Data Processing Agreement

Version 2026-07-10 · Last updated: July 10, 2026

This Data Processing Agreement ("DPA") supplements the Dally Terms of Service (the "Agreement") between you ("Customer") and Dally Platforms, Inc., a Delaware corporation ("Dally"). It is incorporated by reference into the Agreement and takes effect when you accept the Agreement — no signature is required (GDPR Article 28(9) permits contracts in electronic form). If you require a countersigned copy, email support@dally.ai.

This DPA applies where Dally processes Personal Data on your behalf that is subject to the GDPR, UK GDPR, or similar data protection laws — most notably the content of direct messages, comments, and audience engagement processed when you enable audience features. Terms not defined here have the meaning given in the Agreement.

1. Definitions

"Customer Account Data" means personal data about your relationship with Dally: your name, contact information, and billing details. "Customer Usage Data" means service usage data collected to operate, secure, and improve the Services (activity logs, telemetry, abuse-prevention signals). "Customer Content" means the content you or your End Users provide through the Services — including content and messages synced from your connected platforms — and the outputs Dally generates from it (transcripts, hooks, insights, and other derivatives, the "Atoms").

"End User" means an individual whose Personal Data Dally processes on your behalf — for Dally this includes your audience members: people who message, comment on, or engage with your connected accounts.

"Data Protection Laws" means applicable privacy laws, including the EU GDPR, the UK GDPR and Data Protection Act 2018, the Swiss FADP, and the CCPA as amended by the CPRA. "EU SCCs" means the standard contractual clauses approved in Commission Implementing Decision (EU) 2021/914 of 4 June 2021; "UK Addendum" means the ICO's International Data Transfer Addendum to the EU SCCs. The terms "controller," "processor," "Personal Data," "Personal Data Breach," and "processing" have their GDPR meanings.

2. Relationship of the Parties; Processing of Personal Data

With respect to Customer Content, you are the controller (or a processor for another controller) and Dally is your processor. This processor role does not cover the processing described in Section 8, where Dally acts as an independent controller. You are responsible for the accuracy, quality, and legality of the Personal Data you provide, the means by which you acquired it, and your instructions to Dally. You represent that you have provided any notices and obtained any consents your use of the Services requires with respect to your End Users.

Dally will process Customer Content only (i) to provide the Services described in the Agreement and Exhibit A, (ii) per this DPA and your other documented instructions — which include the features you enable and the settings you choose — and (iii) as required by law — in which case Dally will inform you of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Dally will immediately inform you if, in its opinion, an instruction infringes Data Protection Laws. You instruct Dally to process Customer Content through the subprocessors in Exhibit B, including AI subprocessors, to generate the Atoms and audience intelligence the Services provide. Dally does not use Customer Content to train general-purpose AI models.

On termination of the Agreement, or on your deletion request, Dally will — at your choice — return Customer Content to you via the Services' export functionality and/or delete it, deleting existing copies within 30 days, unless law requires retention (anything retained for that reason stays protected under this DPA and is isolated from further processing). Copies in encrypted backups and operational traces expire on their fixed rolling windows thereafter. Atoms that have been irreversibly anonymized so they cannot be re-associated with you or any End User may be retained as aggregate benchmarks; Dally will not attempt to re-identify them.

CCPA / CPRA.Except for Customer Account Data and Customer Usage Data, Dally is a "service provider" under the CCPA/CPRA. Dally does not sell or share Personal Data received under the Agreement, does not retain, use, or disclose it except to perform the Services or as the CCPA/CPRA permits, does not combine it with data from other sources except as permitted, does not use it outside its direct business relationship with you, provides the same level of privacy protection the CCPA/CPRA requires of businesses, and will notify you if it can no longer meet these obligations — in which case you may take reasonable and appropriate steps to stop and remediate unauthorized use. These commitments apply to the extent the CCPA applies to your business, and personal information carries its CCPA meaning there. Dally certifies that it understands these restrictions.

3. Authorized Subprocessors

You provide general written authorization for Dally to engage the subprocessors listed in Exhibit B, and additional subprocessors as needed to provide the Services. At least 15 days before a new subprocessor processes Customer Content, Dally will update Exhibit B and notify you by email to your account address (you may additionally subscribe to change notices by emailing subprocessors@dally.ai with the subject "Subscribe"). You may object in writing within 10 days of notice on reasonable data-protection grounds; if Dally cannot offer a commercially reasonable alternative, you may discontinue the affected feature and receive a pro-rated refund of any prepaid fees for it.

Dally enters written agreements with each subprocessor imposing in substance the same data protection obligations as this DPA, and remains liable to you for their performance.

4. Security of Personal Data

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Dally maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Exhibit C describes these measures.

5. International Transfers

Dally's processing operations are in the United States, and you acknowledge that transfer there is necessary to provide the Services. Transfers of Personal Data from the EEA are made under the EU SCCs, which are incorporated into this DPA by reference: Module Two (controller to processor) applies where you are a controller and Module Three (processor to subprocessor) where you are a processor; in Clause 9, Option 2 (general authorization) applies with the notice period in Section 3; in Clause 17, Irish law governs. Exhibits A and B supply the processing details for Annex I of the EU SCCs and Exhibit C for Annex II; a completed, executed SCC and UK Addendum package with your party details is available on request via support@dally.ai. Transfers from the UK are made under the UK Addendum, and from Switzerland with the FADP adaptations, each incorporated by reference.

If Dally is compelled by a law enforcement or government agency to disclose Customer Content, it will give you reasonable notice unless legally prohibited, and will not disclose Customer Content to such agencies voluntarily.

