Back to Wyra

Data Processing Agreement

This DPA sets out the terms under which Wyra AI, Inc. processes personal data on behalf of the Customer. It satisfies Wyra's obligations as a data processor under GDPR, CCPA/CPRA, and other applicable data protection laws.

Last updated: Version 1.0 — Effective Date: April 2026 — Governing Law: State of Delaware, USA

The Parties

Data Processor: Wyra AI, Inc., a Delaware corporation | 633 3rd Avenue, Suite 19F, New York, NY 10017 | privacy@wyra.ai ("Wyra")

Data Controller: The Customer identified in the signature block, being the entity that has subscribed to the Wyra platform or engaged Wyra for managed services ("Customer").

This DPA is incorporated into and forms part of Wyra's Terms of Service (wyra.ai/terms) and any applicable EULA or Master Services Agreement executed between the Parties. By accessing the Wyra platform or accepting Wyra's Terms of Service, Customer agrees to be bound by the terms herein.

1. Definitions

  • Applicable Data Protection Law: all data protection and privacy laws applicable to the processing of personal data under this DPA, including GDPR, CCPA/CPRA, CASL, the UK GDPR, and equivalent national or state laws.
  • CCPA/CPRA: the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020.
  • Customer Data: all personal data uploaded, input, or transmitted to the Wyra platform by Customer or processed by Wyra on Customer's behalf in connection with the Services, including prospect data, contact data, conversation histories, and campaign outputs.
  • Data Controller: the entity that determines the purposes and means of processing personal data. Under this DPA, Customer is the Data Controller.
  • Data Processor: the entity that processes personal data on behalf of the Data Controller. Under this DPA, Wyra is the Data Processor.
  • Data Subject: a natural person whose personal data is processed under this DPA, including Customer's employees, administrators, and prospect contacts.
  • GDPR: the EU General Data Protection Regulation 2016/679, as implemented in member states of the European Economic Area.
  • Personal Data: any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
  • Processing: any operation performed on personal data, including collection, storage, use, disclosure, transfer, and deletion.
  • SCCs: the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914).
  • Security Incident: any confirmed or reasonably suspected unauthorised access to, disclosure of, loss of, or destruction of Customer Data that constitutes a personal data breach as defined under Applicable Data Protection Law.
  • Services: the Wyra platform and managed outreach services made available to Customer under the Terms of Service, EULA, or Master Services Agreement.
  • Sub-processor: any third party engaged by Wyra that processes Customer Data in connection with the Services.
  • UK GDPR: the UK General Data Protection Regulation as retained in UK law under the European Union (Withdrawal) Act 2018.

2. Scope and Processing Instructions

2.1 Scope of Processing. This DPA applies to all personal data processed by Wyra on Customer's behalf in connection with the Services. The categories of personal data, data subjects, processing purposes, and retention periods are set out in Annex I.

2.2 Processing on Instructions. Wyra shall process Customer Data only on Customer's documented instructions, as set out in this DPA, the Terms of Service, and Customer's configuration of the Services.

2.3 Lawfulness of Instructions. Customer warrants that its instructions are, and shall remain, lawful and compliant with Applicable Data Protection Law. If Wyra believes an instruction would infringe Applicable Data Protection Law, Wyra will promptly notify Customer. Wyra shall not be required to follow instructions it reasonably believes are unlawful.

2.4 Purpose Limitation. Wyra shall not process Customer Data for any purpose other than delivering the Services. Wyra shall not process Customer Data for its own commercial purposes, sell Customer Data to third parties, or retain, use, or disclose Customer Data outside the scope of this DPA.

2.5 No AI Training on Customer Data. Wyra does not use Customer Data to train, fine-tune, or improve any foundation AI model or general-purpose machine learning model. Wyra may use aggregated, anonymised, or de-identified data to improve platform performance, provided such use cannot identify Customer or any individual data subject.

3. Confidentiality

Wyra shall ensure that all personnel authorised to process Customer Data are bound by appropriate confidentiality obligations and have received training on applicable data protection requirements. Access to Customer Data is granted on a need-to-know basis and restricted to personnel who require access to perform the Services.

4. Security Measures

4.1 Technical and Organisational Measures. Wyra implements and maintains appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are set out in Annex II and are reviewed and updated regularly.

4.2 Updates to Security Measures. Wyra may update its security measures provided that any update does not materially reduce the overall level of protection. Wyra will document material updates and make summary information available to Customer upon request.

