Roles and Scope
1.1. This DPA applies to the extent that Aura processes Personal Data on behalf of the Client in the course of providing the Services under the Agreement.
1.2. For purposes of this DPA, the Client is the Data Controller and Aura is the Data Processor.
Nature and Purpose of Processing
2.1. Aura processes Personal Data to provide AI-powered communication services (voice, WhatsApp, etc.), scheduling automation, appointment management, marketing re-engagement, and CRM syncing.
Types of Data and Data Subjects
3.1. Data Subjects: End customers of the Client (e.g., salon clients).
3.2. Personal Data: Name, contact info (phone/email), booking history, preferences, responses to automated agents, and metadata.
Processor Obligations
Aura agrees to:
4.1. Process Personal Data only on documented instructions from the Client.
4.2. Ensure confidentiality of all staff handling Personal Data.
4.3. Implement appropriate technical and organizational measures (TOMs), including encryption, access controls, audit logs, and incident response plans.
4.4. Notify the Client without undue delay and in any case within 72 hours of becoming aware of a Personal Data Breach.
4.5. Assist the Client in fulfilling obligations regarding data subject rights, data protection impact assessments (DPIAs), and prior consultations.
Sub-Processors
5.1. Aura may engage Sub-Processors (e.g., Twilio, Meta, Retell AI) to support service delivery.
5.2. A current list of Sub-Processors is available upon request.
5.3. Aura shall impose data protection terms on all Sub-Processors equivalent to those in this DPA.
5.4. Aura shall notify the Client of any intended changes to Sub-Processors, allowing the Client to object on reasonable grounds.
International Data Transfers
6.1. Aura uses appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs), the UK Addendum, or other lawful mechanisms.
Data Retention and Deletion
7.1. Upon termination of the Agreement, Aura will delete or return all Personal Data upon written request from the Client.
7.2. If no request is received, data will be retained for up to 30 days post-termination to allow for account recovery, after which it will be securely deleted.
Audit Rights
8.1. The Client may audit Aura’s data processing compliance once annually upon 30 days' prior written notice, or more frequently if required by law or regulator.
Liability
9.1. Each party is liable for its own breaches of applicable data protection laws.
9.2. The Client is solely responsible for determining the lawfulness of the data it provides and for obtaining all necessary consents and notices.
Mergers, Acquisitions & Successors
10.1. In the event of a merger, acquisition, or sale of assets involving Aura, Personal Data may be transferred to the acquiring entity provided that such entity assumes obligations under this DPA or adopts data protection standards at least as protective.
Term and Termination
11.1. This DPA shall remain in effect for the duration of the Agreement and thereafter as long as Aura retains Personal Data on behalf of the Client.