Data Processing
Data Processing Agreement.
A standard DPA for GDPR, UK GDPR, and equivalent frameworks. Pre-signed for Free, Starter, Pro, and Team customers. Negotiated for Enterprise.
Scope
What our DPA covers
When you process the personal data of EU, UK, or other regulated subjects through PiyAPI, you become the controller and PiyAPI becomes the processor. The DPA formalises that relationship and codifies our obligations under Article 28 of the GDPR.
The agreement covers: lawful basis, sub-processor governance, security of processing, personal data breach notification, data-subject rights assistance, international transfers (Standard Contractual Clauses), and audit rights.
How to execute
Self-serve
Free / Starter / Pro
Our standard DPA is incorporated by reference into the Terms of Service. By using the service in a controller capacity, you accept the standard DPA. A countersigned copy is available on request.
Countersigned
Team
Email legal@piyapi.cloud with your billing entity, jurisdiction, and the lawful basis you rely on. We countersign within 5 business days.
Negotiated
Enterprise
Bring your paper. We accept redlines on the standard agreement and can negotiate custom SCCs, data-residency clauses, and audit windows.
HIPAA
Business Associate Agreement (BAA)
Customers processing US Protected Health Information should request a BAA in addition to the DPA. The BAA is available on the Team plan ($158/mo) and above. A custom BAA is part of every Enterprise engagement.
See /compliance/hipaa for the HIPAA-Ready architecture and the 31-type PHI Firewall that backs the BAA.
Sub-processors
A current list of sub-processors used to deliver the service is maintained at /subprocessors. You will receive 30 days’ notice of any new sub-processor before it is engaged.
Need a countersigned DPA?
Email legal@piyapi.cloud with your billing entity. 5 business-day turnaround.