1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Customer (the "Controller") — the entity that signed up for the Service
- Byro (the "Processor") — the provider of the Service
This DPA applies to processing of Personal Data by the Processor on behalf of the Controller in connection with the Service. It supplements but does not replace the Terms of Service; in case of conflict on data protection matters, this DPA prevails.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person
- Processing — any operation performed on Personal Data (collection, storage, modification, disclosure, deletion, etc.)
- Data Subject — the individual whose data is processed (typically Customer's employees, suppliers, customers)
- Sub-processor — any third party engaged by Processor to process Personal Data
- Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to international transfers
- Ensure that personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 7)
- Engage sub-processors only on the conditions in Section 5
- Assist the Controller in responding to Data Subject rights requests
- Notify the Controller without undue delay (within 72 hours) of becoming aware of a Personal Data Breach
- At the Controller's choice, delete or return all Personal Data after end of services and delete existing copies
- Make available all information necessary to demonstrate compliance with this DPA
4. Controller Obligations
The Controller shall:
- Have a lawful basis for collecting and uploading Personal Data into the Service
- Provide all required notices to Data Subjects (e.g. employees) about the processing
- Respond to Data Subject rights requests directed to the Controller
- Use the Service in accordance with applicable data protection law
5. Sub-processors
The Controller authorizes the Processor to engage sub-processors as listed at /sub-processors. The Processor shall:
- Provide at least 30 days' notice (via email and the sub-processors page) before engaging a new sub-processor
- Impose data protection obligations on each sub-processor that are no less protective than this DPA
- Remain liable for the acts and omissions of its sub-processors
The Controller may object to a new sub-processor in writing within the notice period. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected service with prorated refund of pre-paid fees.
6. International Data Transfers
Personal Data is stored in the AWS region selected at signup (UAE Bahrain by default for GCC customers, Mumbai for Pakistan, EU Ireland for others). Where data crosses borders, the parties agree that:
- For transfers from EU/UK: the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference
- For transfers within GCC: the parties rely on contractual safeguards in this DPA
- For transfers from Pakistan: pending finalization of the Personal Data Protection Bill, the parties rely on this DPA's safeguards
The Processor will not transfer Personal Data to a country lacking adequate protection without first implementing appropriate safeguards (typically SCCs).
7. Security Measures
The Processor implements (at minimum) the following technical and organizational measures:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Field-level encryption for highly sensitive data (bank IBANs, etc.)
- Strict access controls with role-based permissions and audit logging of every privileged action
- Multi-factor authentication for administrator accounts
- Automated daily backups with point-in-time recovery (30-day window)
- Regular security testing including dependency scanning and (planned) annual penetration testing
- Documented incident response procedures
- Personnel security: confidentiality undertakings; data protection training
The full security posture is described at /security. Annex 1 of any signed DPA counterpart will list the measures in effect at signing date.
8. Data Subject Rights Requests
Where a Data Subject contacts the Processor directly with a rights request (access, erasure, rectification, portability, etc.), the Processor will:
- Promptly forward the request to the Controller without responding to the Data Subject directly
- Provide reasonable assistance to the Controller in fulfilling the request, where the Processor is technically able to do so
9. Personal Data Breach Notification
The Processor will notify the Controller of any confirmed Personal Data Breach affecting Customer's data without undue delay and in any event within 72 hours of becoming aware. The notification will include:
- Nature of the breach (categories and approximate number of Data Subjects affected)
- Likely consequences
- Measures taken or proposed to address it
- Contact details for follow-up
The Processor will provide reasonable assistance to the Controller in meeting any legal obligation to notify supervisory authorities or affected Data Subjects.
10. Audit Rights
Once per 12-month period, on at least 30 days' written notice, the Controller (or an independent third-party auditor bound to confidentiality) may audit the Processor's compliance with this DPA. Audits shall be conducted during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations, and at the Controller's expense.
The Processor may satisfy audit requests by providing relevant third-party certifications (SOC 2, ISO 27001 when achieved) or summary audit reports in lieu of an on-site audit.
11. Return and Deletion of Data
Within 90 days of termination of the Service, the Processor shall — at the Controller's choice — return or delete all Personal Data. The Processor will provide written confirmation of deletion. Backups will be deleted on the rolling 30-day backup expiry cycle.
12. Liability
Each party's liability under this DPA shall be subject to the same limitations and exclusions as set out in the Terms of Service, except where applicable law (e.g. GDPR Article 82) requires direct liability of processors to data subjects.
13. General
This DPA is incorporated into and forms part of the Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.
For a signed counterpart of this DPA, contact legal@byro.io.