Edysor Edutech Solutions Private Limited
Effective Date: 24 June 2026
Version: 2.0 (Enterprise Edition)
1. Introduction and Parties
This Data Processing Agreement ("DPA") forms part of the service agreement or other written or electronic agreement ("Principal Agreement") entered into between:
Processor: Edysor Edutech Solutions Private Limited, a company registered under the Companies Act 2013, India, operating the SICADA AI platform ("Processor" or "Edysor")
Controller: The entity or individual engaging Edysor's services ("Controller" or "Client")
This DPA governs the processing of Personal Data by Edysor on behalf of the Client in connection with SICADA AI services.
SICADA AI is an AI-powered voice, chat, and workflow automation platform providing services including (but not limited to): automated voice calls, AI voice bots, speech-to-text and text-to-speech processing, conversational AI, customer support automation, lead qualification, CRM communication, appointment scheduling, analytics, and related SaaS services.
2. Definitions
| Term | Definition |
|---|---|
| Applicable Data Protection Laws | GDPR (EU General Data Protection Regulation), DPDPA 2023 (India), CCPA (if applicable), and any other applicable data protection or privacy laws in jurisdictions where the Client and Data Subjects are located. |
| Personal Data | Any information relating to an identified or identifiable natural person, including names, contact information, voice recordings, call metadata, transcripts, CRM data, and any other data processed by SICADA AI. |
| Processing | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction. |
| Data Subject | The natural person to whom Personal Data relates (e.g., call recipients, customers, leads, employees). |
| Subprocessor | Any third party engaged by Edysor to process Personal Data on behalf of the Client (e.g., cloud providers, AI vendors, payment processors). |
| Client Personal Data | All Personal Data uploaded, generated, recorded, or integrated into SICADA AI by or on behalf of the Client, including call data, customer information, CRM records, documents, and any other content. |
| Breach | A confirmed or suspected unauthorized access, disclosure, destruction, or loss of Personal Data. |
3. Roles and Responsibilities
3.1 The Client as Data Controller
- The Client determines the purposes and means of processing Personal Data.
- The Client bears responsibility for lawful basis and compliance with data protection laws.
- The Client is responsible for providing notices and obtaining consent from Data Subjects.
3.2 Edysor as Data Processor
- Edysor processes Personal Data solely on documented instructions from the Client.
- Edysor does not determine the purposes or means of processing.
- Edysor shall comply with this DPA and Applicable Data Protection Laws.
- Edysor shall maintain confidentiality and implement appropriate safeguards.
3.3 Legal Status
Nothing in this Agreement grants Edysor ownership, independent rights, or control over Client Personal Data. Edysor is a service provider only.
4. Scope and Purpose of Processing
4.1 Services and Processing Activities
Edysor shall process Client Personal Data exclusively to provide the services described in the Principal Agreement, including:
- AI-based voice calls and conversational interactions
- Speech-to-text transcription and voice synthesis
- Call recording, storage, and analysis (where instructed)
- Chat and messaging automation
- Customer support and inquiry routing
- Lead qualification and CRM communication
- Appointment scheduling and calendar management
- Workflow automation and business process execution
- Analytics, reporting, and service optimization
- Integration with Client systems and third-party platforms
4.2 Processing Instructions
Edysor shall not process Client Personal Data for any purpose other than those explicitly documented and instructed by the Client. Any new processing purpose requires prior written authorization from the Client.
4.3 Duration of Processing
Processing shall continue for the duration of the Principal Agreement and any extended retention periods specified in the Client's written instructions or this DPA.
5. Client Obligations and Representations
5.1 Client Warranties
The Client represents and warrants that:
- It has a lawful basis for collecting and processing Personal Data (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
- It has provided all required privacy notices and disclosures to Data Subjects.
- It has obtained appropriate consents or authorizations from Data Subjects, including for call recording, voice processing, and AI analysis.
- It has assessed the legality and necessity of processing under Applicable Data Protection Laws.
- Its instructions to Edysor comply with Applicable Data Protection Laws.
- Personal Data does not violate any third-party rights or confidentiality obligations.
5.2 Client Responsibilities
- The Client remains solely responsible for the legality of its instructions and processing.
