Data Processing Agreement

1. Parties and definitions

This Data Processing Agreement (“DPA”) is between IzzyOS LLC, a Wyoming limited liability company with its principal office at 1309 Coffeen Ave STE 1200, Sheridan, WY 82801 (“IzzyOS,” “Processor”), and the customer entity that has accepted the Terms of Service (“Customer,” “Controller”).

Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), UK-GDPR, or applicable data-protection law. References to “Data Protection Laws” mean the GDPR, UK-GDPR, the Swiss Federal Act on Data Protection, PIPEDA (Canada), the CCPA/CPRA (California), the LGPD (Brazil), and any other privacy laws applicable to the processing under this DPA.

2. Roles

For personal data of Customer’s contacts, leads, end-customers, and employees processed by IzzyOS in the course of providing the Service, Customer is the Controller and IzzyOS is the Processor. For Customer’s own account data (used to manage the Service relationship and to bill Customer), IzzyOS acts as a Controller; that processing is governed by our Privacy Policy, not this DPA.

3. Subject matter and duration

• Subject matter: processing of personal data necessary to provide the IzzyOS Service to Customer, as described in the Terms of Service.
• Nature and purpose: hosting, storing, transmitting, analyzing, and deleting personal data; running AI features (Kai); sending communications (email, SMS, voice) on Customer’s instructions; providing analytics and support.
• Duration: for the term of the Service subscription, plus the retention windows in §11 of the Privacy Policy and the termination handling in §13 below.

4. Categories of data subjects and personal data

Data subjects: Customer’s contacts, leads, prospects, end-customers, employees, and other individuals whose data Customer processes through the Service.

Categories of personal data:

• Identity and contact data: name, email, phone, postal address, business affiliation
• Communication content: emails, SMS, voice recordings, voice transcripts, chat messages
• Behavioral data: opt-in events, page views, form submissions, opens, clicks, calls placed, appointments booked
• Commercial data: purchases, payment events, subscription status (Stripe holds payment-method details)
• Inferred data: AI-generated summaries, memories, classifications related to the data subject

IzzyOS does not knowingly process special-category data. Voice recordings may include biometric-adjacent information; their handling is described in §6 of the Privacy Policy.

5. Customer’s instructions

IzzyOS will process personal data only on Customer’s documented instructions. Use of the Service constitutes such instructions. IzzyOS will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

6. Sub-processors

Customer authorizes IzzyOS to engage sub-processors. The current list is published at /legal/sub-processorsand updated with at least 30 days’ advance notice of additions or material changes.

IzzyOS imposes contractual obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for sub-processor performance. Customer may object to a new sub-processor by emailing privacy@izzyos.com within the notice period; if the parties cannot agree on accommodation, Customer may terminate the Service with a pro-rata refund of any pre-paid period.

7. International transfers

IzzyOS is operated from the United States. Where personal data of EU, UK, Swiss, or Canadian residents is transferred to the United States or another country outside the data subject’s jurisdiction:

• For EU and Swiss transfers, the Standard Contractual Clauses (Module 2: Controller-to-Processor) issued by the European Commission in Decision 2021/914 are incorporated into this DPA by reference and apply to the transfer.
• For UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs apply.
• IzzyOS has performed Transfer Impact Assessments for each transfer per the Schrems II decision and applies supplementary measures where necessary, including encryption in transit and at rest, access controls, and audit logging.

8. Security

IzzyOS implements technical and organizational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.2 or higher) and at rest
• Role-based access controls with the principle of least privilege
• Audit logging for administrative actions and data access
• Secret management (no credentials in code, logs, or configuration)
• Regular dependency reviews and security patching
• Backup with tested restore procedures (rolling 30-day retention)
• Pre-deployment review for changes touching authentication, data access, or external integrations

9. Personal data breach

IzzyOS will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer’s data, providing the information needed for Customer to meet its own breach-notification obligations under Data Protection Laws.

10. Assistance with data subject rights

IzzyOS will, taking into account the nature of the processing, assist Customer in fulfilling its obligations to respond to data subjects’ requests for access, rectification, erasure, restriction, portability, and objection. Standard tooling provided in the Service includes per-contact data export, contact deletion (with cascade to AI memory and communication history), and consent records. For requests beyond standard tooling, IzzyOS may charge a reasonable cost-recovery fee.

11. Assistance with DPIAs and consultations

IzzyOS will provide reasonable assistance to Customer with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities concerning the processing under this DPA, subject to a reasonable cost-recovery fee for substantial assistance.

12. Audit rights

IzzyOS makes available the information necessary to demonstrate compliance with this DPA, including via published policies, sub-processor list, and documentation of technical and organizational measures. On reasonable written request and not more than once per twelve-month period (except in case of a documented breach), IzzyOS will respond to a written audit questionnaire from Customer covering the matters in this DPA. On-site audits are not generally accommodated; if required by Customer’s regulatory obligations, IzzyOS may agree subject to reasonable scope, advance notice, confidentiality, and cost recovery.

13. Termination — return and deletion

On termination of the Service, at Customer’s option:

• Customer may export all personal data through the Service’s export functionality before deletion
• IzzyOS will, within 30 days of termination, delete personal data in its possession or control, except for backups (deleted within the rolling 30-day backup window) and information IzzyOS is required to retain by applicable law (e.g., billing records held by Stripe under US tax law for 7 years)
• On request, IzzyOS will certify the deletion in writing

14. Confidentiality

IzzyOS ensures that persons authorized to process personal data are bound by confidentiality obligations (employment terms, contractor agreements, or written undertaking).

15. CCPA / CPRA addendum

For personal information of California residents, IzzyOS acts as a “Service Provider” under the CCPA/CPRA. IzzyOS will not:

• Sell or share personal information
• Retain, use, or disclose personal information outside the direct business relationship with Customer or for any purpose other than performing the Service
• Combine personal information received from Customer with personal information from other sources, except as permitted under CCPA Regulation §7050

IzzyOS will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.

16. Liability

Each party’s liability under this DPA is subject to the limitation-of-liability terms in the Terms of Service.

17. Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of personal data.

18. Changes

IzzyOS may update this DPA from time to time. Material changes will be communicated with at least 30 days’ advance notice. Continued use of the Service after the effective date constitutes acceptance.

19. Contact

For DPA questions, counter-signature requests, or assistance with data subject requests:

IzzyOS LLC
1309 Coffeen Ave STE 1200
Sheridan, WY 82801, United States
privacy@izzyos.com

Annex 1 — Description of processing

Subject matter: provision of the IzzyOS Service.

Duration: for the term of the subscription plus retention windows.

Nature and purpose: as described in §3.

Types of personal data: as described in §4.

Categories of data subjects: as described in §4.

Sub-processors: as listed at /legal/sub-processors.

Annex 2 — Technical and organizational measures

As described in §8 of this DPA and §12 of the Privacy Policy.

Annex 3 — Standard Contractual Clauses

For EU/Swiss transfers, the Standard Contractual Clauses (Module 2: Controller-to-Processor) in Annex of European Commission Decision (EU) 2021/914 of 4 June 2021, available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj, are incorporated by reference. The data exporter is Customer; the data importer is IzzyOS LLC. Optional clauses apply per the description in this DPA. Annexes I, II, and III of the SCCs are populated by Annexes 1 and 2 above and the sub-processor list.

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (version B1.0, in force from 21 March 2022), available from ico.org.uk, applies.