Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Client ("Controller", "you") and Saiko Music Group Ltd ("Processor", "we", "Saiko"), and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under UK GDPR.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Roles and Responsibilities
2.1 Controller (Client)
You, the Client, are the Controller of the personal data you input, upload, or create within the Platform. This includes campaign data, creator information, outreach content, and any personal data you choose to process through the Service. You are responsible for:
- Ensuring you have a lawful basis for processing the personal data
- Obtaining any necessary consents from data subjects
- Providing data subjects with appropriate privacy notices
- Responding to data subject requests (with our assistance as needed)
2.2 Processor (Saiko)
Saiko acts as the Processor when handling personal data on your behalf. We process personal data only on your documented instructions and for the purposes of providing the Service. We are responsible for:
- Processing data only in accordance with your instructions and this DPA
- Implementing appropriate technical and organisational security measures
- Assisting with data subject requests
- Notifying you of any personal data breaches without undue delay
- Maintaining records of processing activities
3. Scope of Processing
3.1 Subject Matter
The Processor processes Personal Data as necessary to provide the Saiko Intelligence platform services, including AI-powered campaign strategy, creator discovery, outreach management, and analytics.
3.2 Duration
Processing continues for the duration of the service agreement. Upon termination, data is handled in accordance with Section 9 (Data Deletion).
3.3 Types of Personal Data
| Category | Examples |
|---|---|
| Contact information | Names, email addresses of team members and creators |
| Campaign data | Briefs, budgets, target demographics, strategy notes |
| Creator data | TikTok usernames, follower counts, engagement rates, video statistics, categories |
| Communication data | Outreach messages, response logs, AI conversation histories |
| Usage data | Login records, API usage logs, feature interaction data |
3.4 Categories of Data Subjects
- Client employees and team members (users of the Platform)
- TikTok creators (whose publicly available data is processed for campaign purposes)
- Third parties whose contact information is uploaded by the Client
4. Security Measures
The Processor implements the following technical and organisational measures to protect Personal Data:
4.1 Access Control
- Role-based access control (viewer, manager, admin, owner hierarchy)
- Mandatory two-factor authentication for administrative accounts
- Strong password requirements (minimum 12 characters with complexity)
- 30-minute session inactivity timeout
- Account lockout after 5 failed login attempts within 15 minutes
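As an added illustration of the lockout rule in this section (five failed attempts within fifteen minutes), the following Python is example code written for this page, not Saiko's implementation. It assumes an in-memory failure store, an injectable clock, and a lockout duration of fifteen minutes, none of which the DPA specifies; a real deployment would hold this state in a shared store and the lockout length is a policy choice.

```python
"""Sliding-window login throttle: lock an account after MAX_FAILURES failed
attempts inside WINDOW_SECONDS. Illustrative example, not Saiko's code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

MAX_FAILURES = 5               # stated in section 4.1
WINDOW_SECONDS = 15 * 60       # stated in section 4.1
LOCKOUT_SECONDS = 15 * 60      # assumption: the page does not state the lockout length


@dataclass
class LoginThrottle:
    # The clock is injected so the policy can be exercised without sleeping.
    now: Callable[[], float]
    failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    locked_until: Dict[str, float] = field(default_factory=dict)

    def _prune(self, username: str) -> None:
        # Drop failures that fell out of the sliding window.
        cutoff = self.now() - WINDOW_SECONDS
        q = self.failures[username]
        while q and q[0] < cutoff:
            q.popleft()

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout has expired: clear the state so the window starts afresh.
            del self.locked_until[username]
            self.failures[username].clear()
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Record a failed attempt; return True if this attempt triggered a lockout."""
        self._prune(username)
        self.failures[username].append(self.now())
        if len(self.failures[username]) >= MAX_FAILURES:
            self.locked_until[username] = self.now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        self.failures[username].clear()
        self.locked_until.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    # Check the lock before verifying the password: a locked account must be
    # refused even when the supplied password is correct.
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "locked" if throttle.is_locked(username) else "failed"


class FakeClock:
    def __init__(self, start: float = 0.0) -> None:
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> List[str]:
    """Walk the policy through the window boundary and lockout expiry."""
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    users = {"alice": "correct horse battery staple!"}   # constructed sample credential
    check = lambda u, p: users.get(u) == p
    results = []
    for _ in range(4):                                   # four failures, still below the limit
        results.append(attempt_login(throttle, "alice", "wrong", check))
    clock.advance(16 * 60)                               # those failures now lie outside the window
    results.append(attempt_login(throttle, "alice", "wrong", check))
    for _ in range(4):                                   # fifth failure inside the new window locks
        results.append(attempt_login(throttle, "alice", "wrong", check))
    results.append(attempt_login(throttle, "alice", users["alice"], check))  # correct password, still locked
    clock.advance(LOCKOUT_SECONDS)                       # lockout expires
    results.append(attempt_login(throttle, "alice", users["alice"], check))
    return results
```

The window is evaluated per attempt rather than reset on a timer, so a slow attacker spreading attempts just under the rate never accumulates five failures, while a burst is locked on the fifth attempt regardless of whether the password later supplied is right.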
4.2 Encryption
- All data in transit encrypted via HTTPS/TLS
- Passwords hashed with bcrypt (never stored in plaintext)
- API keys and 2FA secrets encrypted at rest with Fernet symmetric encryption
- Database backups encrypted before off-site transfer
4.3 Data Isolation
- Multi-tenant architecture with logical data separation per client
- All database queries scoped to authenticated tenant
- AI conversations, memories, campaigns, and creator data isolated per tenant
- Cross-tenant access prevention verified through security audit
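As an added example of the tenant scoping described in this section, the following Python is illustrative code written for this page, not Saiko's implementation; the schema, table names and session object are assumptions. It also includes the kind of check a reviewer would run to verify cross-tenant access prevention: the tenant id comes from the authenticated session, never from the request, and every query carries it as a predicate, so a record id belonging to another tenant is indistinguishable from a non-existent one. An unscoped lookup is shown beside it to make the failure mode concrete.

```python
"""Tenant-scoped data access with a cross-tenant isolation check.
Illustrative example, not Saiko's code; uses an in-memory SQLite database."""
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Assumed schema: every tenant-owned row carries a tenant_id column.
SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY);
CREATE TABLE campaigns (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    name      TEXT NOT NULL
);
CREATE INDEX campaigns_tenant ON campaigns(tenant_id);
"""


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str   # bound at authentication time; request parameters cannot override it


class CampaignRepo:
    """All queries are scoped to the session's tenant; callers cannot pass a tenant id."""

    def __init__(self, conn: sqlite3.Connection, session: Session) -> None:
        self.conn = conn
        self.tenant_id = session.tenant_id

    def create(self, name: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO campaigns (tenant_id, name) VALUES (?, ?)",
            (self.tenant_id, name))
        return cur.lastrowid

    def get(self, campaign_id: int) -> Optional[dict]:
        # The tenant predicate is part of the lookup itself, so a guessed or
        # enumerated id from another tenant simply returns nothing.
        row = self.conn.execute(
            "SELECT id, name FROM campaigns WHERE id = ? AND tenant_id = ?",
            (campaign_id, self.tenant_id)).fetchone()
        return None if row is None else {"id": row[0], "name": row[1]}

    def delete(self, campaign_id: int) -> int:
        cur = self.conn.execute(
            "DELETE FROM campaigns WHERE id = ? AND tenant_id = ?",
            (campaign_id, self.tenant_id))
        return cur.rowcount   # 0 means "not found for this tenant"


def unscoped_get(conn: sqlite3.Connection, campaign_id: int) -> Optional[dict]:
    """The anti-pattern: a lookup keyed on id alone leaks any tenant's row (IDOR)."""
    row = conn.execute(
        "SELECT id, name FROM campaigns WHERE id = ?", (campaign_id,)).fetchone()
    return None if row is None else {"id": row[0], "name": row[1]}


def isolation_check() -> dict:
    """Seed two tenants and try to read and delete across the boundary."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?)", [("acme",), ("globex",)])  # constructed tenants
    acme = CampaignRepo(conn, Session("alice", "acme"))
    globex = CampaignRepo(conn, Session("bob", "globex"))
    acme_id = acme.create("Acme spring launch")
    globex_id = globex.create("Globex Q3 push")
    return {
        "own_read": acme.get(acme_id)["name"],
        "cross_read": acme.get(globex_id),                 # None: other tenant's row is invisible
        "cross_delete_rows": acme.delete(globex_id),       # 0: nothing deleted across the boundary
        "unscoped_leak": unscoped_get(conn, globex_id)["name"],  # the anti-pattern exposes it
        "globex_still_there": globex.get(globex_id) is not None,
    }
```

The point of returning a not-found result rather than an "access denied" error for cross-tenant ids is that the response does not confirm the record exists; the check function is the sort of test that belongs in a regression suite for the audit claim above.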
4.4 Backup and Recovery
- Daily automated PostgreSQL database backups at 03:00 UTC
- Daily backups retained for 7 days; weekly backups retained for 4 weeks
- Off-site backup storage with Backblaze B2
- Backup integrity verification
4.5 Monitoring
- Login audit trail with IP address and user agent logging
- Rate limiting per tenant per endpoint
- Error alerting with email notifications for system failures
- Uptime monitoring via external service
5. Sub-processors
5.1 Authorised Sub-processors
The Controller authorises the use of the sub-processors listed on our Sub-processor List page. The current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI language model processing | United States |
| RapidAPI | TikTok creator data API | United States |
| Hostinger | Server hosting infrastructure | EU / United States |
| Backblaze B2 | Encrypted backup storage | United States |
| Stripe | Payment processing (future) | United States |
5.2 Changes to Sub-processors
We will notify you at least 30 days in advance before engaging a new sub-processor or making material changes to existing sub-processor arrangements. Notification will be sent to your registered email address and posted on our Sub-processor List page.
If you object to a new sub-processor, you may notify us within 14 days of our notification. We will work with you to find a reasonable solution. If no resolution is possible, you may terminate the affected services.
6. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests, including:
- Access requests — We provide data export functionality in JSON and CSV formats.
- Rectification requests — Account data can be updated through the Platform.
- Erasure requests — We provide a data deletion process with 30-day grace period or immediate deletion on request.
- Portability requests — Data export includes all client data in machine-readable formats.
We will respond to Controller assistance requests within 10 business days.
7. Data Breach Notification
7.1 Notification Timeline
In the event of a personal data breach, the Processor will:
- Notify the Controller without undue delay, and in any case within 48 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
7.2 Cooperation
The Processor will cooperate with the Controller and provide reasonable assistance in:
- Investigating the breach and its impact
- Fulfilling the Controller's obligation to notify the ICO (within 72 hours) and affected data subjects
- Implementing remedial measures
8. Audits and Inspections
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. Upon reasonable request (no more than once per year, with 30 days' notice), the Controller may audit or appoint an independent auditor to verify compliance, subject to:
- Confidentiality obligations regarding any information accessed during the audit
- Audits being conducted during normal business hours with minimal disruption
- The Controller bearing the costs of the audit
9. Data Deletion
9.1 Upon Termination
Upon termination of the service agreement, at the Controller's choice, the Processor will either:
- Return all Personal Data to the Controller in a machine-readable format (JSON/CSV), and then delete all copies; or
- Delete all Personal Data, including backup copies, within 90 days
9.2 Deletion Scope
Deletion covers all tenant data including: user accounts, campaigns, creator records, outreach logs, AI conversation histories, AI memories, team memberships, invitations, usage logs, and any associated metadata.
9.3 Certification
Upon request, the Processor will provide written confirmation that all Personal Data has been deleted in accordance with this DPA.
10. International Transfers
Where Personal Data is transferred to sub-processors outside the UK, the Processor ensures appropriate safeguards are in place, including the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or reliance on UK adequacy regulations where applicable.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.
12. Term and Termination
This DPA is effective from the date you first access the Platform and continues until termination of the service agreement. Obligations relating to data deletion and confidentiality survive termination.
13. Contact
For DPA-related enquiries:
Saiko Music Group Ltd
Hamalworth House, 9 St. Clare Street
City Of London, England, EC3N 1LQ
Email: hello@saikointelligence.com