- The Client shall obtain all necessary consents before disclosing data to Edysor (particularly for call recording and voice processing).
- The Client shall ensure compliance with data localization, residency, and sectoral regulations.
6. Processor Obligations
6.1 Processing Instructions
Edysor shall:
- Process Client Personal Data only on documented, explicit written instructions from the Client.
- Not process Personal Data beyond the scope of the Principal Agreement without prior written authorization.
- Promptly inform the Client if an instruction violates or appears to violate Applicable Data Protection Laws.
- Refuse to execute instructions that are manifestly unlawful or inconsistent with data protection principles.
6.2 Confidentiality and Access Control
Edysor shall:
- Ensure that all persons authorized to process Client Personal Data are bound by written confidentiality obligations.
- Limit access to Personal Data to authorized personnel only, on a need-to-know basis.
- Implement role-based access control (RBAC) to restrict view, edit, and delete permissions.
- Maintain access logs and audit trails for all data access and processing activities.
- Immediately revoke access upon termination of employment or engagement.
6.3 Prohibited Uses
Edysor shall NOT:
- Sell, rent, lease, or monetize Client Personal Data for any purpose.
- Use Client Personal Data for advertising, profiling, behavioral analysis, or marketing directed at Data Subjects.
- Combine Client Personal Data with data from other sources for independent analytics or insights.
- Share Client Personal Data with unrelated third parties or competitors.
- Use Client Personal Data for business purposes other than delivering the contracted services.
7. No AI Model Training Without Consent
CRITICAL CLAUSE:
Edysor shall NOT use Client Personal Data, call recordings, transcripts, uploaded documents, CRM data, prompts, customer content, call metadata, or any other content derived from the Client's use of SICADA AI to:
- Train, fine-tune, or improve third-party or general-purpose AI models.
- Develop competing AI products or services.
- Create datasets for research or commercial purposes.
- Transfer to OpenAI, Google, Meta, or any other AI vendor for model development.
EXCEPTION:
Edysor may use aggregated, anonymized, and de-identified data for service improvement, analytics, and product optimization, provided that:
- Data is irreversibly anonymized such that individuals cannot be re-identified.
- No personal or identifying information is retained.
- The Client has not objected in writing.
Any use of Client Personal Data for model training beyond the above requires explicit written consent from the Client, a separate Data Processing Agreement amendment, and clear compensation terms.
8. Security and Protection Measures
8.1 Technical Measures
Edysor shall maintain reasonable and appropriate technical security measures, including:
- Encryption: TLS 1.3 or equivalent for data in transit; AES-256 or equivalent encryption at rest.
- Access Control: Multi-factor authentication (MFA) for all administrative and staff access.
- Network Security: Firewalls, intrusion detection systems, DDoS protection, and network segmentation.
- Data Isolation: Client data stored in isolated environments (per-tenant or encrypted partitions).
- Audit Logging: Immutable logs of all access, modifications, and deletions for a minimum of 90 days.
- Monitoring: 24/7 security monitoring and threat detection via SIEM systems.
- Backups: Regular automated backups with encryption and secure storage; tested recovery procedures.
8.2 Organizational Measures
Edysor shall maintain organizational safeguards, including:
- Personnel Security: Background checks for staff with access to Personal Data; security awareness training.
- Access Policies: Written policies limiting access to authorized personnel only; immediate revocation on termination.
- Data Protection Officer: Designated DPO or privacy officer responsible for oversight.
- Incident Response: Documented procedures for breach detection, investigation, and remediation.
- Vendor Management: Due diligence on all Subprocessors; contractual data protection obligations.
- Regular Testing: Annual penetration testing, vulnerability assessments, and security audits by third parties.
8.3 Security Updates
Edysor may update security measures to reflect industry best practices and emerging threats. Material changes will be communicated to the Client in advance where feasible.
9. Subprocessors
9.1 Authorized Subprocessors
Edysor is authorized to engage Subprocessors necessary to deliver the SICADA AI services. The Client authorizes the use of the Subprocessors listed in the current Authorized Subprocessors List (Annex A).
