Data Processing Agreement

Unless otherwise defined here, capitalised terms have the meanings given in UK GDPR (including “Personal Data”, “Data Subject”, “Controller”, “Processor”, “Processing”, “Sub-processor”).

• Customer Personal Data: personal data within transcripts, AI-generated minutes, action items, account profiles, billing contacts, Microsoft Graph access tokens, and operational logs that summri processes on the Customer's behalf.
• Standard Contractual Clauses (“SCCs”): the EU SCCs approved by Commission Implementing Decision (EU) 2021/914, and the UK Addendum / International Data Transfer Addendum (“UK IDTA”).
• Data Privacy Framework: the EU-US Data Privacy Framework, the UK Extension thereto, and the Swiss-US Data Privacy Framework.

• The Customer is the Controller of Customer Personal Data submitted to summri.
• summri is the Processor of that data, processing it only on the Customer's documented instructions as set out in this DPA, the Terms, the Privacy Policy, and the configurable settings the Customer elects within the service.
• For limited categories of data — primarily summri's account and billing records — summri acts as Controller in its own right; this is described in the Privacy Policy.

• Subject matter: the provision of the summri service.
• Duration: for the term of the Customer's active subscription, plus the retention windows described in the Privacy Policy and Section 12 below.
• Nature and purpose: processing meeting transcripts (uploaded directly or fetched from Microsoft Teams on the Customer's authorisation) to generate structured minutes, action items, and decisions; storing and serving that output to authorised users.
• Categories of personal data: name, email, hashed password, billing contact, Stripe customer ID, meeting transcripts and minutes (which may include further personal data of meeting participants), action items, decisions, glossary terms, Microsoft Graph access and refresh tokens (encrypted), session metadata.
• Categories of data subjects: the Customer's account holders, the Customer's invited team members, and meeting participants whose voice or text appears in transcripts processed via the service.

summri processes Customer Personal Data only on the Customer's documented instructions, which are: (a) this DPA; (b) the Terms; (c) the Privacy Policy; and (d) the features the Customer chooses to use within the service. Where summri reasonably believes a Customer instruction infringes UK GDPR or other applicable law, it will inform the Customer without undue delay.

summri ensures that any personnel with access to Customer Personal Data are subject to a duty of confidentiality (whether by employment contract, contractor agreement, or equivalent). Access is restricted to those who need it to provide the service.

The Customer authorises summri to engage the following Sub-processors. Each is bound by contractual obligations no less protective than those in this DPA:

• Anthropic, PBC (USA) — AI minutes generation via the Claude API. Data Privacy Framework + SCCs in place. Anthropic does not train on API content by default.
• Stripe Payments Europe Ltd (Ireland) — card payments and billing. UK/EU data residency.
• Microsoft Corporation (USA / EU data residency where chosen) — outbound transactional email and Microsoft Graph data fetch (Teams transcripts, calendar events).
• Self-hosted UK infrastructure operated by Saasyn — primary application server and PostgreSQL database, located in the United Kingdom.

summri will notify Customer admins at least 14 calendar days before adding or replacing a Sub-processor that processes Customer Personal Data. The Customer may object to the change in writing within that period. If summri and the Customer cannot resolve the objection within a further 14 days, the Customer may terminate the affected parts of the Agreement and receive a pro-rata refund of any prepaid fees.

summri implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (UK GDPR Article 32). These include:

• TLS 1.2+ for all data in transit.
• AES-256-GCM encryption at rest for meeting transcripts, AI-generated minutes, and Microsoft Graph access/refresh tokens.
• scrypt one-way hashing (N=16384, 32-byte salt) for user passwords.
• Restricted database network access — application server only; no public ingress to the database.
• Operating-system patching weekly; critical security patches applied within 24 hours of release.
• Audit logging of sensitive administrative actions, retained for 12 months.
• Sub-processors selected on the basis of their published security posture (SOC2, ISO27001 where available).

A current description of measures is in the Privacy Policy, Section “Security”.

summri assists the Customer, by appropriate technical and organisational measures and to the extent reasonably possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection).

The Customer is responsible for handling rights requests addressed to it. If a data subject contacts summri directly, summri will, where practicable, redirect them to the Customer.

summri notifies the Customer without undue delay, and in any event within 72 hours of confirmation, of any Personal Data Breach affecting Customer Personal Data. The notification will include, where available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, measures taken or proposed, and a contact point for further information.

Where Customer Personal Data is transferred to a Sub-processor in a country outside the UK or EEA (currently: Anthropic in the USA, Microsoft to the extent of US-region processing), summri relies on one or more of: the EU-US Data Privacy Framework and the UK Extension thereto; the EU SCCs supplemented by the UK IDTA; or other transfer mechanisms permitted by UK GDPR.

The Customer may, no more than once per twelve-month period, request reasonable evidence of summri's compliance with this DPA in the form of (i) a description of summri's security measures, (ii) the most recent reports from any Sub-processors' third-party audits where available to summri, and (iii) responses to a reasonable security questionnaire.

Enterprise customers may, in addition, request an on-site or remote audit subject to (a) mutually agreed scope and timing, (b) the auditor signing summri's standard NDA, (c) the audit not unreasonably interfering with summri's operations, and (d) the Customer bearing reasonable costs.

On termination or expiry of the Agreement, summri deletes Customer Personal Data within 30 calendar days, except where retention is required by law or for the establishment, exercise, or defence of legal claims. Database backups containing the data roll off within a further 30 days.

The Customer may export its data at any time via the in-app data export request (email privacy@saasyn.com) or the self-serve account deletion flow under Settings → Delete my account.

The liability provisions in summri's Terms of Service apply to the parties' obligations under this DPA, except that nothing in this DPA limits liability for any matter that cannot be lawfully limited under UK GDPR or applicable law.

To the extent of any conflict between this DPA and the Terms of Service, this DPA prevails on matters concerning the processing of Customer Personal Data.

This DPA takes effect on the Customer's acceptance of the Terms of Service and remains in force for the duration of the Agreement and any period during which summri continues to hold Customer Personal Data.

summri may update this DPA where required by law, by changes to Sub-processors, or to reflect changes to the service. Material changes will be communicated to Customer admins at least 14 days before they take effect. The version date is shown at the top of this page.

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.

For data-protection matters: privacy@saasyn.com.

Acceptance of the Terms of Service constitutes acceptance of this DPA on behalf of the Customer entity. For Enterprise customers requiring a counter-signed PDF version, please email privacy@saasyn.com with the legal name of your entity, the jurisdiction of incorporation, and your authorised signatory's name and title.