4.3 Access Controls for Sensitive Credentials. Where Customer provides LinkedIn credentials to enable LinkedIn outreach functionality, Wyra stores such credentials in encrypted form using AES-256 encryption at rest. Access is restricted to automated systems required for outreach execution. No Wyra personnel access decrypted credentials except under documented break-glass procedures, subject to audit logging. Credentials are permanently deleted within 30 days of Customer disconnecting the LinkedIn integration or terminating the Services.

5. Sub-processor Management

5.1 General Authorisation. Customer provides Wyra with general authorisation to engage Sub-processors to assist in delivering the Services. The current list of Sub-processors is set out in Annex III and is available upon written request to privacy@wyra.ai.

5.2 Notification of Changes. Wyra will notify Customer of any material addition or replacement of Sub-processors that will have access to Customer Data via the email address on Customer's account or by publishing a notice at wyra.ai/dpa.

5.3 Objection Rights. If Customer has a reasonable and documented data protection objection to a new Sub-processor, Customer shall notify Wyra within 15 days. If the Parties cannot resolve the objection within 30 days, Customer may terminate the affected Services without penalty by providing 30 days' written notice, with a pro-rata refund of prepaid fees for the unused portion.

5.4 Sub-processor Obligations. Wyra imposes data protection obligations on each Sub-processor no less protective than those in this DPA. Wyra remains liable to Customer for Sub-processors' acts and omissions with respect to Customer Data.

5.5 Large Platform Vendors. Customer acknowledges that Wyra contracts with large platform vendors (including AWS, Anthropic, Google Cloud, and Twilio) as a customer of their standard services. Wyra discloses these vendors in Annex III. Wyra does not require these vendors to countersign this DPA.

6. Data Subject Rights

6.1 Assistance Obligation. Wyra shall assist Customer with appropriate technical and organisational measures to fulfil Customer's obligations to respond to Data Subject requests exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

6.2 Forwarding Requests. If Wyra receives a Data Subject request directly relating to Customer Data, Wyra shall promptly forward it to Customer without responding to the Data Subject directly, unless required by Applicable Data Protection Law. Customer is responsible for responding within the required timelines.

6.3 Submission of Requests. Data Subject requests relating to Customer Data should be submitted by Customer to privacy@wyra.ai with the subject line "Data Subject Request." Wyra will acknowledge receipt within five (5) business days.

7. Security Incident Notification

7.1 Notification Obligation. Without undue delay, and no later than 72 hours after becoming aware of a Security Incident affecting Customer Data, Wyra shall notify Customer.

7.2 Content of Notification. Wyra's notification shall include, to the extent available: the nature of the Security Incident including categories and approximate number of affected data subjects and records; contact details for Wyra's data protection contact (privacy@wyra.ai); likely consequences; and measures taken or proposed to address the incident.

7.3 Customer Notification Obligations. Customer is responsible for any notifications to Data Subjects, supervisory authorities, or other third parties required by Applicable Data Protection Law. Wyra shall cooperate reasonably with Customer in fulfilling these obligations.

8. Data Protection Impact Assessments and Prior Consultation

To the extent required under Applicable Data Protection Law, Wyra shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and information available to Wyra. Such assistance shall be provided in response to Customer's written request and at Customer's reasonable expense for effort beyond standard documentation already maintained by Wyra.

9. Return and Deletion of Customer Data

9.1 On Termination. Upon termination or expiration of the applicable service agreement, Wyra shall make Customer Data available for export for 30 days following the termination date. Customer is solely responsible for exporting its data within this period.

9.2 Deletion. Following the export period (or upon Customer's earlier written request), Wyra shall permanently delete all Customer Data within 30 days, unless retention is required by applicable law. Wyra shall provide written confirmation of deletion upon Customer's request.

9.3 Backup Retention. Deleted Customer Data may persist in Wyra's automated backup systems for up to an additional 60 days, after which it will be permanently overwritten. Wyra will not use backup copies for any purpose other than disaster recovery.

9.4 Earlier Deletion Request. Customer may request permanent deletion at any time by submitting a written request to privacy@wyra.ai with the subject line "Data Deletion Request." Deletion is completed within 30 days of a verified request and is irreversible.

10. Audit Rights

10.1 Compliance Information. Upon Customer's reasonable written request (no more than once per calendar year unless a Security Incident has occurred), Wyra shall provide information reasonably necessary to demonstrate compliance with this DPA, including security documentation and current SOC 2 reports if available.

