Data processing agreement.

How Aidey processes personal data on behalf of clients across customer experience, technical success, customer success, sales and back-office operations.

This page sets out Aidey's standard Data Processing Agreement terms. A countersigned copy is attached to the Master Services Agreement or Statement of Work between Aidey and the Client and prevails over this page in case of conflict. For a countersigned copy or the current sub-processor list, contact info@aidey.net.

1. Overview and scope

This Data Processing Agreement ("DPA") describes the terms on which Aidey processes Personal Data on behalf of a Client in connection with the customer experience, technical success, customer success, sales and back-office operations services Aidey provides (the "Services").

This page sets out Aidey's standard DPA terms. A countersigned copy is attached to the Master Services Agreement ("MSA") or Statement of Work ("SOW") between Aidey and the Client. Where this page conflicts with a signed DPA, MSA, SOW or Order Form, the signed document prevails.

This DPA does not apply to personal information Aidey collects directly from visitors to aidey.net or from prospects and applicants — that information is handled as described in our Privacy Policy.

2. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Sub-Processor" and "Data Subject" have the meanings given to them under applicable data protection laws, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA") and the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) ("Applicable Data Protection Law").

"Client Personal Data" means Personal Data that Aidey processes on behalf of the Client to provide the Services.

"Security Incident" means a confirmed breach of Aidey's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data processed by Aidey.

3. Roles and responsibilities

For the Services, the Client is the Controller (or, where the Client itself acts as a processor for its end-customers, the Processor) of Client Personal Data, and Aidey is the Processor (or Sub-Processor) acting on the Client's documented instructions.

The Client is responsible for the lawfulness of its instructions, for having the necessary legal bases to share Client Personal Data with Aidey, and for ensuring its end-user notices and consents permit Aidey's processing under this DPA.

Aidey will process Client Personal Data only for the purposes set out in the MSA / SOW and on the Client's documented instructions, including with regard to transfers, unless required to do so by law (in which case Aidey will, where legally permitted, inform the Client of that legal requirement before processing).

4. Details of processing

Subject matter: provision of the Services described in the MSA / SOW (e.g. customer support across email, chat, voice and social; technical triage; onboarding and customer success motions; outbound and inbound sales; back-office and operations tasks).

Duration: for the term of the MSA / SOW plus the retention periods set out in clause 9.

Nature and purpose: receiving, reviewing, responding to and routing communications and tasks; updating records in the Client's CRM, helpdesk, billing and operations systems; producing reports; assisting with quality assurance and AI feedback loops where agreed.

Categories of Data Subjects: the Client's end-customers, prospects, account holders, applicants, users, and the Client's own personnel where they appear in tickets, calls or workflows.

Categories of Personal Data: typically contact identifiers (name, email, phone), account identifiers and metadata, content of customer messages and call recordings (where the Client enables recording), order, billing and transaction metadata, support and CRM metadata. Special category data is not requested and should not be routed to Aidey unless expressly agreed in the SOW with appropriate safeguards.

5. Personnel and confidentiality

Aidey ensures that personnel authorized to process Client Personal Data are bound by written confidentiality obligations, receive data protection and security awareness training, and access Client Personal Data only on a need-to-know basis to perform the Services.

6. Security measures

Aidey implements and maintains appropriate technical and organizational measures designed to protect Client Personal Data against the risks described in Applicable Data Protection Law. These measures include, as relevant to a given engagement: role-based access controls and least-privilege provisioning; multi-factor authentication for systems that handle Client Personal Data; encryption in transit; secure managed devices for agents handling Client Personal Data; logging and monitoring; vendor and tool review; documented onboarding and offboarding for personnel; and an incident response process.

The specific control set applied to an engagement depends on the systems Aidey accesses on the Client's behalf and on the requirements set out in the MSA / SOW. Aidey periodically reviews and updates these measures and may replace controls with materially equivalent or stronger measures.

7. Sub-processors

The Client provides general authorization for Aidey to engage Sub-Processors to support the Services, including (a) cloud, communications, helpdesk, CRM, workforce-management and quality-assurance providers selected by the Client and to which Aidey is given access, and (b) infrastructure, productivity, communications and security providers used by Aidey to operate its business.

Where Aidey selects a Sub-Processor that processes Client Personal Data on Aidey's behalf, Aidey will impose data protection obligations on that Sub-Processor that are no less protective than those set out in this DPA, and Aidey remains liable for the acts and omissions of its Sub-Processors as if they were its own.

A current list of Aidey-selected Sub-Processors and the mechanism for notifying changes are provided to the Client on request to info@aidey.net. The Client may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection.

8. International transfers

Aidey operates primarily from the Republic of the Philippines and may access Client Personal Data from that jurisdiction. Where Client Personal Data originating in the European Economic Area, the United Kingdom or Switzerland is processed in a country that has not been recognized as providing an adequate level of protection, the parties will rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed using the information set out in the MSA / SOW.

9. Retention and deletion

Aidey processes Client Personal Data only for as long as needed to provide the Services. On termination of the MSA / SOW, Aidey will, at the Client's election, return or delete Client Personal Data in its possession within a reasonable period (typically thirty (30) days), except where retention is required by applicable law or for backup, audit, accounting or dispute-resolution purposes, in which case the retained data remains subject to this DPA.

Most Client Personal Data lives in systems owned and controlled by the Client; Aidey's deletion obligation in those systems is limited to ceasing access and removing copies that Aidey itself created (e.g. exports stored for reporting or QA).

10. Data subject requests

Aidey will, taking into account the nature of the processing, provide reasonable assistance to the Client to enable it to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability and objection.

If Aidey receives a Data Subject request directly relating to the Services, Aidey will, unless prohibited by law, promptly forward it to the Client and will not respond to the request itself except on the Client's documented instructions.

11. Security incidents

Aidey will notify the Client without undue delay after becoming aware of a Security Incident affecting Client Personal Data, and in any event within a timeframe consistent with Applicable Data Protection Law. The notification will include the information reasonably available to Aidey at the time, supplemented as the investigation progresses, to enable the Client to meet its own notification obligations.

Aidey will take reasonable steps to investigate, contain and mitigate the Security Incident and will cooperate with the Client's reasonable requests for information related to it. Aidey's notification of, or response to, a Security Incident is not an acknowledgement of fault or liability.

12. Audits and information rights

Aidey will make available to the Client information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice and no more than once in any twelve-month period (unless required by a regulator or following a Security Incident), the Client or an independent third-party auditor bound by confidentiality obligations may audit Aidey's processing of Client Personal Data, at the Client's expense, during normal business hours and in a manner that does not unreasonably interfere with Aidey's operations.

13. Data protection impact assessments

On the Client's request, Aidey will provide reasonable assistance to the Client with any data protection impact assessment and prior consultation with a supervisory authority that the Client is required to carry out under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Aidey.

14. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the MSA. Nothing in this DPA limits a party's liability to the extent it cannot be limited under Applicable Data Protection Law.

15. Term and survival

This DPA takes effect on the date the related MSA / SOW takes effect and remains in force for as long as Aidey processes Client Personal Data on behalf of the Client. Provisions that by their nature should survive termination — including those relating to confidentiality, security, deletion and liability — will so survive.

16. Governing law

This DPA is governed by the laws specified in the MSA. If the MSA does not specify, it is governed by the laws of the Republic of the Philippines.

17. Contact

Requests under this DPA — including for a countersigned copy, the current Sub-Processor list, or to report a security or privacy concern — can be sent to info@aidey.net.