Data Processing Addendum

Effective 2026-05-27 · v1.0

Definitions

"Controller" means the SayaOps customer that determines the purposes and means of processing personal data. "Processor" means SayaOps, Inc., which processes personal data on the Controller's behalf. "Personal data", "data subject", "processing", "supervisory authority", and "sub-processor" have the meanings given in the GDPR (Regulation (EU) 2016/679). "Services" means the SayaOps accounts payable (AP) automation platform as described in the Terms of Service. This DPA is incorporated into and subject to the Terms of Service; in case of conflict, this DPA prevails with respect to personal data.

Processing

SayaOps processes personal data solely to provide the Services as instructed by the Controller, and only for the purposes described in the Privacy Policy and these terms. In particular, SayaOps will not use personal data to train AI models or for advertising. The subject matter, nature, purpose, and duration of processing are: invoice and financial document processing (including vendor personal data such as names, addresses, EINs, and bank details) for the duration of the subscription. All SayaOps personnel who access personal data are bound by confidentiality obligations.

Security

SayaOps implements technical and organisational measures including: AES-256 encryption at rest with per-tenant key isolation; TLS 1.3 for all data in transit; row-level security at the PostgreSQL layer preventing cross-tenant access; role-based access control (RBAC) following least privilege; multi-factor authentication for administrative access; automated vulnerability scanning; and quarterly access reviews. A SOC 2 Type II audit is in progress. In the event of a personal data breach, SayaOps will notify the Controller within 72 hours of becoming aware of it; the notice will describe the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed.

Sub-processors

SayaOps uses the sub-processors listed on the Security page (ops.saya-io.com/security) to operate the Services. SayaOps will notify Controllers 30 days in advance of adding any new sub-processor. Controllers may object to a new sub-processor within 14 days of notice; if the objection cannot be resolved, the Controller may terminate the subscription and receive a pro-rata refund. All sub-processors are bound by data processing terms at least as protective as this DPA.

Data subject rights

SayaOps will assist the Controller in fulfilling data subject requests (access, rectification, erasure, restriction, portability, and objection) under GDPR, CCPA, and other applicable law. SayaOps will forward any requests received directly from data subjects to the Controller within 5 business days. The Controller remains responsible for responding to data subjects. Account owners can delete users and export data via the Settings panel. For erasure requests that require deletion beyond the self-serve tools, email privacy@saya-io.com.

International transfers

SayaOps primarily processes data in the United States. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the US, SayaOps relies on the EU Standard Contractual Clauses (Module Two: controller to processor, Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA. Customers requiring a separately signed DPA or specific SCC documentation may request one at legal@saya-io.com. EU data residency is available on Growth and Enterprise plans for customers who need data to remain within the EEA.