Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Digitlify Inc. (“Processor”, “we”) and the customer (“Controller”, “you”) and governs the processing of personal data by Digitlify on behalf of the customer.

• Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
• Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
• Sub-processor: Any third party engaged by Digitlify to process personal data on behalf of the customer.
• Data Protection Laws: All applicable data protection and privacy laws, including GDPR (EU), CCPA (California), and equivalent regulations in other jurisdictions.

Digitlify processes personal data solely for the purpose of providing Digitlify platform services. The categories of personal data processed may include:

• Account information (name, email, organization)
• Usage data (platform interactions, agent deployment logs)
• Workspace data (content created or processed by AI agents on your behalf)

Digitlify does not sell personal data. We do not use customer data for training AI models unless explicitly authorized by the customer in writing.

Digitlify will:

• Process personal data only on documented instructions from the customer, unless required by law.
• Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures to protect personal data, including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, and multi-tenant isolation.
• Assist the customer in responding to data subject requests (access, rectification, erasure, portability) within reasonable timeframes.
• Notify the customer of any personal data breach without undue delay and within 72 hours of becoming aware.
• Delete or return all personal data upon termination of the service, at the customer's election, unless retention is required by law.

Digitlify uses the following categories of sub-processors:

• Cloud infrastructure: For hosting and compute services.
• Payment processing: For billing and subscription management.
• Email services: For transactional communications.

We will notify customers of any new sub-processors at least 30 days before they begin processing personal data. Customers may object to a new sub-processor by contacting us within 15 days of notification.

If personal data is transferred outside the customer's jurisdiction, Digitlify will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms recognized by applicable data protection authorities.

Digitlify maintains the following security measures:

• AES-256 encryption at rest for all stored data.
• TLS 1.3 encryption for all data in transit.
• Role-based access control (RBAC) tied to SSO / SAML 2.0 / OIDC identity providers.
• Multi-tenant isolation at the namespace level.
• Regular security assessments and vulnerability scanning.
• Immutable audit logs for all administrative and data access actions.
• Incident response procedures with defined escalation paths.

Digitlify will make available to the customer, upon reasonable request, information necessary to demonstrate compliance with this DPA. The customer may conduct audits, including inspections, directly or through a third-party auditor, subject to reasonable notice and scope limitations.

This DPA is effective for the duration of the customer's use of Digitlify services. Upon termination, Digitlify will delete all personal data within 90 days, except where retention is required by applicable law. Customers may request earlier deletion by contacting privacy@digitlify.com.

For questions about data processing or to exercise your rights under this DPA, contact us at privacy@digitlify.com.