9.2 Categories of Subprocessors
Subprocessors may include providers in the following categories:
- Cloud Infrastructure: Amazon Web Services (AWS), Microsoft Azure, or equivalent providers for compute, storage, and database services.
- Telephony & Communication: Twilio, AWS Connect, or similar PSTN and VoIP providers for call routing and delivery.
- Real-Time Media: LiveKit, Zoom, or similar WebRTC platforms for video/voice streaming.
- AI and Language Processing: OpenAI, Google Gemini, Anthropic Claude, xAI, Groq, or similar LLM providers for AI inference.
- Speech Processing: Deepgram, Google Cloud Speech-to-Text, AWS Transcribe, or similar providers for transcription and voice synthesis (ElevenLabs, Cartesia, Sarvam AI).
- Vector & Knowledge Retrieval: Pinecone, Weaviate, or similar vector database providers for RAG and knowledge base search.
- Payment Processing: Stripe, Razorpay, PayPal, or similar PCI-compliant payment gateways.
- Analytics & Monitoring: Datadog, New Relic, Sentry, or similar monitoring and observability platforms.
- Email & Notifications: SendGrid, Mailgun, Twilio SendGrid, or similar email service providers.
9.3 Subprocessor Obligations
Edysor shall ensure that all Subprocessors are bound by written data protection obligations no less protective than those in this DPA, including:
- Confidentiality and security requirements.
- Restrictions on use of Personal Data (no independent use, no model training without consent).
- Audit and compliance rights for Edysor and the Client.
- Sub-subprocessor authorization and notice requirements.
9.4 Authorized Subprocessors List (Annex A)
The current list of authorized Subprocessors is maintained at: https://sicada.ai/security. This list is updated in real time and reflects all active third-party processors. The Client may request a copy at any time by contacting privacy@edysor.ai.
9.5 Subprocessor Changes and Client Rights
- Notice of Changes: Edysor will provide the Client with at least 30 days' prior written notice before adding, replacing, or materially changing any Subprocessor.
- Right to Object: The Client may object to the addition or change of a Subprocessor on reasonable data protection grounds within 15 days of notice. Edysor shall consider the Client's objection in good faith.
- Remedies: If Edysor and the Client cannot agree on a Subprocessor change, the Client may suspend use of SICADA AI for the affected services, or terminate the Principal Agreement without penalty, provided the Client terminates within 30 days of the notice.
10. Data Subject Rights Assistance
10.1 Cooperation on Subject Rights
Edysor shall assist the Client, at no additional cost, in responding to Data Subject requests for:
- Access: Providing copies of Personal Data in a structured, commonly-used, machine-readable format.
- Rectification: Correcting or updating inaccurate Personal Data.
- Erasure (Right to be Forgotten): Deleting Personal Data, except where retention is legally required.
- Restriction: Limiting processing to storage only, where legally required.
- Data Portability: Transferring Personal Data in a structured format to another processor.
- Objection: Suspending processing where legally permitted.
10.2 Cooperation Timeline
Edysor shall respond to Data Subject requests within 5 business days of notification from the Client. The Client remains responsible for responding to Data Subjects within applicable legal timelines (e.g., 30 days under GDPR/DPDPA).
10.3 Limitations
Edysor's obligations are subject to:
- Technical feasibility (e.g., irreversibly anonymized data cannot be identified).
- Legal requirements (e.g., where retention is mandated by law).
- The Client's confirmation that the request is authentic and lawful.
11. Data Breach Notification
11.1 Breach Detection and Notification
Edysor shall:
- Implement systems to detect, log, and investigate suspected or confirmed breaches.
- Notify the Client without undue delay and, where feasible, within 72 hours after becoming aware of a confirmed Personal Data breach.
- Provide notification via the Client's primary contact email and, if critical, by phone.
11.2 Breach Notification Content
The notification shall include:
- Nature and scope of the breach (e.g., unauthorized access, accidental disclosure, deletion).
- Categories and approximate number of Data Subjects affected.
- Categories and types of Personal Data affected (e.g., names, contact, call recordings).
- Likely consequences of the breach.
- Measures taken or proposed to mitigate harm (e.g., notification, password reset, credit monitoring).
- Edysor's breach contact (typically the DPO or legal team).
