Data Processing Agreement
Last Updated: February 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Chrysolite AI, Inc. ("Chrysolite AI", "we", "us", or "our") and governs the processing of personal data by Chrysolite AI on behalf of the Customer.
Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Chrysolite AI as part of providing the Services.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Controller" refers to the Customer, who determines the purposes and means of processing Personal Data.
"Data Processor" refers to Chrysolite AI, who processes Personal Data on behalf of the Customer.
Data Processing
1. Scope and Purpose
Chrysolite AI will process Personal Data only for the purpose of providing the ERP services as outlined in the Terms of Service and as instructed by the Customer.
2. Duration
Processing will continue for the duration of the service agreement and for a retention period as required by law or as specified in the Terms of Service.
3. Categories of Data
Personal Data processed may include:
- Employee information (names, contact details, payroll data)
- Customer information (names, addresses, transaction history)
- Vendor information (business details, payment information)
- User authentication and access data
Data Security
Chrysolite AI implements appropriate technical and organizational measures to protect Personal Data, including:
- Bank-level encryption for data at rest and in transit
- Regular security audits and penetration testing
- Access controls and authentication mechanisms
- Employee training on data protection
- Incident response and breach notification procedures
Sub-Processors
Chrysolite AI may engage third-party sub-processors to assist in providing the Services. We maintain a list of authorized sub-processors and will notify customers of any changes.
All sub-processors are bound by data protection obligations equivalent to those in this DPA.
Data Subject Rights
Chrysolite AI will assist the Customer in responding to data subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of data ("right to be forgotten")
- Data portability
- Restriction of processing
Data Breach Notification
In the event of a security breach affecting Personal Data, Chrysolite AI will notify the Customer without undue delay and within 72 hours of becoming aware of the breach. We will provide reasonable assistance in investigating and mitigating the breach.
Data Retention and Deletion
Upon termination of services, Chrysolite AI will delete or return all Personal Data to the Customer, unless retention is required by law. Customers can request data deletion at any time through their account settings or by contacting support.
International Data Transfers
Personal Data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by regulatory authorities.
Audit Rights
Upon reasonable notice, the Customer may audit Chrysolite AI's compliance with this DPA, subject to confidentiality obligations. We provide annual SOC 2 reports as evidence of our security controls.
Contact Us
For questions about this DPA or data processing practices: