ariyes

Data Processing Addendum

Effective date: 1 January 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Servicebetween Ariyes Lda (“Ariyes”, “Processor”) and the customer (“Customer”, “Controller”) and applies to the extent Ariyes processes Personal Data on the Customer’s behalf in providing the Service. Where there is a conflict, this DPA prevails over the Terms with respect to data protection. Capitalized terms not defined here have the meaning given in the Terms or in applicable Data Protection Laws (including the EU GDPR, UK GDPR, and CCPA/CPRA, as applicable).

1. Roles and scope

The Customer is the Controller (or a processor acting for a third-party controller) and Ariyes is the Processor of “Customer Personal Data”, the Personal Data contained in Customer Data that Ariyes processes to provide the Service. The Customer’s own end users and contacts are the Data Subjects. Ariyes processes Customer Personal Data only on the Customer’s documented instructions, including as set out in the Terms and this DPA, unless required by law.

2. Subject matter, duration, nature, and purpose

  • Subject matter / nature: hosting, storing, transmitting, and processing Customer Personal Data to provide the communications, support, CRM, and storage features of the Service.
  • Duration: for the term of the Terms plus the retention period in Section 9.
  • Categories of Data Subjects:the Customer’s contacts, recipients, support requesters, leads, and end users.
  • Categories of Personal Data: identifiers (name, email, phone), message and communication content, support and ticket content, and any other data the Customer chooses to submit.

The Customer must not submit special-category data unless the parties have agreed appropriate additional safeguards.

3. Customer obligations

The Customer warrants that it has a lawful basis and all necessary consents and notices to submit Customer Personal Data to the Service and to instruct the processing described here, and that its instructions comply with Data Protection Laws.

4. Confidentiality

Ariyes ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and process the data only as instructed.

5. Security measures

Ariyes implements appropriate technical and organizational measures to protect Customer Personal Data, including: encryption in transit (TLS) and at rest; AES-256-GCM encryption of sensitive stored credentials (such as connected-account API tokens); logical tenant isolation so one customer’s data is not accessible to another; role-based access controls and least-privilege access; authentication controls, including passwordless sign-in for users and multi-factor authentication required for privileged platform-staff access; audit logging of privileged actions (including administrative impersonation); monitoring; regular backups; and a secure software development lifecycle. Primary application and email infrastructure are hosted in the EU (Frankfurt region). Details are summarized on our Security page.

6. Sub-processors

The Customer provides general authorization for Ariyes to engage sub-processors to provide the Service. Ariyes imposes data-protection obligations on each sub-processor no less protective than this DPA and remains responsible for their performance. Current sub-processors may include, without limitation:

Sub-processorPurposeRegion
StripeBilling and payment processing[confirm - e.g. US/EU]
MailgunEmail delivery and inbound (primary)EU (Frankfurt)
AWS SESEmail delivery (failover)[confirm region]
SendGridEmail delivery-event processing[confirm region]
TwilioSMS and WhatsApp messaging[confirm region]
ChatwootOptional chat/support integration (per-tenant)[self-hosted / confirm]
GoogleGoogle sign-in; Gmail mailbox integration (OAuth)Global
SentryError and performance monitoring[confirm region]
[Cloud host]Application and database hostingEU (Frankfurt)
[Object storage, Garage / S3-compatible]File and attachment storage[confirm region]

Ariyes will make available a current list of sub-processors and will give the Customer reasonable prior notice of the addition or replacement of a sub-processor, allowing the Customer to object on reasonable data-protection grounds.

7. International transfers

Where processing involves transfers of Customer Personal Data out of the EEA, UK, or other restricted regions, the parties will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where applicable.

8. Data subject requests

Taking into account the nature of the processing, Ariyes will assist the Customer, by appropriate technical and organizational measures and insofar as possible, to respond to Data Subject requests to exercise their rights. If Ariyes receives such a request directly, it will, where legally permitted, refer the Data Subject to the Customer.

9. Retention and deletion

On termination or expiry of the Terms, Ariyes will, at the Customer’s choice, delete or return Customer Personal Data, and delete existing copies within [30] days, unless retention is required by law. Backup copies are deleted in the ordinary backup cycle.

10. Personal data breach

Ariyes will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its notification obligations.

11. Audits

Ariyes will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality, scheduling, and frequency limits.

12. Assistance

Ariyes will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Ariyes.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms.

14. Contact

Data protection contact: [email protected], Ariyes Lda, Lisbon, Portugal (company registration no. 99102561).