Data Processing Agreement (DPA)

This agreement governs how MYGIA processes personal data on behalf of its clients as a data processor under applicable US law.

Entity: MYGIA LLC · Governing Law: United States (FTC Act, CCPA) · Last updated: March 24, 2026

This document is available in English and Spanish. The English version is the legally binding version. The Spanish translation is provided for convenience only.

1. Definitions

For purposes of this Data Processing Agreement, the following terms have the meanings set forth below:

"Controller"
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the MYGIA client who engages MYGIA to process data on its behalf.
"Processor"
A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is MYGIA LLC.
"Sub-processor"
Any third party engaged by MYGIA to carry out processing activities with respect to Personal Data on behalf of the Controller. A list of authorized Sub-processors is provided in Section 6.
"Personal Data"
Any information relating to an identified or identifiable natural person ("Data Subject"), including names, email addresses, phone numbers, IP addresses, device identifiers, behavioral data, and similar information.
"Processing"
Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, erasure, or destruction.
"Services"
The AI automation services, conversational agents, workflow automation, marketing automation, and related services provided by MYGIA to the Controller under a main service agreement.
"Security Incident"
Any confirmed unauthorized access, disclosure, alteration, or destruction of Personal Data that compromises its confidentiality, integrity, or availability.

2. Scope of Processing

This DPA applies to all processing of Personal Data carried out by MYGIA in its capacity as a Processor on behalf of the Controller in connection with the Services. Processing occurs for the following documented purposes:

  • Operation of AI conversational agents and chatbots on behalf of the Controller.
  • Automated workflow execution including CRM updates, notification delivery, and data enrichment.
  • Marketing automation, including email, WhatsApp, and SMS campaign delivery.
  • Analytics, reporting, and performance optimization of the above services.
  • Any additional processing activities expressly authorized in writing by the Controller.

MYGIA will not process Personal Data for any purpose other than those listed above or as expressly instructed in writing by the Controller. Processing for MYGIA's own commercial purposes, including training proprietary AI models, is strictly prohibited without explicit written consent.

3. Types of Personal Data Processed

Depending on the Services configured, MYGIA may process the following categories of Personal Data on behalf of the Controller:

Identity & Contact

Full name, email address, phone number, WhatsApp number, country, city, physical address.

Behavioral & Interaction

Chat messages, conversation transcripts, page views, click events, funnel stage, purchase intent signals.

Technical & Device

IP address, browser type, operating system, device identifiers, session tokens, timezone.

Commercial & CRM

Purchase history, subscription status, plan type, payment status (non-financial), lead stage, tags.

MYGIA does not intentionally collect special category data (health, financial, racial/ethnic origin, biometric, or data concerning minors under 13) unless expressly required and agreed upon in writing. If special category data is inadvertently received, MYGIA will notify the Controller within 5 business days.

4. Duration of Processing

This DPA is effective from the date the Controller first accesses the Services and remains in force for the duration of the main service agreement between MYGIA and the Controller.

Processing of Personal Data will cease upon termination or expiration of the main service agreement, subject to any retention obligations set forth in Section 9 (Data Return & Deletion). Retention periods by data category:

  • Active service data: Retained for the duration of the service agreement plus 30 days for orderly offboarding.
  • Conversation logs: Retained for up to 12 months unless the Controller requests earlier deletion.
  • Aggregate analytics: De-identified reports may be retained indefinitely as they no longer constitute Personal Data.
  • Legal holds: Data subject to litigation, regulatory inquiry, or tax obligation is retained for the legally required period.

5. Obligations of MYGIA as Processor

MYGIA undertakes the following obligations when processing Personal Data on behalf of the Controller:

5.1 Instructions Only

Process Personal Data solely on the documented instructions of the Controller, including for international transfers, unless required otherwise by applicable US federal or state law.

5.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality, and that such commitment survives termination of employment or engagement.

5.3 Security Measures

Implement and maintain appropriate technical and organizational security measures, including: AES-256 encryption at rest, TLS 1.2+ in transit, access controls on a need-to-know basis, multi-factor authentication for system access, regular vulnerability assessments, and audit logging of data access events.

5.4 Data Minimization

Collect, process, and retain only the minimum Personal Data necessary to deliver the Services. Pseudonymize data where practical and where doing so does not impair service functionality.

5.5 Regulatory Cooperation

Cooperate with the Controller in responding to requests from Data Subjects exercising their rights under the California Consumer Privacy Act (CCPA / CPRA) and other applicable US privacy laws, including deletion, access, correction, portability, and opt-out of sale requests.

5.6 No Sale of Personal Data

MYGIA will not sell, share for cross-context behavioral advertising, or otherwise commercially exploit Personal Data processed under this DPA for MYGIA's independent business purposes.

5.7 Notification of Unlawful Instructions

Immediately inform the Controller if, in MYGIA's opinion, any instruction given by the Controller infringes applicable US federal or state privacy law.

6. Authorized Sub-processors

The Controller hereby grants MYGIA general authorization to engage the following Sub-processors for the purposes stated. MYGIA will provide at least 10 days' notice before engaging any new Sub-processor, during which time the Controller may reasonably object.

