Data Processing Addendum
A summary of Doyna's DPA. The signed PDF version is available on request.
Get the signed DPA
Email [email protected] with the subject “DPA request”. Include your company legal name, registered address, and the contact details of your data protection officer (or controller representative). We return a signed counterpart within two business days.
1. Roles
For customer-owned content processed in your Doyna tenant (mailbox content, calendar events, AI prompts, uploaded documents), you are the controller and Doyna (Summise SRL) is the processor under Art. 4 GDPR. For account-level data we strictly need to operate the service (your login email, payment details), Doyna is an independent controller.
2. Subject matter and duration
Doyna processes personal data on your behalf for the duration of your subscription. The subject matter is the operation of the Doyna AI productivity platform; the nature and purpose of processing is to provide email triage, calendar assistance, AI-assisted drafting, and document analysis.
3. Categories of data and data subjects
- Data subjects: your employees and external persons whose data is contained in messages, calendar events, or documents you process through Doyna.
- Categories: contact identifiers, email content, calendar content (including attendees), files you upload, AI queries, OAuth identifiers.
- Special categories (Art. 9): not processed by Doyna intentionally. You undertake not to direct Doyna to process special-category data without first agreeing on additional safeguards.
4. Sub-processors
You give Doyna general authorization to engage the sub-processors listed on the /subprocessors page. We notify you of additions or replacements at least 15 days in advance via the change-subscription mailing list.
If you object on reasonable data-protection grounds, you may terminate the affected service within the notice period without penalty.
5. International transfers
Where personal data is transferred outside the EEA / UK, transfers rely on the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor) and, where applicable, the UK International Data Transfer Addendum. The applicable Module 2 SCCs and IDTA are incorporated by reference into our DPA.
6. Security measures (TOMs)
- TLS 1.3 in transit; AES-256 at rest.
- Tenant isolation: customer-owned data resides in tenant-scoped storage and is not co-mingled across customers.
- Authentication: OAuth 2.0 (Microsoft Identity Platform, Google), signed JWT for session tokens, server-side validation.
- Access control: least-privilege engineering access; production access logged and reviewed.
- Vulnerability management: dependencies scanned on every build; critical advisories triaged.
- Incident response: breach-notification target of 72 hours from confirmation, per GDPR Art. 33.
- Sub-processor controls: signed DPAs with all sub-processors listed at /subprocessors.
7. Assistance to the controller
Doyna will assist you with (a) responses to data-subject requests (access, rectification, erasure, objection, portability), (b) data protection impact assessments, and (c) prior consultations with supervisory authorities, in each case taking into account the nature of processing and the information available to Doyna.
8. Audit rights
You may request, no more than once per year, a copy of our most recent third-party security assessment and a written response to a reasonable questionnaire. On-site audits require 30 days' notice, are subject to confidentiality, and may not unreasonably disrupt the service.
9. Return or deletion on termination
On termination of the service, Doyna deletes or returns all customer personal data within 30 days of your written request, unless retention is required by EU or Member-State law. Backups are purged on the standard 90-day rotation.
10. Liability
Liability under this DPA is subject to the limitations of the main subscription agreement between you and Summise SRL. Caps do not limit either party's liability for damages owed to data subjects under Art. 82 GDPR.
11. Contact
Doyna data-protection contact: [email protected]. For supervisory complaints, the competent EU authority is the Romanian Data Protection Authority (ANSPDCP).