Pylos Data Processing Agreement
Effective Date: June 21, 2026
Last Updated: June 21, 2026
1. Background and Scope
This Data Processing Agreement (the "DPA") is entered into between Pylos LLC, a Texas limited liability company ("Pylos," "we," or "us"), and the customer that has accepted Pylos's Terms of Service ("Customer" or "you"). This DPA forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement").
This DPA applies whenever Pylos processes Personal Data on behalf of Customer in connection with the Service. To the extent of any conflict between this DPA and the Agreement, this DPA controls with respect to data protection matters.
If you do not process Personal Data in a way that requires a DPA under applicable law, this DPA still applies to govern Pylos's handling of any Personal Data you do provide.
2. Definitions
- Personal Data means information relating to an identified or identifiable individual that Customer uploads, transmits, or otherwise makes available to the Service, and that Pylos processes on Customer's behalf. Personal Data includes data about Customer's staff, congregants, speakers, and others identifiable from Customer Content.
- Customer Data means all data, including Personal Data, that Customer provides to or generates through the Service.
- Processing means any operation performed on Personal Data, including collection, storage, modification, disclosure, transmission, and deletion.
- Controller means the party that determines the purposes and means of Processing.
- Processor means a party that Processes Personal Data on behalf of a Controller.
- Subprocessor means a third party engaged by Pylos to Process Personal Data in connection with the Service.
- Security Incident means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Pylos.
- Applicable Privacy Laws means United States federal and state laws relating to the privacy and protection of Personal Data, including the California Consumer Privacy Act (CCPA/CPRA), the Texas Data Privacy and Security Act (TDPSA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and similar state-level privacy laws.
Capitalized terms used but not defined here have the meanings given in the Agreement or the Privacy Policy.
3. Roles of the Parties
For purposes of this DPA and Applicable Privacy Laws:
- Customer is the Controller of Personal Data Processed by Pylos. Customer determines the purposes and means of Processing Personal Data and is responsible for ensuring it has a lawful basis to provide Personal Data to Pylos.
- Pylos is the Processor of Personal Data on Customer's behalf, processing such data only on Customer's documented instructions and as necessary to provide the Service.
- For Personal Data that Pylos collects directly from individuals (such as Account Holders signing up for the Service or website visitors), Pylos acts as a Controller, and Pylos's Privacy Policy governs.
4. Customer Instructions and Lawful Basis
Customer instructs Pylos to Process Personal Data:
(a) as necessary to provide the Service in accordance with the Agreement;
(b) as necessary to comply with applicable law;
(c) as further described in the Privacy Policy and this DPA.
Customer represents and warrants that:
(a) Customer has a lawful basis to provide Personal Data to Pylos and to authorize the Processing described in this DPA, the Agreement, and the Privacy Policy;
(b) Customer has provided all necessary notices and obtained all necessary consents for the Processing of Personal Data by Pylos and its Subprocessors, including consents from individuals identifiable in Customer Content (such as pastors, speakers, congregants, and minors and their parents or guardians);
(c) Customer's use of the Service complies with all Applicable Privacy Laws.
5. Nature, Purposes, and Categories of Processing
Subject matter of Processing: Pylos's Service, as described in the Agreement.
Duration of Processing: As long as Customer uses the Service, plus any retention periods described in the Privacy Policy.
Nature and purpose of Processing: Pylos Processes Personal Data to provide the Service, including hosting, transcribing, analyzing, distributing, and displaying Customer Content; supporting Customer accounts; and providing the features and outputs described in the Agreement.
Categories of Personal Data: Personal Data may include names, email addresses, photographs, voice recordings, audio-only sermon recordings, video recordings, transcripts, and other information identifying individuals appearing in Customer Content or associated with Customer's account.
Categories of individuals: Customer's Account Holders and Authorized Users; pastors, speakers, congregants, guests, and other individuals identifiable in Customer Content.
6. Pylos's Obligations as Processor
Pylos will:
(a) Process Personal Data only on Customer's documented instructions, as set forth in this DPA, the Agreement, and the Privacy Policy, except where required by law;
(b) ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations;
(c) implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data, taking into account the nature of the data and the risks of Processing;
(d) assist Customer in responding to requests from individuals exercising their rights under Applicable Privacy Laws (such as access, correction, or deletion requests), to the extent reasonable and as further described in section 9;
(e) assist Customer in meeting Customer's own obligations under Applicable Privacy Laws, including obligations regarding security, breach notification, and data protection assessments, taking into account the nature of Processing and the information available to Pylos;
(f) at Customer's choice, delete or return Personal Data after the end of the provision of services relating to Processing, subject to retention permitted under the Agreement (including for Aggregated Data, Derived Data, and trained models) and as required by law.
7. Aggregated and Derived Data
As described in the Agreement, Pylos has the right to retain and use Aggregated Data and Derived Data (including data used in or derived from machine learning models) for purposes beyond providing the Service. This right survives termination of the Agreement.
Aggregated Data and Derived Data, by their nature, do not identify individual Customers or data subjects, and Pylos's use of such data is not subject to the deletion and return obligations in section 6(f).
