Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service between Customer and Perchy, Inc. when Perchy processes Personal Data on Customer's behalf. Customers can countersign this DPA at legal@perchy.ai; otherwise, by using the Services where Personal Data may be processed, the parties incorporate the DPA by reference.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms or in applicable Data Protection Law (e.g., GDPR, UK GDPR, CCPA/CPRA). "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", and "Process" have the meanings given in the GDPR.
2. Roles of the parties
Customer is the Controller of Personal Data submitted to the Services. Perchy is the Processor and processes Personal Data only on Customer's documented instructions, which include the Terms, this DPA, and Customer's use of the Services.
3. Scope of processing
Subject matter: provision of the Services described in the Terms.
Duration: for the term of the Terms plus retention periods in the Privacy Policy.
Nature and purpose: routing, lane reservation, fraud prevention, billing, and operational support.
Categories of data subjects: Customer's end users and Customer personnel.
Categories of personal data: identifiers (email, IP), professional data, request and response content submitted to models. Customer must not submit special-category data without a separate agreement.
4. Subprocessors
Customer authorizes Perchy to engage the Sub-processors listed at /legal/subprocessors. Perchy gives at least 30 days' notice of new Sub-processors via email and the published list. Customer may object on reasonable data-protection grounds during the notice period; if the parties cannot resolve the objection, Customer may terminate the affected Service for the unused portion of any fees paid in advance.
Perchy enters written agreements with each Sub-processor that impose obligations no less protective than this DPA. Perchy remains responsible for Sub-processor compliance.
5. International transfers
For transfers of Personal Data from the EEA, the UK, or Switzerland, the parties agree to the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, hereby incorporated by reference, with the following selections:
- Clause 7 (docking): applies.
- Clause 9: Option 2 (general written authorization), with notice period of 30 days.
- Clause 11: optional language not used.
- Clause 17: laws of Ireland.
- Clause 18: courts of Ireland.
- UK Addendum: Tables 1–3 are populated by reference to this DPA.
6. Security measures
Perchy maintains the technical and organizational measures described in our Security Overview, including:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256).
- Production access via SSO with hardware-backed MFA, segregated networks, and audit logging.
- Regular vulnerability scanning, penetration testing, and a published disclosure program.
- Documented incident response and business continuity plans.
- Personnel screening and confidentiality obligations for staff with production access.
7. Personal data breach
Perchy notifies Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting Customer Personal Data, with the information required by GDPR Article 33(3) to the extent then known. Perchy provides reasonable assistance with Customer's notification obligations.
8. Data subject rights
Perchy provides tooling that allows Customer to access, export, correct, or delete Customer Personal Data. To the extent Customer cannot satisfy a Data Subject request using the tooling, Perchy provides reasonable assistance, taking into account the nature of the processing.
9. Audits
Perchy makes available its most recent SOC 2 Type II report and ISO 27001 certificate (when available) under NDA. If Customer has additional reasonable audit needs, Customer may request supplemental information once per twelve months at Customer's expense, with reasonable advance notice and during business hours, and shall not unreasonably disrupt Perchy operations.
10. Deletion and return
On termination of the Services or written Customer request, Perchy deletes Customer Personal Data within 30 days, except where retention is required by law (in which case the data continues to be protected under this DPA until deletion).
11. Execution
This DPA can be countersigned by emailing a request to legal@perchy.ai. Otherwise, by accepting the Terms and processing Personal Data through the Services, the parties agree to be bound by this DPA.