Sub-processor | Country | Purpose | Privacy Policy
OpenAI | United States | Large language model inference for AI agents and chatbots. | openai.com/privacy
Anthropic | United States | Large language model inference (Claude) for AI automation and analysis. | anthropic.com/privacy
Google LLC | United States | Cloud infrastructure (GCP), email delivery, calendar integrations, analytics. | policies.google.com/privacy
Meta Platforms, Inc. | United States | WhatsApp Business API and Instagram messaging for conversational automation. | facebook.com/privacy/policy
Amazon Web Services (AWS) | United States | Cloud hosting, storage, database, and content delivery infrastructure. | aws.amazon.com/privacy

MYGIA enters into data processing agreements or standard contractual clauses with each Sub-processor equivalent to the protections in this DPA. Copies are available upon request at [email protected].

7. Data Subject Rights Assistance

MYGIA will assist the Controller in fulfilling its obligations to respond to Data Subject requests. The following rights are recognized under the CCPA/CPRA and other applicable US privacy statutes:

Right to Know
Access what Personal Data is collected, used, disclosed, or sold.
Right to Delete
Request deletion of Personal Data subject to legal exemptions (see data-deletion.html).
Right to Correct
Request correction of inaccurate Personal Data.
Right to Opt-Out
Opt out of the sale or sharing of Personal Data for cross-context behavioral advertising.
Right to Portability
Receive Personal Data in a portable, machine-readable format.
Right to Non-Discrimination
Not to be discriminated against for exercising any privacy rights.

When the Controller receives a Data Subject request, MYGIA will provide all reasonably necessary assistance within 5 business days. Requests may be coordinated at [email protected].

8. Security Breach Notification

MYGIA will notify the Controller of any confirmed Security Incident affecting Personal Data within 72 hours of becoming aware of it, in accordance with FTC guidance and applicable state breach notification laws.

The breach notification will include, to the extent available at the time of notification:

  • A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected.
  • The name and contact details of MYGIA's data protection point of contact.
  • The likely consequences of the Security Incident and the measures taken or proposed to address the incident.
  • Steps taken to contain, mitigate, and remediate the incident, and a timeline for completion.

MYGIA will provide timely follow-up communications as more information becomes available. Notification will be sent to the Controller's designated security contact via email.

9. Data Return & Deletion on Termination

Upon termination or expiration of the main service agreement, or upon written request by the Controller, MYGIA will:

  • Return all Personal Data to the Controller in a machine-readable format (JSON or CSV) within 30 days of the termination date.
  • Permanently delete all copies of Personal Data from MYGIA's systems and those of its Sub-processors within 60 days of termination, unless legally required to retain.
  • Provide written certification of deletion within 90 days of the termination date upon the Controller's request.

Exceptions: MYGIA may retain Personal Data beyond these periods where required by applicable law (e.g., tax records for 7 years under IRS regulations, litigation holds, or regulatory orders). MYGIA will notify the Controller of any such mandatory retention and limit processing to the extent required by law.

10. Audits & Inspections

MYGIA will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

Audit process and conditions:

  • The Controller must provide at least 30 days' written notice before conducting an on-site audit.
  • Audits are limited to once per 12-month period unless there is a reasonable belief of a material breach.
  • Audits must be conducted during normal business hours, with minimal disruption to MYGIA operations, and the auditor must be bound by confidentiality obligations.
  • The Controller bears all costs of audits unless an audit reveals a material non-compliance, in which case MYGIA bears reasonable audit costs.
  • MYGIA may satisfy audit requirements by providing third-party security certifications (e.g., SOC 2 Type II reports) in lieu of on-site inspection.

11. International Data Transfers

MYGIA is a US-based company (Florida LLC). All core processing infrastructure is located in the United States. Some Sub-processors may process data in other jurisdictions as part of global cloud infrastructure.

For transfers of Personal Data outside the United States involving Data Subjects from jurisdictions with privacy protections (e.g., EU/EEA residents under GDPR), MYGIA relies on the following transfer mechanisms:

  • Adequacy decisions recognized by the relevant authority for transfers to countries with adequate protection.
  • Standard Contractual Clauses (SCCs) issued by competent authorities, incorporated by reference into Sub-processor agreements.
  • The Data Privacy Framework (DPF) where Sub-processors are certified participants.

MYGIA's Services are designed for and marketed primarily in the United States. Clients with Data Subjects in other jurisdictions are responsible for ensuring they have a lawful basis for transferring such data to MYGIA for processing.

12. Liability

Each party's liability under this DPA is subject to the limitations, exclusions, and caps set forth in the main service agreement between the parties. Notwithstanding the foregoing:

  • Each party is individually responsible for ensuring its own compliance with applicable privacy laws when acting as a Controller.
  • MYGIA is liable for damages caused by processing only where it has not complied with obligations of this DPA specifically directed to Processors, or where it has acted outside or contrary to the lawful instructions of the Controller.
  • MYGIA is not liable for processing performed by Sub-processors that exceeds the scope authorized in this DPA, provided MYGIA took reasonable steps to impose equivalent obligations on such Sub-processors.
  • This DPA is governed by the laws of the State of Florida, United States, without regard to conflict of law principles. Disputes will be resolved in courts of competent jurisdiction in Broward County, Florida.

Amendments: MYGIA reserves the right to update this DPA to reflect changes in applicable law, Sub-processor relationships, or service configuration. Material changes will be communicated via email to the Controller's designated legal contact with at least 30 days' notice. Continued use of the Services constitutes acceptance of the updated DPA.

Questions about this DPA?

Contact our data privacy team for questions, audit requests, or Sub-processor updates.