8. Subprocessors
Customer authorizes Pylos to engage Subprocessors to Process Personal Data in connection with the Service. Pylos will:
(a) enter into written agreements with each Subprocessor that impose data protection obligations substantially similar to those in this DPA;
(b) remain liable to Customer for the acts and omissions of its Subprocessors with respect to Personal Data, to the same extent Pylos is liable for its own performance under this DPA;
(c) maintain a list of categories of Subprocessors used to provide the Service. A current summary of major Subprocessors is available on request to luke@getpylos.com.
Pylos may add, remove, or replace Subprocessors at its discretion as the Service evolves. Pylos will provide notice of material changes through updates to the Privacy Policy or this DPA.
9. Data Subject Rights and Customer Requests
Customer is responsible for responding to requests from individuals exercising their rights under Applicable Privacy Laws (including rights to access, correct, delete, or port their Personal Data, and rights to opt out of certain Processing).
Pylos will provide reasonable assistance to Customer in responding to such requests, including by:
(a) providing tools or processes through the Service that allow Customer to fulfill access, deletion, and portability requests;
(b) responding to specific requests for assistance from Customer within a reasonable time;
(c) implementing requests to delete or restrict Processing of Personal Data, to the extent technically feasible and consistent with Pylos's other rights under the Agreement (including with respect to Aggregated Data, Derived Data, and trained models).
If Pylos receives a request directly from an individual that is properly directed to Customer, Pylos will redirect the request to Customer or refer the individual to Customer.
10. Security
10.1. Security Measures
Pylos will maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data, including:
(a) encryption of Personal Data in transit and at rest through our infrastructure providers' built-in encryption;
(b) access controls limiting access to Personal Data to authorized personnel with a legitimate need to know;
(c) authentication and credential-management practices;
(d) logging and monitoring of access to Personal Data;
(e) periodic review of Pylos's security practices.
The specific safeguards may evolve over time as Pylos improves the Service. Pylos will not materially weaken its security posture during the term of the Agreement.
10.2. Security Incident Notification
If Pylos confirms a Security Incident materially affecting Customer's Personal Data, Pylos will notify Customer within seventy-two (72) hours of confirmation. The notification will include, to the extent then known:
(a) a description of the nature of the Security Incident;
(b) the categories and approximate volume of Personal Data affected;
(c) the likely consequences of the Security Incident;
(d) the measures taken or proposed by Pylos to address the Security Incident and mitigate its possible adverse effects.
Pylos will provide updates as additional information becomes available and will cooperate reasonably with Customer in responding to the Security Incident, including with respect to Customer's notification obligations under Applicable Privacy Laws.
A notification or response by Pylos under this section is not an acknowledgment of fault or liability.
11. Audits and Assessments
Pylos will make available to Customer information reasonably necessary to demonstrate Pylos's compliance with this DPA, including by responding to reasonable inquiries from Customer about Pylos's data protection practices.
If Customer is required by Applicable Privacy Laws to conduct an audit, Customer may, no more than once per twelve-month period, request that Pylos respond to a written questionnaire about its data protection practices. Pylos will respond within a reasonable time.
On-site audits by Customer are not provided as a default but may be agreed in writing for enterprise customers with legitimate regulatory requirements, at Customer's expense.
12. International Data Transfers
The Service is intended for use by customers in the United States, and Personal Data is generally Processed in the United States or by Subprocessors that operate United States-based infrastructure. Customer acknowledges and agrees to such Processing.
If Pylos Processes Personal Data outside the United States, Pylos will use commercially reasonable measures designed to provide an appropriate level of protection for such data.
This DPA does not include the European Economic Area (EEA) Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement, or other cross-border transfer mechanisms required for transfers from those regions. The Service is not directed to individuals in the EEA, the United Kingdom, or other regions outside the United States.
13. Term and Termination
This DPA is effective as of the date Customer accepts the Agreement and continues until the Agreement terminates.
On termination, Pylos's rights and obligations regarding Personal Data are governed by section 13 of the Agreement, the Privacy Policy, and section 6(f) of this DPA.
Provisions of this DPA that by their nature should survive termination (including those relating to Aggregated Data and Derived Data, confidentiality, indemnification, and limitations of liability under the Agreement) survive termination.
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability in the Agreement. This DPA does not create separate liability beyond what is set forth in the Agreement.
15. Updates to This DPA
Pylos may update this DPA from time to time. We will post the updated version at getpylos.com/dpa and update the "Last Updated" date.
For material changes, we will provide reasonable notice. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the changes.
16. Miscellaneous
16.1. Order of Precedence
In the event of conflict between this DPA, the Agreement, and the Privacy Policy regarding the Processing of Personal Data: (a) this DPA controls over the Agreement; (b) this DPA controls over the Privacy Policy; (c) all three documents should be read together where possible.
16.2. Independent Document
If a court holds any provision of this DPA invalid or unenforceable, the remaining provisions remain in full force and effect.
16.3. No Third-Party Beneficiaries
This DPA does not create any rights enforceable by any third party.
17. Contact
For questions or notices regarding this DPA, contact:
Pylos LLC
3708 E 29th St, Unit #342, Bryan, TX 77802
Email: luke@getpylos.com