10.2 Third-Party Audits. Wyra's SOC 2 Type I or Type II audit report shall satisfy Customer's right to audit Wyra's security compliance. For Enterprise customers requiring bespoke third-party audits, such audits are available at most once per calendar year, subject to: (a) at least 30 days' prior written notice; (b) execution of a confidentiality agreement; and (c) the audit being conducted at Customer's expense during normal business hours.

10.3 Scope. All audit information is subject to strict confidentiality obligations and may only be used to evaluate Wyra's compliance with this DPA.

11. International Data Transfers

11.1 Transfers to the United States. Wyra is incorporated in Delaware, USA. Processing of Customer Data by Wyra and its Sub-processors occurs primarily in the United States. For transfers of personal data from the EU/EEA or UK to the United States, the Parties rely on the Standard Contractual Clauses (SCCs) set out in Annex IV.

11.2 Standard Contractual Clauses. The EU SCCs (Module 2: Controller to Processor) adopted by the European Commission on 4 June 2021 are incorporated into this DPA by reference. For transfers from the UK, the UK International Data Transfer Addendum (IDTA) applies.

11.3 Adequacy Decisions. Where a valid adequacy decision covers the relevant transfer, Wyra may rely on that decision rather than the SCCs. Wyra will notify Customer if it relies on a different lawful transfer mechanism.

11.4 Transfer Impact Assessments. Upon Customer's reasonable written request, Wyra will provide a summary Transfer Impact Assessment for transfers of Customer Data to the United States or other third countries without an adequacy decision.

12. Customer Obligations as Data Controller

Customer, as Data Controller, is responsible for:

  • Ensuring it has a lawful basis under Applicable Data Protection Law for processing Customer Data and for instructing Wyra to process it.
  • Providing all required notices to Data Subjects regarding processing of their personal data, including the use of third-party processors such as Wyra.
  • Obtaining any required consents from Data Subjects prior to collecting and sharing their personal data with Wyra.
  • Ensuring that all prospect data, contact lists, and other Customer Data shared with Wyra has been lawfully obtained.
  • Configuring the Services in a manner consistent with Customer's obligations under Applicable Data Protection Law.
  • Ensuring all communications sent through the Services comply with applicable anti-spam and electronic communications laws.
  • Maintaining records of processing activities as required by Applicable Data Protection Law.
  • Promptly notifying Wyra if Customer becomes aware of any Data Subject request, supervisory authority inquiry, or complaint relating to Customer Data processed by Wyra.

13. CCPA/CPRA — Service Provider Terms

13.1 Service Provider Status. To the extent that CCPA/CPRA applies, Wyra acts as a "Service Provider" as defined under CCPA/CPRA. Wyra processes Customer Data only for the business purpose of providing the Services and does not sell or share Customer Data.

13.2 Prohibited Uses. Wyra shall not: (a) sell or share Customer Data; (b) retain, use, or disclose Customer Data for any commercial purpose other than providing the Services; (c) combine Customer Data with personal information from other sources except as permitted under CCPA/CPRA.

13.3 Sensitive Personal Information. Where Customer Data includes sensitive personal information as defined under CCPA/CPRA (including LinkedIn credentials and two-factor authentication keys), Wyra processes such information only for the purpose of delivering the Services.

13.4 Certification. Wyra certifies that it understands and will comply with the restrictions set out in this Section 13 for the duration of this DPA.

14. Term

This DPA takes effect on the Effective Date and remains in force for as long as Wyra processes Customer Data in connection with the Services. This DPA automatically terminates upon termination or expiration of the applicable service agreement, subject to Wyra's data deletion obligations under Section 9.

15. Liability

Liability between the Parties arising from this DPA is governed by the limitation of liability provisions in the applicable Terms of Service, EULA, or Master Services Agreement, except to the extent that Applicable Data Protection Law requires a different allocation of liability.

16. General

16.1 Order of Precedence. In the event of conflict between this DPA and any other agreement, this DPA governs with respect to personal data processing matters. The SCCs in Annex IV take precedence over this DPA to the extent of any inconsistency in relation to EU/EEA personal data transfers.

16.2 Governing Law. This DPA is governed by the laws of the State of Delaware, USA, except to the extent that Applicable Data Protection Law requires a different governing law.

16.3 Amendments. Wyra may amend this DPA from time to time to reflect changes in Applicable Data Protection Law, provided that any amendment does not materially reduce the level of protection afforded to Customer Data. Wyra will notify Customer of material amendments with reasonable notice.

16.4 Severability. If any provision of this DPA is held invalid or unenforceable, it shall be modified to the minimum extent necessary, and all other provisions remain in full force.

16.5 Entire DPA. This DPA, together with its Annexes, constitutes the complete agreement between the Parties with respect to the processing of Customer Data.

