer: privacy@piyapi.cloud
  • Postal: PiyAPI Cloud Inc., [Address]

Need a signed DPA?

Enterprise customers can request a countersigned DPA.
