Legal
Last updated: June 8, 2026
In this DPA:
Ccyfer processes personal data on your behalf for the following purposes:
| Processing Activity | Categories of Data | Legal Basis |
|---|---|---|
| User account management | Names, emails, business details of your team members | Contract performance |
| AI tool operation | Business descriptions, audience data, product details you enter | Contract performance |
| Platform analytics | Usage patterns, tool interactions (anonymised) | Legitimate interest |
| Client workspace management | Client names, websites, social handles you input | Contract performance |
| Billing and invoicing | Names, billing addresses, payment identifiers | Legal obligation |
| Security monitoring | Login events, access logs, IP addresses | Legitimate interest |
As your Data Processor, Ccyfer agrees to:
You provide general written authorisation for Ccyfer to engage the following sub-processors. We will notify you 30 days in advance of adding new sub-processors:
| Sub-processor | Location | Processing Activity | Data Categories |
|---|---|---|---|
| Google Firebase / Firestore | India (Mumbai) | Database, authentication, file storage | All platform data |
| Google Cloud Platform | India (Mumbai) | Hosting, functions, storage | All platform data |
| Anthropic PBC | USA | AI content generation (Claude API) | Tool inputs only |
| OpenRouter Inc. | USA | AI model routing and fallback | Tool inputs only |
| Stripe / Razorpay | USA / India | Payment processing | Billing data only |
For AI sub-processors located in the USA, data transfers are governed by Standard Contractual Clauses (Module 2: Controller to Processor). Only the minimum necessary data (tool inputs, not full personal profiles) is transferred to AI providers.
Ccyfer has implemented the following technical and organisational measures:
Encryption in transit
TLS 1.3 for all data in transit between client and server
Encryption at rest
AES-256 encryption for all stored data (Google Cloud default)
Access controls
Role-based access control; principle of least privilege
Authentication
Multi-factor authentication support; JWT with short expiry
Admin operations
All admin writes via server-side Cloud Functions, not client-side
API key security
All keys stored as environment secrets, never in client code
Audit logging
All admin actions and access events logged with timestamps
Vulnerability management
Regular dependency audits; security patches applied promptly
When you receive a data subject request (access, deletion, correction, portability) relating to personal data processed through the Platform, Ccyfer will:
Note: You remain the Data Controller and are responsible for responding to data subjects. Ccyfer acts only on your instructions.
In the event of a personal data breach affecting data processed under this DPA:
Processing within India occurs on Google Cloud infrastructure in the Mumbai (asia-south1) region. Where personal data is transferred outside India to AI sub-processors in the USA:
Ccyfer retains personal data processed under this DPA for:
Upon termination of the subscription or receipt of a deletion instruction, Ccyfer will delete or irreversibly anonymise all personal data within 30 days and provide written confirmation.
You have the right to audit Ccyfer's compliance with this DPA. Ccyfer will:
Ccyfer may satisfy audit obligations by providing third-party certifications or audit reports in lieu of physical audits.
This DPA is governed by the laws of India. Disputes arising under this DPA are subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India.
To exercise your rights under this DPA or for any questions, contact our Data Protection Officer at dpo@ccyfer.in.
DPA enquiries: dpo@ccyfer.in