privyr
Data Processing Addendum (DPA)
Last Updated: April 22, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Privyr Pte. Ltd. (“Privyr”, “Processor”) and the customer entity using the Privyr services (“Customer”, “Controller”).
If Customer is subject to the European Union General Data Protection Regulation (“GDPR”), UK GDPR, or similar applicable data protection laws, this DPA is automatically incorporated into and forms part of the agreement governing Customer’s use of the Privyr services, including acceptance through online registration, account signup, order form execution, or continued use of the services.
This DPA applies where Privyr processes Personal Data on behalf of Customer in connection with providing the Privyr services.
1. Roles of the Parties
Customer acts as the Controller of Personal Data processed through the Privyr platform.
Privyr acts as a Processor processing Personal Data on behalf of Customer in connection with providing the Privyr services.
2. Scope of Processing
Privyr may process Personal Data submitted by Customer through the services, including but not limited to:
- Names
- Phone numbers
- Email addresses
- Lead and customer information
- Communications and messages
- Notes and related CRM records
- Uploaded content and attachments
Processing activities may include collection, storage, organization, retrieval, transmission, deletion, analytics, customer support operations, and other activities reasonably necessary to provide the services.
3. Customer Responsibilities
Customer is responsible for:
- Ensuring it has a lawful basis to collect and process Personal Data submitted to Privyr
- Providing any notices or obtaining any consents required under applicable law
- Ensuring its use of the services complies with applicable data protection laws
- Determining the categories of Personal Data processed through the services
Customer acknowledges that Privyr does not determine the purposes or means of processing Customer Data submitted through the services.
4. Processor Obligations
Privyr shall:
- Process Personal Data only on documented instructions from Customer as reflected through Customer’s use of the services
- Ensure persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures designed to protect Personal Data
- Provide reasonable assistance to Customer in responding to lawful requests relating to Personal Data where reasonably possible
- Notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Data
5. Security Measures
Privyr maintains reasonable technical and organizational safeguards designed to protect Personal Data, including:
- Encryption in transit using HTTPS/TLS
- Encryption at rest where applicable
- HTTP Strict Transport Security (HSTS)
- Access controls and least-privilege access practices
- Audit logging for administrative and manual actions
- Infrastructure hosted on reputable cloud providers
Authorized Privyr personnel may access Customer Data only where necessary for support, troubleshooting, security, service operations, or customer-requested assistance.
6. Subprocessors
Customer authorizes Privyr to engage the following Subprocessors in connection with providing the services:
| Subprocessor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, and application delivery |
| Google Cloud Platform (GCP) | Analytics and limited infrastructure services |
| Cloudflare | Content delivery, DNS, performance, and security services |
| Intercom | Customer support and customer communication services |
| Elasticsearch | Search indexing and data retrieval services |
Privyr may update or replace Subprocessors from time to time as reasonably necessary to operate the services.
Privyr remains responsible for the performance of its Subprocessors to the extent required under applicable law.
7. International Data Transfers
Customer Data is stored and processed in Singapore, on Amazon Web Services infrastructure located in the ap-southeast-1 (Singapore) region. Some Subprocessors listed in Section 6 may process limited data in other regions as necessary to provide their respective services; where this occurs, Privyr ensures appropriate transfer mechanisms are in place.
Where Personal Data originating from the European Economic Area ("EEA") or United Kingdom is transferred to Privyr in Singapore, such transfers are governed by the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914. Module Two (Controller to Processor) applies. The details of the transfer are set out in Annex I and the applicable technical and organisational measures in Annex II, both of which form part of this DPA.
By accepting this DPA, both parties are deemed to have executed the Standard Contractual Clauses, with Customer acting as data exporter and Privyr acting as data importer.
The official text of the Standard Contractual Clauses is available at commission.europa.eu and is incorporated into this DPA without modification except as permitted under the clauses themselves.
8. Data Subject Requests
Taking into account the nature of processing, Privyr shall provide reasonable assistance to Customer in responding to requests from data subjects relating to access, deletion, correction, portability, restriction, or objection rights under applicable data protection laws.
Customer remains responsible for independently responding to data subject requests where required under applicable law.
9. Deletion and Return of Data
Upon termination of the services or Customer request, Privyr shall delete Customer Data from active systems within a reasonable timeframe, except where retention is required by law or where limited retention occurs in secure backups for operational continuity purposes.
Customer may export certain Customer Data using features provided within the Privyr platform.
10. Limitation of Liability
To the extent permitted by applicable law, the liability of each party arising under this DPA shall be subject to the limitations and exclusions of liability set forth in the applicable agreement governing the use of the services.
11. Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the applicable agreement between the parties unless otherwise required by applicable data protection law.
12. Contact
Questions regarding this DPA or Privyr’s data protection practices may be directed to:
[email protected]
Privyr Pte. Ltd.
36 Robinson Rd
Singapore 068877
Annex I — Details of Processing
A. List of Parties
Data Exporter: The Customer, as identified in the Privyr account or applicable agreement. Customer acts as Controller of Personal Data processed through the Privyr services.
Data Importer: Privyr Pte. Ltd., 36 Robinson Rd, Singapore 068877. Privyr acts as Processor of Personal Data on behalf of Customer in connection with providing the Privyr services.
B. Description of Transfer
| Field | Detail |
|---|---|
| Categories of data subjects | Leads, prospects, and customers of Controller |
| Categories of personal data | Names, phone numbers, email addresses, lead and customer information, communications and messages, notes and related CRM records |
| Sensitive data | None intended. Customer shall not submit special category data unless agreed in writing |
| Frequency of transfer | Continuous, for the duration of the services |
| Nature of processing | Collection, storage, organisation, retrieval, transmission, deletion, and other activities reasonably necessary to provide the services |
| Purpose of transfer | To enable Customer to manage lead follow-up and customer communications through the Privyr services |
| Retention period | For the duration of the services, and deleted within a reasonable timeframe following termination or Customer request, except where retention is required by law |
C. Competent Supervisory Authority
The supervisory authority of the EU member state in which Customer is established, or where the relevant data subjects are located.
Annex II — Technical and Organisational Measures
Privyr maintains reasonable technical and organizational safeguards designed to protect Personal Data, including:
| Measure | Detail |
|---|---|
| Encryption in transit | HTTPS/TLS enforced across all services; HTTP Strict Transport Security (HSTS) enabled |
| Encryption at rest | Encryption at rest applied where applicable |
| Access controls | Access controls and least-privilege access practices; administrative access limited to authorised Privyr personnel where necessary for support, troubleshooting, security, service operations, or customer-requested assistance |
| Audit logging | Audit logging for administrative and manual actions |
| Personnel | Persons authorised to process Personal Data are subject to confidentiality obligations |
| Sub-processors | Subprocessors are required to implement appropriate technical and organisational measures consistent with this Annex |
| Infrastructure | Infrastructure hosted on reputable cloud providers, primarily within Singapore |