This DPA supplements the Fahmix AI Terms of Service and is incorporated by reference. Enterprise tenants counter-sign in /dashboard/compliance/dpa; SMB tenants are bound by clicking through this page during onboarding.
1. Scope
This DPA applies to any Personal Data that SayShan Technologies ("Processor") processes on behalf of the Customer ("Controller") in connection with the Fahmix AI platform.
2. Roles
Customer is the Controller (and/or Processor where Customer's end users are concerned). SayShan Technologies is the Processor (and where it engages further processors, a sub-processor). The approved sub-processor list is at /trust/subprocessors.
3. Categories of data
- End-customer identifiers (name, email, phone, IP-hash)
- Conversation content (text, voice transcripts)
- Consent + DSAR metadata
- Billing data (Stripe / SSLCommerz / bKash / Nagad)
4. Security measures (Annex II)
- Tenant isolation via Postgres Row-Level Security on every tenant-scoped table
- SHA-256 hash-chained append-only audit (EU AI Act Article 26)
- Five-stage guardrails on every external-input path
- Per-tenant rate limiting + identity step-up for risk-tiered actions
- Encryption-in-transit (TLS 1.2+) and at-rest (Supabase + vendor-default)
- SOC 2 Type I evidence collection in progress (Vanta + Dansa D'Arata Soucia)
5. International transfers (Annex IV)
Each tenant selects a homeRegion (us / eu / apac / bd) at provisioning. Production data is pinned to that region. Cross-region transfers happen only for:
- Stripe billing meter events (Stripe-managed transfer)
- Optional alternative LLM providers when Customer opts in (Anthropic, OpenAI)
- Aggregated, anonymized telemetry (Langfuse, PostHog) when Customer opts in
Where transfers exit the EEA, the EU Standard Contractual Clauses (Module 2 + Module 3 as applicable) apply, supplemented by the UK Addendum and Swiss Addendum.
6. Sub-processor notification
SayShan Technologies gives Customer 30 days' notice of any new sub-processor via the Trust Center subprocessors page and a dashboard notification. Customer may object in writing within 15 days; absent an objection, the change takes effect.
7. Data-subject rights (DSAR)
Customer's end users may file access / rectification / erasure / restriction / portability / objection requests via /portal/dsar?tenant=<API_KEY>. Processor fulfills within 30 days. Erasure preserves the audit chain per Article 17(3)(b/d).
8. Term & termination
On termination, Processor will, at Customer's choice, return or delete Personal Data within 30 days, excluding audit-chain entries retained for the compliance period.
9. Signatures
For Customer: signature recorded electronically in /dashboard/compliance/dpa. For Processor: Sayed S., CEO, SayShan Technologies — pre-signed via certificate hash.
This is a template. Counter-signed copies live in your tenant's secure vault. For questions email [email protected].