Data Processing Agreement
The terms on which Pyyrah Limited processes personal data on behalf of business Customers. Applies to Customers acting as Data Controllers; most individual creators do not need to sign one.
Use this if you’re a business buying Pyyrah+ access for a team, or processing other people’s personal data through the service. Most individual creators don’t need a DPA, because they are processing only their own data.
Request a counter-signed PDF copy at Legal@pyyrahplus.com.
Parties and scope
This Data Processing Agreement ("DPA") is entered into between Pyyrah Limited (trading as Pyyrah+), a company registered in England and Wales (Company No. 12176473; registered office: 27 Old Gloucester Street, London WC1N 3AX) ("Pyyrah+", "we", "Processor") and the customer identified in the Pyyrah+ account or order (the "Customer", "you", "Controller").
This DPA forms an integral part of the Terms of Sale and the Terms and Conditions (together, the "Principal Agreement"). In the event of conflict, this DPA prevails for matters concerning the processing of Personal Data.
It applies only where the Customer, in using the Pyyrah+ services, processes Personal Data of which the Customer is the Data Controller. It does not apply to Personal Data Pyyrah+ collects in its own right (governed by our Privacy Policy).
Definitions
Capitalised terms have the meanings given in the UK GDPR and the Data Protection Act 2018, and where applicable the EU GDPR (Regulation (EU) 2016/679). In particular:
- Personal Data, Data Subject, Processing, Data Controller, Data Processor, Sub-processor · as defined in UK GDPR Article 4.
- Personal Data Breach · a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Applicable Data Protection Laws · UK GDPR, Data Protection Act 2018, EU GDPR where it applies, and any subordinate or successor laws.
Subject matter, nature and purpose of processing
Subject matter: processing of Personal Data necessary to provide the Pyyrah+ services (the Viral Growth System for Instagram course and associated tools) to the Customer.
Nature of processing: hosting, access provisioning, authentication, transactional communications, customer support, and (where applicable) audience-analysis features that ingest Customer-supplied data.
Purpose: performance of the Principal Agreement; compliance with legal obligations; protection of legitimate interests of both parties.
Duration: for the term of the Principal Agreement, plus the retention periods set out in this DPA and our Privacy Policy.
Categories of Data Subjects and Personal Data
Data Subjects:
- The Customer’s employees, contractors or team members granted access to the Pyyrah+ services.
- The Customer’s clients, audience members, prospects or contacts whose data is uploaded or analysed within the services.
Personal Data:
- Identifying data: name, email, role, organisation.
- Account data: login credentials, IP, device, session metadata.
- Content data: any text, image, URL, social handle, or audience metric the Customer voluntarily uploads to the services.
- Transactional data: order, billing identifier (note: payment-card details are processed by Stripe directly and are not held by Pyyrah+).
Special-category Personal Data should not be uploaded. The Customer is responsible for ensuring no special-category or unlawful data is submitted.
Pyyrah+ obligations as Processor
Pyyrah+ shall:
- Process Personal Data only on the Customer’s documented instructions, unless required by UK or EU law (in which case Pyyrah+ shall inform the Customer where legally permitted).
- Ensure personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures (see Section 9).
- Assist the Customer with Data Subject rights requests and any required impact assessment.
- Notify the Customer of any Personal Data Breach as set out in Section 11.
- Return or delete Personal Data on termination, subject to any legal retention obligation.
- Make available information necessary to demonstrate compliance with this DPA.
Customer obligations as Controller
The Customer warrants and undertakes that:
- It has a lawful basis under UK GDPR Article 6 (and, where applicable, Article 9) for the processing it instructs Pyyrah+ to carry out.
- It has provided all required notices and obtained all required consents from Data Subjects.
- Its instructions to Pyyrah+ comply with Applicable Data Protection Laws.
- It will not upload to the services any Personal Data it is not lawfully entitled to process, or that includes special-category data, payment-card data, or data of children under 13 (UK) / 16 (EU) without explicit consent.
