Data Processing Agreement

Last updated July 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between your organization (the "Customer", acting as data controller) and Bylio (acting as data processor). It applies where Bylio processes personal data on the Customer's behalf under the General Data Protection Regulation (GDPR) and applicable EEA and Norwegian data protection law. If you need a countersigned copy for your records, email hello@bylio.io.

1. Scope of processing

  • Subject matter: providing the Bylio service to the Customer.
  • Duration: for as long as the Customer uses the service, plus the retention periods in the Privacy Policy.
  • Nature and purpose: hosting, generating, storing, and transmitting interview and draft content so the Customer can create and approve it.
  • Types of personal data: names and email addresses of the Customer's team and experts, and any personal data the Customer includes in interviews or drafts.
  • Categories of data subjects: the Customer's team members and the experts it chooses to interview.

2. Bylio's obligations

As processor, Bylio will:

  • process personal data only on the Customer's documented instructions, including the instructions given by using the service, unless required by law to do otherwise;
  • ensure people authorized to process the data are bound by confidentiality;
  • put in place appropriate technical and organizational security measures under Article 32 of the GDPR, including access controls and isolation of each organization's data;
  • assist the Customer, taking into account the nature of the processing, in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment duties;
  • notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data;
  • at the Customer's choice, delete or return the personal data at the end of the service, except where the law requires it to be kept.

3. Sub-processors

The Customer authorizes Bylio to use the sub-processors described on our Sub-processors page to help provide the service. Bylio remains responsible for its sub-processors' performance of these obligations. Bylio will give the Customer notice of a new sub-processor before it starts processing the Customer's personal data, so the Customer can object on reasonable data protection grounds.

4. International transfers

Where Bylio or a sub-processor transfers personal data outside the EEA, the transfer is made under an adequacy decision or Standard Contractual Clauses, together with any additional measures needed to protect the data.

5. Audits

On reasonable written request, and no more than once a year unless required by a supervisory authority, Bylio will make available the information needed to show it is meeting these obligations, and will cooperate with a proportionate audit conducted on reasonable notice and under confidentiality.

6. Order of precedence

If there is a conflict between this DPA and the rest of the Terms of Service about the processing of personal data, this DPA controls.