Last updated on 24 January 2026
This Data Processing Agreement (“Agreement”) forms part of the agreement between eyre.ai (“Processor”) and the customer entity identified in the applicable order form or agreement (“Controller”). This Agreement applies to the Processing of Personal Data in connection with the provision of the eyre.ai European sovereign meeting platform (“Services”).
This Agreement is intended to meet the requirements of Article 28 of Regulation (EU) 2016/679 (GDPR), the UK GDPR, and incorporates the EU Standard Contractual Clauses where applicable.
1. Definitions
“Applicable Data Protection Law” means GDPR, UK GDPR, and any applicable national implementing laws, as amended from time to time.
“Personal Data” means any information relating to an identified or identifiable natural person processed under this Agreement.
“Processing” has the meaning given in Applicable Data Protection Law.
“Sub-processor” means any third party engaged by Processor to Process Personal Data.
2. Roles of the Parties
The Parties acknowledge that:
- The Controller acts as the data controller.
- eyre.ai acts as the data processor.
The Processor shall Process Personal Data solely on documented instructions from the Controller, unless required to do so by Applicable Law.
3. Scope and Purpose of Processing
The Processor shall Process Personal Data solely for the purpose of providing secure, sovereign meeting services, including meeting hosting, access control, collaboration features, security monitoring, and support.
Processing activities may include collection, storage, access, transmission, and deletion of Personal Data as necessary to deliver the Services.
4. Categories of Data and Data Subjects
4.1 Data Subjects
- Employees, contractors, and representatives of the Controller
- Meeting participants and invited users
4.2 Categories of Personal Data
- Identification data (name, email address, user ID)
- Authentication and security data
- Meeting metadata (timestamps, participant lists)
- Optional meeting content where enabled by the Controller
Special categories of Personal Data are not intentionally Processed unless explicitly enabled by the Controller.
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that personnel authorised to Process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
- Assist the Controller in responding to data subject requests
- Assist the Controller with data protection impact assessments and prior consultations where required
- Notify the Controller without undue delay of any Personal Data breach
6. Security Measures
The Processor implements security measures aligned with industry standards, including:
- European data residency and hosting
- Encryption in transit and at rest
- Role-based access controls
- Audit logging and monitoring
- Incident response procedures
A summary of technical and organisational measures may be provided upon request.
7. Sub-Processing
The Controller authorises the Processor to engage Sub-processors as necessary to provide the Services.
The Processor shall:
- Impose data protection obligations on Sub-processors equivalent to those set out in this Agreement
- Remain fully liable for the performance of Sub-processors
- Maintain an up-to-date list of Sub-processors available to the Controller
8. International Data Transfers
8.1 EU and UK Data
Personal Data is primarily Processed and stored within the European Economic Area.
Where Personal Data is transferred outside the EEA or the UK, such transfers shall be governed by:
- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor)
- The UK International Data Transfer Addendum, where applicable
8.2 Supplementary Measures
The Processor implements supplementary technical and organisational measures to ensure an essentially equivalent level of protection, including encryption, access restrictions, and transfer minimisation.
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling obligations to respond to requests for access, rectification, erasure, restriction, portability, and objection.
The Processor shall not respond directly to data subject requests unless authorised by the Controller.
10. Data Retention and Deletion
Upon termination of the Services, the Processor shall, at the Controller’s choice:
- Delete all Personal Data; or
- Return Personal Data to the Controller and delete remaining copies
Deletion shall occur within a reasonable timeframe unless retention is required by Applicable Law.
11. Audits and Compliance
The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement.
The Controller may conduct audits subject to reasonable notice, confidentiality, and security requirements.
12. Liability
Liability under this Agreement shall be subject to the limitations set out in the main agreement between the Parties, except where prohibited by Applicable Data Protection Law.
13. Governing Law
This Agreement shall be governed by the laws of an EU Member State designated in the main agreement between the Parties.
14. Standard Contractual Clauses
The EU Standard Contractual Clauses (Module Two – Controller to Processor) are incorporated by reference and apply where Personal Data is transferred outside the EEA.
In the event of conflict, the Standard Contractual Clauses shall prevail with respect to international data transfers.
15. Order of Precedence
In the event of conflict between this Agreement and the main agreement, this Agreement shall prevail with respect to data protection matters.
Executed as of the effective date of the main agreement.