Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between CloudSecNetwork LLC, doing business as DrusyAI ("DrusyAI" or "Processor"), and the customer that uses the Service ("Customer" or "Controller"). It applies when DrusyAI processes Customer Personal Data on behalf of Customer in connection with the Service.

This DPA is intended to satisfy applicable data protection laws, including where applicable the GDPR, UK GDPR, Swiss Federal Act on Data Protection, CCPA/CPRA service provider requirements, and similar data protection laws. If there is a conflict between this DPA and the Terms of Service, this DPA controls for Customer Personal Data processing matters.

Terms such as "controller," "processor," "personal data," "processing," "data subject," "subprocessor," and "supervisory authority" have the meanings given in applicable data protection laws. "Customer Personal Data" means personal data that Customer submits to the Service or that DrusyAI processes on Customer’s behalf, including WhatsApp messages, customer records, leads, booking details, and related metadata.

Customer is the controller or business that determines the purposes and means of processing Customer Personal Data. DrusyAI is the processor or service provider that processes Customer Personal Data only on Customer’s documented instructions, including the Terms of Service, order forms, product configuration, support requests, and this DPA.

Customer is responsible for ensuring that its instructions are lawful and that it has provided all notices and obtained all consents, permissions, and lawful bases necessary for DrusyAI to process Customer Personal Data.

DrusyAI processes Customer Personal Data to provide, secure, support, maintain, and improve the Service, including WhatsApp conversation automation, AI-generated drafts and responses, lead capture, booking workflows, analytics, troubleshooting, customer support, and integrations selected by Customer.

• Categories of data subjects: Customer’s authorized users, prospects, leads, customers, website visitors, support contacts, and individuals who communicate through connected channels.
• Categories of personal data: contact details, account information, WhatsApp identifiers, message content, attachments, metadata, lead details, booking details, business notes, prompts, AI outputs, and usage logs.
• Sensitive data: Customer should not submit sensitive or special category data unless permitted by its agreement, configuration, and applicable law and unless appropriate safeguards are in place.
• Duration: for the term of the Service and any post-termination period needed for deletion, return, backup retention, legal compliance, and security purposes.

• Process Customer Personal Data only on documented instructions from Customer unless required by law.
• Ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations.
• Implement appropriate technical and organizational measures designed to protect Customer Personal Data.
• Assist Customer with data subject requests, security incidents, impact assessments, and consultations with supervisory authorities, taking into account the nature of processing and information available to DrusyAI.
• Delete or return Customer Personal Data at the end of the Service, subject to legal requirements, backup retention, and legitimate security or compliance needs.

DrusyAI maintains administrative, technical, and organizational safeguards appropriate to the risk, which may include access controls, least-privilege permissions, encryption in transit, logging and monitoring, vulnerability management, vendor diligence, secure development practices, employee confidentiality commitments, and incident response procedures.

Customer is responsible for configuring the Service securely, managing authorized users, protecting credentials, limiting access permissions, and ensuring connected integrations are appropriate for Customer’s data protection obligations.

Customer authorizes DrusyAI to engage subprocessors to provide hosting, storage, communications, messaging, AI processing, analytics, payment, support, monitoring, and other services necessary to operate the Service. DrusyAI will impose data protection obligations on subprocessors that are materially no less protective than those in this DPA.

DrusyAI remains responsible for subprocessors’ performance of their data protection obligations. We will provide a mechanism to make available information about subprocessors and, where required by law, allow Customer to object to new subprocessors on reasonable data protection grounds.

Customer Personal Data may be processed in countries other than where Customer or data subjects are located. Where applicable data protection laws require a transfer mechanism, the parties will use appropriate safeguards such as standard contractual clauses, UK addenda, adequacy decisions, transfer impact assessments, or other lawful mechanisms.

Customer is responsible for responding to requests from data subjects to exercise privacy rights. Taking into account the nature of processing, DrusyAI will provide reasonable assistance through product functionality or support channels to help Customer access, correct, delete, export, or restrict Customer Personal Data when required by applicable law.

DrusyAI will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to DrusyAI to help Customer meet its legal obligations. DrusyAI’s notification is not an admission of fault or liability.

Upon reasonable written request, DrusyAI will provide information necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and commercial sensitivity limitations. Audits must be reasonable in scope, frequency, and duration and may be satisfied through security documentation, questionnaires, certifications, or independent reports where available.

To the extent the CCPA/CPRA applies, DrusyAI acts as a service provider or contractor for Customer Personal Data. DrusyAI will not sell or share Customer Personal Data, retain, use, or disclose it outside the business purposes specified in the agreement, or combine it with other personal information except as permitted by the CCPA/CPRA and Customer’s instructions.

Upon termination or expiration of the Service, DrusyAI will delete or return Customer Personal Data according to Customer’s instructions and the Service functionality, unless retention is required by law or permitted for backups, security, fraud prevention, dispute resolution, or compliance purposes. Backup deletion may occur according to ordinary backup cycles.

• Legal entity: CloudSecNetwork LLC
• Postal address: 2055 Limestone Road, Suite 200-C, Wilmington, DE 19808, United States
• Privacy contact: hello@cloudsecnetwork.com
• Data Protection Officer or EU/UK Representative, if applicable: not currently appointed; privacy requests may be sent to hello@cloudsecnetwork.com