11.3 Investigation and Remediation
Edysor shall:
- Promptly investigate the root cause of the breach.
- Provide the Client with a full incident report within 15 business days of the breach.
- Implement remedial measures to prevent recurrence.
- Cooperate with the Client's notification to Data Subjects and regulatory authorities.
12. International Data Transfers
12.1 Data Localization and Storage
Client Personal Data is primarily stored in:
- AWS ap-south-1 (Mumbai, India): Primary data center for storage and backup.
- AWS us-east-1 (Virginia, USA): Secondary processing location for AI inference and optimization.
The Client may request alternative or additional data residency (e.g., EU-only, India-only) by written request. Alternative arrangements may incur additional fees.
12.2 International Transfer Mechanisms
Where Personal Data is transferred outside the country of origin, Edysor shall implement one of the following mechanisms:
- Standard Contractual Clauses (SCCs): EU Standard Contractual Clauses (Module One/Two) approved by the European Commission for transfers from EU/UK to third countries.
- Adequacy Decisions: Transfer to countries with EU/UK adequacy decisions (e.g., UK, Japan, South Korea).
- UK IDTA/Addendum: UK International Data Transfer Agreement or UK SCCs Addendum for UK data transfers.
- Customer Data Processing Addendum: Supplementary agreements with Subprocessors ensuring onward transfer protections.
12.3 Supplementary Safeguards
For transfers to countries without adequacy or SCC agreements, Edysor may implement supplementary safeguards, including:
- Encryption of Personal Data at rest and in transit.
- Pseudonymization where feasible.
- Contractual commitments limiting onward access.
12.4 Client Choice
The Client may restrict transfers by writing to privacy@edysor.ai. Restrictions may impact service availability and performance.
13. Data Retention and Deletion
13.1 Retention Periods
Edysor shall retain Client Personal Data only as long as necessary to provide the services and comply with legal obligations:
| Data Type | Retention Period |
|---|---|
| Call Recordings and Transcripts | As specified by Client; default 90 days unless extended |
| Call Metadata (dates, numbers, duration) | As specified by Client; default 1 year |
| CRM and Customer Data | Duration of engagement + 1 year (or as instructed) |
| System Logs and Audit Trails | 90 days minimum, up to 1 year |
| Billing and Transaction Records | 7 years (legal/tax requirement) |
| Backup Copies | 90 days after deletion (disaster recovery) |
13.2 Deletion Upon Termination
Upon termination of the Principal Agreement or at the Client's request, Edysor shall, at the Client's written choice:
- Delete: Securely and permanently delete all Client Personal Data within 30 days, or
- Return: Return all Personal Data in a structured, machine-readable format within 30 days, or
- Retain: Continue retention for the period specified by the Client, subject to Applicable Data Protection Laws.
13.3 Deletion Method
Deletion shall be carried out using cryptographically secure erasure methods such that data cannot be recovered. Edysor shall provide a written certification of deletion within 10 days of completion.
13.4 Legal Retention Exceptions
Notwithstanding the above, Edysor may retain Personal Data where required by law (e.g., tax, financial, or regulatory obligations). The Client shall be notified of the legal basis and expected retention period.
14. Audit Rights and Compliance Verification
14.1 Audit Requests
Upon reasonable written request, Edysor shall provide information and documentation necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
14.2 Audit Scope and Frequency
- Frequency: Audits limited to once per calendar year, unless Edysor is subject to a Data Protection Authority investigation or the Client has identified a specific compliance concern.
- Notice: The Client shall provide at least 30 days' prior written notice before conducting an audit.
- Timing: Audits shall be scheduled during business hours and shall not disrupt normal operations.
- Scope: Audits may cover security measures, access controls, processing records, and Subprocessor compliance. Access to other Clients' data is prohibited.
- Confidentiality: The auditor shall execute a confidentiality agreement protecting Edysor's proprietary information and trade secrets.
14.3 Third-Party Audits
The Client may request that Edysor undergo an audit by a qualified third-party auditor (e.g., SOC 2, ISO 27001). The costs of such audits shall be borne by the Client unless Edysor has agreed otherwise.
