GDPR Compliance

Pyze's Role Under GDPR

Pyze operates as both a Data Processor and a Data Controller, depending on the context:

GDPR Principles We Follow

Lawfulness, Fairness & Transparency

We process personal data with a valid legal basis, communicate clearly about our data practices, and maintain a comprehensive Privacy Policy.

Purpose Limitation

Customer data is processed solely to deliver the contracted Services. We do not sell personal data or use it for advertising purposes.

Data Minimization

Pyze collects only data necessary to provide the Services. Customers control the scope and nature of data collected within the platform.

Accuracy

We support customers in maintaining accurate data and provide mechanisms for correction and updating.

Storage Limitation

Data is retained only as long as necessary to provide services and meet contractual and legal obligations. Upon termination, data is deleted or returned per customer instructions.

Integrity & Confidentiality

We implement appropriate technical and organizational measures to protect personal data, including encryption, access controls, monitoring, and incident response. See our Security & Compliance page.

Accountability

Pyze maintains records of processing activities, conducts regular security reviews and SOC 2 audits, and provides audit support to customers.

Data Subject Rights

Pyze supports the exercise of GDPR data subject rights:

• Right of Access — Obtain confirmation and copies of personal data
• Right to Rectification — Correct inaccurate personal data
• Right to Erasure — Request deletion of personal data
• Right to Restrict Processing — Limit how data is processed
• Right to Data Portability — Receive data in a structured format
• Right to Object — Object to processing based on legitimate interests

For data processed on behalf of customers, individuals should direct requests to the relevant customer (Data Controller). Pyze will assist customers in fulfilling these requests as required.

International Data Transfers

Pyze may process data in the United States, EU, APAC, or other jurisdictions. Where personal data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data residency controls via customer-managed deployment options

Data Processing Addendum

Our Data Processing Addendum (DPA) provides GDPR-compliant contractual terms covering:

• Documented processing instructions
• Confidentiality obligations
• Technical and organizational security measures
• Subprocessor management and notification
• Breach notification within required timeframes
• Assistance with data subject rights and regulatory obligations
• Data deletion and return upon termination
• Audit rights

Subprocessors

Pyze maintains a list of subprocessors used to support service delivery. All subprocessors are contractually bound to equivalent data protection obligations. Customers are notified of material changes.

Deployment & Data Residency

Pyze supports customer-managed deployments on Google Cloud Platform, enabling organizations to:

• Keep data within EU regions or other required jurisdictions
• Maintain full control over data residency
• Meet strict InfoSec and regulatory requirements

Breach Notification

In the event of a personal data breach, Pyze will:

• Notify affected customers without undue delay
• Provide information about the nature and scope of the breach
• Assist customers in meeting their notification obligations to supervisory authorities and data subjects

Key Resources

Contact

For GDPR or data protection inquiries:

Pyze, Inc.
Redwood City, CA
privacy@pyze.com