Data Processing Agreement
Last updated: May 2026
Effective 11 May 2026. This Data Processing Agreement ("DPA") forms part of the Terms of Service between Perfect Design Enterprise (trading as Cyrus) ("Processor", "Cyrus", "we") and the customer ("Controller", "you") and governs the processing of personal data by Cyrus on your behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined under applicable data protection laws, including GDPR and Malaysia's PDPA.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. In the context of Cyrus, this includes end users who interact with your bots and business contacts whose information is uploaded to the platform.
- "Controller" means you, the customer, who determines the purposes and means of Processing Personal Data through your use of Cyrus.
- "Processor" means Perfect Design Enterprise (trading as Cyrus), which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means a third party engaged by Cyrus to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
2. Scope of Processing
2.1 Categories of Data Subjects
- End users who interact with your bots via web widget, WhatsApp, or Telegram
- Business contacts whose information is uploaded via knowledge base documents or catalog data
- Leads captured through the lead capture action plugin
- Individuals who make bookings through the booking system
2.2 Types of Personal Data Processed
- Conversation data — Message content (text, transcribed audio, image descriptions, extracted document text), timestamps, message IDs, delivery status
- Contact identifiers — Phone numbers (WhatsApp), Telegram user IDs, display names, email addresses (leads)
- User profiles — Name, role, company, location, budget, preferences, past interests, and open questions as extracted from conversations
- Lead information — Name, phone, email, company as captured by the lead capture plugin
- Booking information — Name, contact details, appointment date/time, service type
- Knowledge base content — Documents, URLs, and structured data uploaded by you that may contain Personal Data
- Media transcriptions and descriptions — Text derived from audio (via OpenAI Whisper), images (via GPT-4o vision), and documents (via text extraction)
2.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the Cyrus service as described in the Terms of Service, including:
- Generating AI-powered responses to end-user queries
- Building and maintaining conversation memory (rolling summaries and user profiles)
- Performing hybrid search retrieval (BM25 + vector) over knowledge base content
- Executing action plugins (lead capture, booking, escalation) as configured by you
- Displaying conversations and analytics in your dashboard
- Generating embeddings for search and analytics purposes
2.4 Duration of Processing
Processing continues for the duration of your service agreement with Cyrus, plus a retention period of 90 calendar days following termination or expiry of the agreement.
3. Processor Obligations
Cyrus shall:
- Process on instructions only — Process Personal Data only in accordance with your documented instructions, which are deemed to be the configuration choices you make in the Cyrus dashboard (bot settings, enabled actions, channel configuration). We will not process Personal Data for any other purpose unless required by applicable law, in which case we will inform you before processing unless prohibited from doing so.
- Ensure confidentiality — Ensure that all persons authorised to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Implement security measures — Implement and maintain appropriate technical and organisational measures as described in Section 4 of this DPA.
- Assist with data subject requests — Assist you in fulfilling your obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection, using the tools available in the dashboard and API.
- Notify of breaches — Notify you of any confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach, as detailed in Section 8.
- Support compliance assessments — Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.
- Delete data on termination — Upon termination of the service agreement and expiry of the 90-day retention period, delete all Personal Data processed on your behalf unless retention is required by applicable law. Deletion includes database records, Redis session data, and any cached embeddings.
4. Security Measures
Cyrus implements the following technical and organisational measures to protect Personal Data:
4.1 Encryption
- In transit — All data transmitted between clients and Cyrus services is encrypted using TLS 1.2 or higher. Caddy reverse proxy provides automatic TLS certificate management.
- Credentials at rest — Channel credentials (WhatsApp tokens, Telegram bot tokens) are encrypted using Fernet symmetric encryption before storage.
- Password hashing — User passwords are hashed using bcrypt with appropriate work factors.
4.2 Access Control
- Row-level tenant isolation — Every database query is filtered by tenant_id, ensuring strict data separation between customers. No customer can access another customer's data.
- API key domain restrictions — Widget API keys enforce domain allow-lists, preventing unauthorised embedding and access from unregistered origins.
- Internal API authentication — Administrative API endpoints are protected by bearer token authentication (API_INTERNAL_TOKEN).
4.3 Integrity and Verification
- Webhook verification — WhatsApp webhooks are verified using HMAC-SHA256 signature validation. Telegram webhooks use constant-time secret token comparison.
- Rate limiting — Redis sliding-window rate limiting is applied per plan (RPM/RPS limits), per tenant (monthly quotas), and per IP address (120 requests/minute on widget endpoints).
- Duplicate message debounce — 5-second Redis-based deduplication prevents processing of duplicate messages.
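As an added illustration (not part of this DPA and not Cyrus's own code), the two webhook checks named above: HMAC-SHA256 signature validation over the raw request body for WhatsApp, and constant-time secret token comparison for Telegram. The header names, secret values and payload below are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Assumed header names (as used by the Meta and Telegram webhook APIs at the
# time of writing); treat them as assumptions, not facts taken from the DPA.
WHATSAPP_SIG_HEADER = "X-Hub-Signature-256"
TELEGRAM_TOKEN_HEADER = "X-Telegram-Bot-Api-Secret-Token"


def verify_whatsapp_signature(app_secret: str, raw_body: bytes,
                              header_value: Optional[str]) -> bool:
    """HMAC-SHA256 over the *raw* request bytes, compared in constant time.

    The MAC must be computed over the bytes exactly as received; parsing the
    JSON and re-serialising it would change whitespace and break validation.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def verify_telegram_token(configured_token: str,
                          header_value: Optional[str]) -> bool:
    """Constant-time comparison of the shared secret token header."""
    if header_value is None:
        return False
    return hmac.compare_digest(configured_token.encode(), header_value.encode())


def sign_for_test(app_secret: str, raw_body: bytes) -> str:
    """Builds the header value a legitimate sender would attach (test helper)."""
    return "sha256=" + hmac.new(app_secret.encode(), raw_body,
                                hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; a real deployment reads secrets from config.
    secret = "constructed-app-secret"
    body = b'{"object":"whatsapp_business_account","entry":[]}'
    good = sign_for_test(secret, body)
    print("valid:", verify_whatsapp_signature(secret, body, good))
    print("tampered:", verify_whatsapp_signature(secret, body + b" ", good))
    print("telegram:", verify_telegram_token("constructed-token", "constructed-token"))
```

Rejected requests should be logged with the source address and header presence (not the secret) so that repeated signature failures are visible to detection tooling.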
4.4 Infrastructure
- All services are hosted on Hetzner Cloud infrastructure in Falkenstein, Germany (EU).
- Database backups are performed regularly using automated scripts.
- All application services are stateless; persistent state resides only in PostgreSQL, Redis, and the uploads volume.
5. Sub-Processors
5.1 Authorised Sub-Processors
You authorise Cyrus to engage the following Sub-Processors for the purposes described:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting (servers, storage, network) |
| OpenAI, Inc. | United States | Text embeddings, chat completions, audio transcription (Whisper), image analysis (GPT-4o vision) |
| Anthropic, PBC | United States | Chat completions (Claude models, when configured) |
| Google LLC | United States | Chat completions (Gemini models, when configured or used as fallback) |
| xAI Corp. | United States | Chat completions (Grok models, default provider) |
| Meta Platforms, Inc. | United States | WhatsApp Business Cloud API message delivery (when WhatsApp channel is enabled) |
| Telegram FZ-LLC | United Arab Emirates | Telegram Bot API message delivery (when Telegram channel is enabled) |
| Cloudflare, Inc. | Global (edge network) | CDN, DNS, and DDoS protection for marketing site |
5.2 New Sub-Processors
Cyrus will notify you at least 14 days before engaging a new Sub-Processor by updating the Sub-Processor list on this page and, where possible, by email notification. You may object to a new Sub-Processor by contacting [email protected] within 14 days of notification. If you object and we cannot reasonably accommodate your objection, either party may terminate the affected portion of the service.
5.3 Sub-Processor Obligations
Cyrus ensures that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
6. International Data Transfers
While Cyrus infrastructure is hosted in Germany (EU), Personal Data may be transferred to Sub-Processors located in the United States and other jurisdictions as listed in Section 5.1.
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not received an adequacy decision, Cyrus relies on:
- Standard Contractual Clauses (SCCs) — As adopted by the European Commission, incorporated into our agreements with relevant Sub-Processors.
- Sub-Processor certifications — Where applicable, Sub-Processors maintain their own transfer mechanisms (e.g., EU-US Data Privacy Framework certifications).
You may request copies of the relevant transfer safeguards by contacting [email protected].
7. Data Subject Rights
Cyrus provides the following tools to help you fulfil Data Subject requests:
- Access — View all conversations, user profiles, leads, and bookings in the Cyrus dashboard. Export data via API.
- Rectification — Edit conversation records, user profiles, and lead information through the dashboard.
- Erasure — Delete individual conversations, leads, or entire bot data through the dashboard. Full account deletion removes all associated data within 90 days.
- Portability — Export conversation data, knowledge base content, and lead information in JSON format via the API.
- Restriction — Disable specific bots or channels to stop further processing while retaining existing data.
Important limitation: Personal Data that has been sent to LLM providers (OpenAI, Anthropic, Google, xAI) for processing cannot be retroactively deleted by Cyrus from those providers' systems. LLM providers process data according to their own retention policies. As of the effective date of this DPA, the LLM providers we use do not retain API inputs/outputs for model training purposes.
8. Breach Notification
In the event of a confirmed Data Breach affecting Personal Data processed on your behalf, Cyrus will:
- Notify you within 72 hours of confirming the breach, via email to the address registered on your account.
- Provide the following information (to the extent known at the time of notification):
  - Nature and scope of the breach
  - Categories and approximate number of Data Subjects affected
  - Categories and approximate volume of Personal Data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Provide updated information as the investigation progresses.
- Cooperate with you in notifying supervisory authorities and affected Data Subjects where required by applicable law.
9. Audit Rights
- You may request an annual security audit of Cyrus's data processing practices and security measures, subject to reasonable advance notice (minimum 30 days) and execution of a mutual non-disclosure agreement.
- Audits will be conducted during normal business hours and in a manner that does not unreasonably disrupt Cyrus's operations.
- Where Cyrus has obtained relevant third-party certifications or audit reports, these may be provided in lieu of a direct audit, subject to your reasonable acceptance.
- Costs of the audit are borne by you, except where the audit reveals material non-compliance by Cyrus, in which case Cyrus bears the cost.
10. Term and Termination
- This DPA takes effect on the date you accept the Cyrus Terms of Service and remains in effect for the duration of your service agreement.
- Obligations related to data protection survive for 90 days following termination of the service agreement, during which time Cyrus will complete deletion of Personal Data unless retention is required by applicable law.
- Sections 4 (Security Measures), 8 (Breach Notification), and 9 (Audit Rights) survive termination of this DPA to the extent necessary to fulfil their purposes.
11. Liability
- Cyrus's aggregate liability under this DPA is capped at the total amounts paid by you to Cyrus in the 12 months preceding the event giving rise to liability.
- The liability cap in this section does not apply to: (a) liability arising from unauthorised disclosure of Personal Data caused by Cyrus's wilful misconduct or gross negligence, or (b) liability arising from Cyrus's failure to follow your lawful processing instructions.
- Neither party excludes or limits liability for death, personal injury, or fraud.
12. Governing Law
This DPA is governed by the laws of Malaysia. For processing subject to GDPR, the relevant provisions of GDPR apply as mandatory law regardless of governing law.
13. Contact
For questions about this DPA or to exercise your rights:
Perfect Design Enterprise (trading as Cyrus)
Email: [email protected]
Security: [email protected]
Website: meetcyrus.ai