Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("the Responsible Party") and Ordaily ("the Operator") for the provision of the Ordaily AI executive assistant service. It governs the processing of Personal Information as defined in the Protection of Personal Information Act, 2013 ("POPIA").

1. Roles

For the avoidance of doubt: the customer is the Responsible Party for the Personal Information of their contacts, correspondents, and employees processed through the Service. Ordaily is the Operator processing this Personal Information on the documented instructions of the customer.

2. Scope and purpose of processing

Ordaily will process Personal Information only for the purposes of:

• Providing the AI executive assistant features described in the customer's selected subscription tier
• Generating triage classifications, summaries, draft replies, and briefings on the customer's instruction
• Storing operational data necessary to deliver the Service (account info, OAuth tokens, processed summaries)
• Complying with legal obligations under South African law

3. Categories of personal information and data subjects

Categories of Personal Information processed: names, email addresses, phone numbers, calendar metadata, contact lists, AI-generated email and meeting summaries, optional health/wellness data (where WHOOP is connected), and WhatsApp messages (where the integration is enabled). Categories of data subjects: the customer's own user(s), the customer's correspondents, meeting attendees, and contact list members.

4. Operator obligations

Ordaily will:

• Process Personal Information only on the documented instructions of the Responsible Party
• Ensure that personnel authorised to process Personal Information are under a duty of confidentiality
• Implement appropriate technical and organisational security measures (encryption at rest and in transit, role-based access control, audit logging)
• Assist the Responsible Party in responding to data subject requests and regulatory enquiries
• Notify the Responsible Party of any security compromise without undue delay after becoming aware of it
• Delete or return all Personal Information at the end of the engagement, subject to legally-required retention

5. Sub-processors

Ordaily uses the following sub-processors to deliver the Service: Anthropic PBC (USA), ElevenLabs Inc (USA), Twilio Inc (USA, with alternates 360dialog and Meta Cloud API), Google LLC (USA), Microsoft Corporation (USA), PayFast (South Africa), Fly.io Inc (USA, Johannesburg region), WHOOP Inc (USA, optional), and the Ordaily Brain service which hosts each customer's per-tenant Second Brain. The Brain service receives only AI-generated structured summaries and Brain onboarding answers, and operates under a separate Data Processing Agreement with Ordaily with the same security commitments as this DPA. Ordaily will give the Responsible Party at least 30 days' notice of any intended changes to this list.

6. Cross-border transfers

Some sub-processors process Personal Information outside South Africa. Ordaily relies on each sub-processor's contractual commitments and certifications (SOC 2 Type II, ISO 27001, where applicable) as evidence of an adequate level of protection.

7. Audit rights

The Responsible Party may, on reasonable written notice and not more than once per twelve-month period, request information demonstrating Ordaily's compliance with this DPA. Ordaily will respond to such requests within 30 days.

8. Liability

Each party's liability under this DPA is governed by the limitations set out in the main Terms and Conditions of Service.

9. Term and termination

This DPA remains in effect for the duration of the customer's subscription. On termination, Ordaily will delete all Personal Information processed under this DPA within 90 days, subject to legally-required retention periods set out in the Privacy Policy.

10. Contact