RylvoRylvo

Legal

Data Processing Addendum

The contractual terms governing how Rylvo processes customer-controlled personal data.

Last updated July 13, 2026

Privacy Policy

In short

  • This DPA applies automatically when Rylvo processes personal data on an Operator's behalf under the Terms.
  • The Operator is the controller or processor that determines the instructions; Rylvo is its processor or subprocessor.
  • Rylvo uses documented instructions, confidentiality, security controls, managed subprocessors, rights assistance, and deletion controls.
  • Restricted international transfers use the applicable SCCs or another lawful transfer mechanism.

This summary is for convenience only and is not a substitute for the full text below.

01Scope & Parties

This Data Processing Addendum (DPA) forms part of the Rylvo Terms of Service or other agreement governing the Services (Agreement). It applies when Rylvo processes personal data contained in Customer Data on behalf of the Operator. Capitalized terms not defined here have the meaning in the Agreement.

The Operator is Customer. Rylvo, Inc. is Rylvo. If Customer is a controller, Rylvo is its processor. If Customer is a processor for another controller, Rylvo is Customer's subprocessor. Each party will comply with the data-protection laws applicable to its role.

02Processing Details

  • Subject matter: providing, securing, supporting, monitoring, and maintaining the AI-agent control plane, API, channels, knowledge retrieval, observability, supervision, testing, automation, and customer-configured integrations.
  • Duration: for the term of the Agreement and the limited deletion, backup, legal-hold, and statutory-retention periods described in the Agreement and Privacy Policy.
  • Nature and purpose: collecting, hosting, organizing, transmitting, retrieving, analyzing, redacting, deleting, and otherwise processing Customer Data only to deliver the Services and follow documented instructions.
  • Data subjects: Customer personnel, authorized users, Customer's bot end users, contacts, recipients, and other people whose information Customer submits or causes the Services to process.
  • Personal data: identifiers, contact and account data, message content and attachments, prompts, knowledge content, channel identifiers, audience profiles, tool results, traces, evaluations, consent records, technical logs, and other data selected by Customer.
  • Sensitive data: only data Customer is legally permitted to submit and that the applicable Service is documented to support. Regulated data restricted by the Terms remains prohibited without a separate written agreement.

03Customer Instructions

Rylvo will process Customer Data only on Customer's documented instructions, including the Agreement, Customer's configuration and use of the Services, support requests, and other written instructions Rylvo accepts. If law requires different processing, Rylvo will inform Customer before processing unless law prohibits notice.

Rylvo will promptly notify Customer if, in its reasonable opinion, an instruction infringes applicable data-protection law. Rylvo may suspend the affected processing while the parties resolve the issue. Customer is responsible for the lawfulness, accuracy, notices, consents, and instructions relating to Customer Data.

04Confidentiality & Security

Rylvo will ensure personnel authorized to process Customer Data are bound by confidentiality obligations and access it only as necessary for their duties.

  • Access control: organization-scoped authorization, role-based permissions, least-privilege service access, and server-authoritative controls for sensitive resources.
  • Encryption: TLS for data in transit and AES-256-GCM for supported stored credentials and secrets; provider-managed encryption at rest for primary managed infrastructure.
  • Resilience: managed infrastructure, backups appropriate to the service, monitoring, rate limits, durable queues for critical workflows, and recovery procedures.
  • Secure development: code review, dependency and configuration controls, testing, logging, and remediation proportionate to risk.
  • Data lifecycle: plan-based operational retention, deletion workflows, legal-hold controls, and separation of financial records requiring longer retention.

These measures may evolve as technology and risk change, but Rylvo will not materially reduce the overall security of the Services during the Agreement.

05Subprocessors

Customer gives Rylvo general authorization to use subprocessors. The current list is published at /subprocessors. Rylvo will impose data-protection obligations appropriate to each subprocessor's services and remains responsible for their performance to the extent required by applicable law.

Rylvo will provide reasonable advance notice of a new subprocessor that will materially process Customer Data. Customer may object within 15 days on reasonable data-protection grounds. The parties will work in good faith on a commercially reasonable alternative; if none is available, either party may terminate the affected Service without penalty for the unused prepaid period.

AI providers, databases, channels, MCP servers, and connectors chosen and configured by Customer are customer-directed recipients. Customer is responsible for their selection, instructions, contracts, and transfer basis; they are not Rylvo subprocessors merely because the Services transmit data to them at Customer's direction.

06Rights & Compliance Assistance

Taking into account the nature of processing and information available to Rylvo, Rylvo will reasonably assist Customer with data-subject requests, security obligations, breach notifications, data-protection impact assessments, and regulator consultations required by applicable law.

If Rylvo receives a request relating to Customer Data, it will direct the requester to Customer where practicable and will not independently respond except on Customer's instructions or as law requires. Customer is responsible for responding to requests. Assistance beyond standard Service functionality may be charged at agreed rates.

07Personal Data Breaches

Rylvo will notify Customer without undue delay after confirming a personal data breach affecting Customer Data. Notice will include available information reasonably necessary for Customer's legal obligations, such as the nature of the incident, affected data, likely consequences, and mitigation. Information may be provided in phases as the investigation develops.

Notification is not an admission of fault or liability. Customer is responsible for notices to regulators, data subjects, and third parties unless law assigns that duty to Rylvo.

08International Transfers

For Customer Data transferred from the EEA to a country without an applicable adequacy decision, the 2021 European Commission Standard Contractual Clauses are incorporated by reference, using Module 2 for controller-to-processor transfers or Module 3 for processor-to-processor transfers as appropriate. Customer is data exporter and Rylvo is data importer.

The optional docking clause applies; the competent supervisory authority and governing member-state law follow Customer's EEA establishment where legally permitted; Annex I is completed by the Agreement and Processing Details above; Annex II is completed by the Security section; and Annex III is the current subprocessor list. For UK restricted transfers, the then-current UK Addendum or mandatory replacement applies. Swiss law adaptations apply where required.

If a valid alternative transfer mechanism applies, it may replace the SCCs to the extent lawful. Rylvo will provide information reasonably necessary for Customer's transfer assessment, subject to confidentiality and security restrictions.

09Return & Deletion

During the term, Customer may use available export and deletion tools. Following termination or a valid deletion instruction, Rylvo will delete or return Customer Data in accordance with the Agreement and Privacy Policy, unless law requires retention. Data in backups will be isolated from ordinary use and deleted through the normal backup lifecycle. De-identified data that cannot reasonably be linked to a person is not Customer Data.

10Information & Audits

Rylvo will make information reasonably necessary to demonstrate compliance available through documentation, questionnaires, summaries, and independent reports when available. If that information is insufficient, Customer may request one audit per year by an independent auditor bound by confidentiality, on reasonable notice, during business hours, without accessing other customers' data or disrupting the Services.

Customer bears audit costs unless an audit identifies Rylvo's material breach of this DPA. Rylvo may require reasonable scope, security, and confidentiality safeguards.

11Order, Liability & Contact

If this DPA conflicts with the Agreement on processing of personal data, this DPA controls. The Agreement's liability limitations, governing law, and dispute provisions apply to this DPA except where data-protection law requires otherwise.

Privacy, DPA, and transfer-information requests may be sent to contact@rylvo.com with the subject line ‘DPA request’. Customers needing a separately signed copy should use the same address and subject line.