The Customer indemnifies Pyyrah+ against losses arising from breach of these warranties, subject to the limits in the Principal Agreement.
Sub-processors
The Customer provides general authorisation for Pyyrah+ to engage Sub-processors. The current list is maintained at pyyrahplus.com/sub-processors and forms part of this DPA.
Pyyrah+ will give at least 30 days’ prior notice of intended changes via that page. The Customer may object on reasonable data-protection grounds within 14 days. If the parties cannot agree, the Customer’s sole remedy is to terminate the affected services with a pro-rata refund.
Pyyrah+ remains liable for the acts and omissions of its Sub-processors to the same extent as for its own acts and omissions under this DPA.
International data transfers
Where Personal Data is transferred outside the United Kingdom or European Economic Area, Pyyrah+ relies on one or more of the following safeguards:
- Adequacy regulations (UK) or adequacy decisions (EU) where the destination country offers adequate protection.
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
- EU SCCs (Commission Implementing Decision (EU) 2021/914) where the transfer is from the EEA.
- Other lawful transfer mechanisms recognised by the ICO or competent EU authority.
Technical and organisational measures
Pyyrah+ implements measures appropriate to the risk, including:
- Encryption in transit · TLS 1.2 or higher for all public endpoints.
- Encryption at rest · provider-side disk encryption on hosted infrastructure.
- Access control · role-based access, least privilege, MFA on administrative accounts.
- Authentication · hashed credentials, session expiry, suspicious-activity detection.
- Network security · cloud-provider firewalls, DDoS mitigation, environment isolation.
- Backups · regular backups with restore testing.
- Vendor management · Sub-processor due diligence and contractual data-protection terms.
- Incident response · documented procedure and breach-notification process.
- Staff training · data-protection and security awareness for personnel with access to Personal Data.
Data Subject rights assistance
Pyyrah+ shall assist the Customer, taking into account the nature of processing and information available, in fulfilling the Customer’s obligations to respond to requests under UK GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
Where a Data Subject submits a request directly to Pyyrah+ in relation to Personal Data processed on behalf of the Customer, Pyyrah+ will refer them to the Customer and not respond directly, except to acknowledge.
Personal Data Breach notification
Pyyrah+ shall notify the Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notification will include, to the extent known:
- The nature of the breach, categories and approximate number of Data Subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to address the breach.
- Contact information for further enquiries.
The Customer remains responsible for any onward notification to supervisory authorities or Data Subjects, as required by Applicable Data Protection Laws.
Audit rights
Pyyrah+ shall make available to the Customer, on reasonable request, the information necessary to demonstrate compliance with this DPA. This may include security questionnaires, summaries of independent assessments, and documented policies.
Where further information is reasonably required, the parties shall agree the scope, timing and confidentiality conditions of an audit. Audits shall:
- Occur no more than once per 12-month period (except after a breach or supervisory-authority instruction).
- Be conducted on at least 30 days’ prior written notice.
- Not unreasonably disrupt Pyyrah+’s operations.
- Be at the Customer’s cost (subject to identified non-compliance).
Term, termination, return and deletion
This DPA continues for the term of the Principal Agreement and for as long as Pyyrah+ processes Personal Data on the Customer’s behalf.
On termination, and at the Customer’s choice, Pyyrah+ shall return or delete all Personal Data processed on behalf of the Customer within 60 days, unless storage is required by UK or EU law. Standard backups are overwritten in the ordinary course.
Liability and governing law
Each party’s liability under this DPA is subject to the limitations and exclusions in the Principal Agreement. Nothing in this DPA limits liability that cannot be limited by law (e.g., for death, personal injury, fraud, or statutory rights of Data Subjects).
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, save for proceedings a Data Subject is entitled to bring elsewhere under Applicable Data Protection Laws.
Contact
For DPA-related questions or to request a counter-signed copy:
Pyyrah Limited (trading as Pyyrah+)
27 Old Gloucester Street, London WC1N 3AX, United Kingdom
Company No. 12176473
Email: Legal@pyyrahplus.com
Privacy queries: Privacy@pyyrahplus.com