Annex I — Data Processing Details

Part A — Platform User Data (Wyra's Customers). These are individuals within Customer's organisation who access and use the Wyra platform.

  • Account information (name, business email, job title, company name) — Employees and administrators — Account creation, authentication, service delivery, billing, support — Retention: duration of subscription + 60 days.
  • LinkedIn profile URL — Employees enrolled as AI SDRs — Setting up the AI SDR LinkedIn profile — Retention: duration of subscription + 30 days.
  • LinkedIn credentials (encrypted email, password, 2FA secret key) — Employees enrolled as AI SDRs — Operating LinkedIn outreach on Customer's behalf — Deleted within 30 days of disconnection or termination.
  • Meeting scheduling link (e.g. Calendly URL) — Employees enrolled as AI SDRs — Enabling AI SDR to book meetings with prospects — Retention: duration of subscription + 30 days.
  • Usage data, session data, platform logs — Employees and administrators — Platform performance, security monitoring, support — Retention: 13 months, then deleted or anonymised.
  • Campaign content and outreach messages — Employees — Storing and executing outreach campaigns — Retention: duration of subscription + 60 days.
  • Billing contact information — Billing administrator — Payment processing, invoicing (processed by Stripe) — Retention: duration of subscription + 7 years (legal requirement).

Part B — Prospect / Lead Data (Third-Party Contacts). These are business professionals at third-party organisations that Customer wishes to contact. Wyra processes this data as Data Processor on Customer's instruction.

  • LinkedIn profile URLs — Third-party business professionals — Input for enrichment and outreach — Retention: duration of Customer engagement + 60 days.
  • Name, job title, company name, location — Third-party business professionals — Enrichment, prospect profiling, outreach personalisation — Retention: duration of Customer engagement + 60 days.
  • Business email addresses — Third-party business professionals — Email outreach on Customer's instruction (enriched by Lead Magic) — Retention: duration of Customer engagement + 60 days.
  • Mobile phone numbers (if enabled) — Third-party business professionals — Calling outreach when Customer enables phone enrichment (enriched by Prospeo) — Retention: duration of Customer engagement + 60 days.
  • Company intelligence (industry, size, tech stack, funding signals) — Third-party business professionals — Prospect scoring, outreach strategy generation — Retention: duration of Customer engagement + 60 days.
  • AI-generated outreach strategy (pain points, hooks, scores, CTAs) — Third-party business professionals — Personalised outreach strategy generated by Wyra's AI agents — Retention: duration of Customer engagement + 60 days.
  • Email and LinkedIn reply content — Third-party business professionals — Tracking campaign performance, enabling Customer follow-up — Retention: duration of Customer engagement + 60 days.
  • AI SDR interaction logs (connection requests, messages sent) — Third-party business professionals — Campaign performance monitoring, compliance — Retention: duration of Customer engagement + 60 days.

Important retention notes: (1) When Customer deletes a prospect list or campaign, associated prospect data is removed from active systems within 30 days. (2) When Customer terminates the subscription, all Customer Data is available for export for 30 days, then permanently deleted within 60 days of termination. (3) Prospect data is completely isolated per Customer — no Customer's data is shared with or visible to any other Customer. (4) Deletion requests can be submitted at any time to privacy@wyra.ai — deletion is completed within 30 days and is irreversible.

Annex II — Technical and Organisational Security Measures

  • Encryption in transit: All Customer Data transmitted between Customer, Wyra's platform, and third-party integrations is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All Customer Data stored on Wyra's infrastructure is encrypted at rest using AES-256 encryption.
  • LinkedIn credential storage: LinkedIn credentials are stored encrypted using AES-256. Access is limited to automated outreach systems. Human access occurs only under documented break-glass procedures with audit logging. Credentials are deleted within 30 days of disconnection.
  • Access controls: Role-based access controls (RBAC) ensure Wyra personnel access Customer Data only on a need-to-know basis. Administrative access requires multi-factor authentication (MFA). Access rights are reviewed quarterly.
  • Network security: Wyra's infrastructure is hosted within a secured cloud environment (AWS) with network segmentation, firewalls, and intrusion detection controls.
  • Vulnerability management: Wyra conducts regular automated vulnerability scanning and annual third-party penetration testing. Critical vulnerabilities are remediated within defined timelines based on severity.
  • Incident response: Wyra maintains a documented incident response plan. Security incidents are escalated to Wyra's security team within 24 hours of detection. Customer notification is provided within 72 hours of Wyra becoming aware of a Security Incident.
  • Backup and recovery: Customer Data is backed up using automated daily backups stored in geographically separate locations. Disaster recovery procedures are documented and tested periodically.
  • Personnel security: All Wyra personnel with access to Customer Data are subject to confidentiality obligations and receive data protection and security training on onboarding and annually thereafter.
  • Vendor security: Sub-processors are subject to security assessments before engagement and are required to maintain security standards no less protective than those in this Annex.
  • SOC 2 / ISO 27001: Wyra is pursuing SOC 2 Type I and ISO 27001 certifications. Once certified, Wyra's current audit report will be made available to Enterprise customers upon request under NDA.
  • Physical security: Wyra's infrastructure is hosted in AWS data centres, which maintain physical security controls including 24/7 monitoring, biometric access, and environmental safeguards.

