GDPR Compliance

2.1 Processing Within Controller Instructions

Wyra processes personal data only for the purposes its customers define. Customers control which prospects are uploaded, which offerings and campaigns are active, and which geographies are targeted. Wyra does not use customer prospect data for its own marketing purposes, model training outside the scope of the service, or any purpose beyond delivering the platform.

2.2 Security Measures

Wyra AI, Inc. is SOC 2 Type 1 certified. SOC 2 certification validates that Wyra has implemented controls across security, availability, and confidentiality — directly relevant to GDPR's Article 32 requirement that processors implement appropriate technical and organizational measures to protect personal data.

Wyra's security infrastructure includes:

• Encryption in transit and at rest
• Access controls and role-based permissions
• Regular internal security reviews
• Managed sending infrastructure with domain-level and email-level unsubscribe handling

ISO 27001 certification is currently in progress. For enterprises requiring audit documentation, the SOC 2 report is available under NDA. Contact security@wyra.ai.

2.3 Data Processing Agreement

Wyra maintains a publicly accessible Data Processing Agreement (DPA) at wyra.ai/legal/dpa. The DPA governs the terms under which Wyra processes personal data on behalf of customers and includes the required contractual clauses under GDPR Article 28. Customers operating in the EU or EEA, or handling EU resident data, should ensure their DPA is executed before processing commences. Contact legal@wyra.ai to initiate.

2.4 Sub-Processors

Wyra engages a limited number of sub-processors — third-party services involved in delivering the platform. Wyra ensures all sub-processors are bound by data protection obligations consistent with GDPR requirements. The current sub-processor list is available upon request. Customers are notified of any material changes to the sub-processor list in advance, providing the opportunity to raise objections before the change takes effect. Contact privacy@wyra.ai to request the sub-processor list.

2.5 Records of Processing

Wyra maintains records of processing activities as required under GDPR Article 30. These records cover the categories of personal data processed, the purposes for which processing occurs, and the technical measures in place to protect that data. Records are available to customers and supervisory authorities upon request.

2.6 Data Breach Notification

Notification will include the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed to address it.

2.7 Data Subject Rights

GDPR grants individuals specific rights over their personal data, including the right to access, rectify, restrict processing of, and erase their data.

Wyra assists its customers — as data controllers — in fulfilling these requests from their prospects. If an individual contacts Wyra directly regarding their personal data, Wyra will route the request to the relevant customer and cooperate in ensuring it is addressed within the statutory timeframe. Data subject requests can be submitted to privacy@wyra.ai.

2.8 Data Deletion on Contract Termination

Upon contract termination, Wyra will securely delete all personal data processed on behalf of the customer within 30 days, unless retention is required by applicable law. Customers may request written confirmation of deletion. Contact privacy@wyra.ai to initiate the data return or deletion process.