6. Rights of Data Subjects

If Dally receives a request from a Data Subject (for example, an audience member seeking access to or deletion of their data), Dally will notify you where legally permitted and advise the requester to contact you; you are responsible for responding, and Dally will act on your documented instructions — or directly where law requires it. Taking into account the nature of the processing, Dally will provide reasonable assistance — including through the Services' own deletion and export functionality — to help you meet your obligations to Data Subjects.

7. Assistance, Audits, and Breach Notification

Taking into account the nature of the processing and the information available to it, Dally will reasonably assist you with your obligations under GDPR Articles 32 to 36 — security of processing, breach notification, data protection impact assessments, and consultations with supervisory authorities — and maintains records sufficient to demonstrate compliance with this DPA.

On written request (no more than once per calendar year), Dally will make available information demonstrating compliance — third-party certifications and audit reports once obtained, or, where those are not sufficient under Data Protection Laws, will accommodate an audit or inspection by you or your mandated auditor during business hours, with reasonable notice, at your cost, scoped to your data — and additionally where a supervisory authority requires it or following a Personal Data Breach. Dally has not yet obtained SOC 2 or ISO 27001 certification; until it does, audits follow the request path above.

In the event of a Personal Data Breach affecting Customer Content, Dally will notify you without undue delay after becoming aware of it (target: within 72 hours) and provide reasonable cooperation for your notification obligations under GDPR Articles 33 and 34.

8. Dally's Role as an Independent Controller

For Customer Account Data, Customer Usage Data, and the processing of your own content and performance data for the purposes described in Section 3c of the Privacy Policy, Dally is an independent controller (not a joint controller): it processes that data to manage its relationship with you, operate and secure the Services, bill, comply with law, prevent fraud and abuse, and improve and develop its products, as described in the Privacy Policy. Dally may de-identify or anonymize Personal Data and retain aggregate, de-identified benchmarks as described in Section 2.

9. Changes; Order of Precedence

Dally will not change the substantive terms of this DPA by simply republishing this page: material changes will be notified to you (by email or in-product notice) with an opportunity to object before they apply to you. Subprocessor list changes follow the lighter notice path in Section 3.

In the event of conflict, the order of precedence is: (1) the applicable Standard Contractual Clauses, (2) this DPA, (3) the Agreement.

Exhibit A — Details of Processing

Nature and purpose. Dally processes Customer Content to provide its content intelligence service: syncing content, messages, and performance data from connected platforms; generating transcripts, insights, and other Atoms via AI subprocessors; computing aggregate benchmarks; presenting results to you; and, where you approve, publishing content to your connected platforms. Duration: the term of the Agreement plus the deletion window in Section 2.

Categories of Data Subjects. You and your authorized team members; your audience members — individuals who send direct messages to, comment on, or otherwise engage with your connected accounts; and individuals appearing in public content metadata.

Categories of Personal Data. Content and message data — captions, media, timestamps, permalinks, performance metrics, and, where you enable audience features, the content of direct messages and comments received by your connected accounts with the usernames of their senders; and derived Atoms (transcripts, hooks, insights). Customer Account Data and usage telemetry are processed under Section 8 (Dally as controller), not under this DPA's processor scope.

Special categories. None intentionally collected. Audience messages may incidentally contain sensitive data their senders chose to include; Dally applies the same protections to all message content, and you agree not to instruct processing designed to elicit special-category data.

Exhibit B — Authorized Subprocessors

Data exporter: Customer. Data importer: Dally Platforms, Inc. (Delaware, United States), as processor. Frequency: continuous, as you use the Services. The current subprocessor list:

CompanyPurposeLocation
Vercel Inc.Application hosting and edge computeUnited States, global edge
Supabase Inc.Managed Postgres, authentication, file storageUnited States (AWS us-east-1)
Cloudflare Inc.Object storage (R2), CDNUnited States, global edge
Inngest Inc.Durable processing queueUnited States
Modal Labs, Inc.GPU compute for transcription and CV inferenceUnited States
Anthropic PBCClaude AI modelsUnited States
OpenAI, L.L.C.Whisper transcription and GPT models (fallback)United States
Google LLCGemini API for visual understandingUnited States
Groq Inc.Whisper transcription (fallback)United States
OpenRouter, Inc.LLM API gateway (routing pinned to US inference providers)United States
Langfuse GmbHLLM observability and tracingUnited States (US cloud region)
PostHog Inc.Product analytics and session replayUnited States
Stripe, Inc.Billing and payment processingUnited States
Bright Data Ltd.Public profile data collectionGlobal
Apify Technologies s.r.o.Public profile data collection (alternate)Czech Republic / EU

Exhibit C — Technical and Organizational Security Measures

  • Tenant isolation: Customer data lives in a multi-tenant Postgres database with row-level security scoping every query to the owning creator, exercised by automated isolation tests that run recurringly.
  • Encryption: TLS 1.2+ for all data in transit, including traffic to AI subprocessors; encryption at rest for all stores. OAuth tokens live in the encrypted-at-rest database with access restricted to server-side service-role credentials.
  • Access control: Authentication via Supabase Auth; service-role credentials restricted to server-side code; administrative access limited to named accounts.
  • AI routing controls: LLM traffic is routed to US-based inference providers under no-training terms; model requests carry only the data the feature requires.
  • Availability and recovery: Automated daily database backups with point-in-time recovery; durable object storage; configuration as code under version control.
  • Logging: Runtime, database, and job-execution logs; LLM request tracing for debugging, retained on a limited window.
  • Minimisation and retention: Queries scoped to the platforms actually connected; deletion on account termination within 30 days; per-creator deletion path at /data-deletion.
  • Subprocessor TOMs: Each subprocessor maintains its own certified measures (SOC 2 / ISO 27001 where available); Dally reviews subprocessor security annually.

© 2026 Dally Platforms, Inc. All rights reserved.