14.4 Certification and Reports
Edysor maintains the following certifications and compliance statuses:
- ISO 27001 (Information Security Management) - Aligned Controls
- SOC 2 Type II - In Progress (target completion: Q4 2026)
- GDPR Compliance - Verified by legal review
- DPDPA 2023 Compliance - Verified by legal review
Current audit reports and certificates are available at: https://sicada.ai/security
15. Data Subject Requests and Regulatory Cooperation
15.1 Authority Requests
If a Data Protection Authority or government agency requests Personal Data from Edysor, Edysor shall:
- Notify the Client without undue delay, unless legally prohibited.
- Challenge legally deficient requests (e.g., lack of warrant or proper authorization).
- Disclose only the minimum necessary to comply with the legal obligation.
- Request confidentiality protection for trade secrets and Client information.
15.2 Client Cooperation
The Client shall cooperate with Edysor in responding to Data Subject requests and Authority inquiries, including providing necessary documentation and timely responses.
16. Processing Details Annex
Annex B (Processing Schedule) provides detailed specifications for processing activities, including:
- Categories of Data Subjects (e.g., customers, leads, employees).
- Categories of Personal Data processed (e.g., names, phone numbers, call recordings, metadata).
- Purpose and nature of processing (e.g., call automation, CRM communication, analytics).
- Duration of processing and data retention.
- Technical and organizational security measures.
- Authorized Subprocessors and their processing activities.
- Data localization and transfer mechanisms.
- Data Subject rights and assistance procedures.
The Client and Edysor shall maintain and update this annex as processing activities change.
17. Data Protection Impact Assessments (DPIA)
Where Edysor's processing poses a high risk to Data Subject rights (e.g., large-scale call recording, AI decision-making), Edysor shall assist the Client in conducting a Data Protection Impact Assessment (DPIA) as required under Applicable Data Protection Laws. The Client remains responsible for initiating and completing the DPIA.
18. Limitation of Liability
18.1 Indemnification: Each party shall indemnify the other against third-party claims arising from its breach of this DPA or Applicable Data Protection Laws.
18.2 Liability Caps: Edysor's total liability under this DPA shall not exceed the liability limits specified in the Principal Agreement. Liability for data breaches caused by Edysor's breach of security obligations may be subject to higher limits as determined by Applicable Data Protection Laws.
19. Term and Termination
19.1 Duration: This DPA remains in effect for the duration of the Principal Agreement and for the data retention periods specified herein.
19.2 Survival: Sections relating to confidentiality, security, breach notification, audit rights, and data deletion shall survive termination of the Principal Agreement.
20. Governing Law and Dispute Resolution
20.1 Governing Law: This DPA is governed by the laws of India and the Applicable Data Protection Laws of the Client's jurisdiction(s). In case of conflict, the most protective data protection law shall prevail.
20.2 Dispute Resolution: Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Principal Agreement. Data protection matters may be escalated to the Data Protection Authority if not resolved within 30 days.
21. Entire Agreement and Precedence
This DPA, together with Annexes A and B, constitutes the entire data protection agreement between the parties and supersedes any prior data protection arrangements.
Order of Precedence: In the event of conflict, the following order applies:
- This DPA (Data Processing Agreement)
- Applicable Data Protection Laws (GDPR, DPDPA 2023, etc.)
- Principal Agreement (Service Terms)
22. Contact Information
| Purpose | Contact |
|---|---|
| Data Protection Inquiries | privacy@edysor.ai |
| Legal and Compliance | security@edysor.ai |
| Data Protection Officer / Grievances | gunjan@edysor.ai |
| Subprocessor List | https://sicada.ai/security |
| Security and Trust Center | https://sicada.ai/security |
| Registered Address | Edysor Edutech Solutions Private Limited 8, Office No. 809818, City Center, Ashok Nagar Main Road, Shastri Circle Marg, Udaipur, Rajasthan, 313001, India |
Annexes
Annex A: Authorized Subprocessors List
Current list maintained at: https://sicada.ai/security
Annex B: Processing Schedule (Detailed Specifications)
To be completed and signed by both parties upon execution of this DPA.
Acknowledgment: By executing the Principal Agreement or accessing SICADA AI services, both parties agree to be bound by this Data Processing Agreement.