Annex III — Sub-processor List

The following third parties process Customer Data on Wyra's behalf. This list is maintained internally and available in full upon written request to privacy@wyra.ai.

  • AWS (Amazon Web Services, Inc.) — Primary infrastructure: application hosting, compute, storage, database, and AI model access (Anthropic Claude and other models via AWS Bedrock). Data location: United States (primary).
  • Twilio Inc. — Calling channel infrastructure: AI SDR voice outreach, call routing, and telephony services. Data location: United States.
  • Stripe, Inc. — Subscription billing and payment processing. Stripe does not access prospect data or outreach content. Data location: United States.
  • HubSpot, Inc. — CRM integration: meeting data synchronisation when Customer enables the HubSpot integration. Only Customer-enabled integrations transfer data to HubSpot. Data location: United States.
  • Lead Magic — Email address enrichment for prospect lists: locating business email addresses associated with LinkedIn profile URLs provided by Customer. Data location: United States.
  • Prospeo — Phone number enrichment: locating mobile phone numbers when Customer enables phone enrichment. Credits charged only when a number is found. Data location: United States.

Note on Large Platform Vendors: Anthropic, Google Cloud AI, and other foundation model providers are sub-sub-processors accessed through AWS Bedrock. Wyra's direct contractual relationship for AI model processing is with AWS. Wyra does not use Customer Data to train any foundation model.

Annex IV — EU Standard Contractual Clauses (SCCs)

Applicability. This Annex applies to transfers of personal data from the EU/EEA to Wyra in the United States. The Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission on 4 June 2021 are incorporated into this DPA by reference. For transfers from the UK, the UK International Data Transfer Addendum (IDTA) applies as an addendum to the EU SCCs.

SCC Annex I — Transfer Details:

  • Data exporter: Customer — the entity identified in this DPA, acting as Data Controller.
  • Data importer: Wyra AI, Inc., 633 3rd Avenue, Suite 19F, New York, NY 10017 | privacy@wyra.ai. Acting as Data Processor.
  • Data subjects: Customer's employees and administrators; third-party business professionals whose data Customer instructs Wyra to enrich, score, and contact.
  • Categories of data: as set out in Annex I, Part A and Part B of this DPA.
  • Sensitive data: LinkedIn credentials (where provided by Customer). No other special categories of personal data are ordinarily processed.
  • Frequency: continuous, for the duration of the service relationship.
  • Competent supervisory authority: the supervisory authority of the EU member state in which Customer is established, or the ICO for UK transfers.

SCC Annex II — Technical and Organisational Measures: the measures described in Annex II of this DPA are incorporated here by reference.

SCC Annex III — Sub-processors: the Sub-processors listed in Annex III of this DPA are incorporated here by reference.

SCC Module 2 Optional Clauses: Clause 7 (Docking) — not applicable. Clause 11 (Redress) — Customer does NOT elect the independent dispute resolution option. Clause 17 (Governing law) — law of the EU member state where Customer is established, or Ireland if not applicable. Clause 18 (Choice of forum) — courts of the relevant EU member state, or Ireland. For UK transfers — courts of England and Wales.

SCC Status and Updates: The EU SCCs (Module 2, June 2021) are the current applicable version. For UK transfers, the UK IDTA applies. Wyra will execute a separate UK IDTA addendum upon Customer's request. Transfer Impact Assessments covering key Sub-processor transfers are available to Enterprise customers upon request under NDA. If Customer requires executed copies of the SCCs with completed annexes, Wyra will provide them upon written request to privacy@wyra.ai.

Contact

Questions or requests: privacy@wyra.ai

Wyra AI, Inc. — 633 3rd Avenue, Suite 19F, New York, NY 10017, United States

Questions about this policy? Email legal@wyra.ai