[!NOTE]
This DPA supplements Summya's Terms and Conditions and applies when the customer processes personal data of EU/EEA, UK, Brazil, or other jurisdiction citizens requiring a formal data processing agreement.
1. Definitions
For the purposes of this Agreement:
"Controller": The client entity that determines the purposes and means of processing Personal Data.
"Processor": Summya S.A.S., which processes Personal Data on behalf of the Controller.
"Sub-Processor": Any third party engaged by Summya to assist in processing Personal Data.
"Personal Data": Any information relating to an identified or identifiable natural person.
"Security Incident": Any breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of Personal Data.
2. Purpose and scope of processing
Summya processes Personal Data solely:
According to the Controller's documented instructions.
To the extent necessary to provide the contracted services.
In compliance with applicable data protection regulations.
The Controller warrants that it has a valid legal basis for transferring Personal Data to Summya for processing.
3. Summya obligations as Processor
Summya commits to:
Process Personal Data only in accordance with the Controller's documented instructions.
Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR.
Respect the conditions for engaging another Processor (Sub-Processor).
Assist the Controller, to the extent possible, in responding to data subject rights requests.
Assist the Controller in ensuring compliance with security obligations, breach notification, and impact assessments.
Delete or return all Personal Data to the Controller upon termination of services, as elected by the Controller.
Make available to the Controller all information necessary to demonstrate compliance with Processor obligations.
4. Authorized Sub-Processors
The Controller authorizes the use of the following Sub-Processors. Summya will provide reasonable advance notice of any changes to this list:
| Sub-Processor | Country | Service |
|---------------|---------|---------|
| Google Cloud (GCP) | U.S. / Global | Cloud infrastructure, compute, storage |
| Firebase / Google | U.S. | Authentication, real-time database |
| Stripe, Inc. | U.S. | Payment processing |
| Anthropic / OpenAI | U.S. | AI models (prompt processing) |
| PostHog, Inc. | U.S. / EU | Product analytics |
All Sub-Processors are subject to data protection obligations equivalent to those set out in this DPA.
5. International transfers
International transfers of Personal Data outside the EEA, UK, or Brazil will be carried out under appropriate transfer mechanisms, including:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions issued by competent authorities.
Additional safeguards implemented by certified Sub-Processors.
6. Technical and organizational security measures
Summya implements the following security measures:
6.1 Technical measures
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control (RBAC) with least-privilege principle.
Multi-factor authentication (MFA) for critical access.
Network and environment segmentation (production, staging, development).
Periodic risk assessments and penetration testing.
7. Security incident notification
In the event of a Security Incident affecting the Controller's Personal Data:
Summya will notify the Controller without undue delay and, in any case, within 72 hours of becoming aware of the incident (where GDPR/LGPD applies).
The notification will include: description of the nature of the incident, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.
8. Data subject rights
Summya will assist the Controller, through appropriate technical and organizational measures, in responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction of processing).
9. Audits and verifications
The Controller has the right to:
Request information to verify compliance with this DPA.
Conduct or commission audits, with reasonable prior notice and without disrupting Summya's operations.
Review relevant security certifications of Summya and its Sub-Processors.
10. Term and termination
This DPA takes effect on the date of subscription to the service contract and remains in force for the duration of the services. Upon termination, Summya will return or delete Personal Data within 30 days, unless applicable law requires retention for a longer period.
11. DPA contact
For requests related to this DPA, the Controller should contact:
Summya S.A.S. — Data Protection Officer
Email: dpo@summya.com
Form: /en/contacto