Skip to content

Data Processing Terms

Data Processing Terms

Data Processing Terms

Current as of 13 July 2026

Bily offers contract-specific data processing terms whenever a customer’s configured use requires Bily to process personal data on the customer’s behalf. Customers should complete the authorised DPA process before enabling that processing. This page explains the review path and the subjects covered. It is not itself a Data Processing Addendum and does not become part of an agreement merely because it is viewed or linked.

When a DPA applies

A DPA is relevant when a customer is a controller or processor and instructs Bily to process personal data as the customer’s processor or subprocessor. Bily’s processing of website visitors, account administration, billing, security, support, and Bily’s own business communications is generally covered by the Privacy Policy in Bily’s controller capacity rather than by a customer DPA.

What the DPA covers

  • The parties’ controller, processor, service-provider, and subprocessor roles.

  • The subject matter, duration, nature, and purpose of processing.

  • Categories of personal data and data subjects relevant to the customer’s configured Service.

  • Documented instructions, confidentiality, personnel access, and security obligations.

  • Assistance with rights requests, impact assessments, regulator enquiries, and personal-data incidents where required.

  • Subprocessor authorisation, the applicable provider schedule, and a process for material objections.

  • International-transfer safeguards that apply to the parties and the relevant processing locations.

  • Return, deletion, or isolation of data at the end of the Service, subject to legal and operational retention duties.

  • Reasonable information and audit mechanisms proportionate to the Service and risk.

Security schedule

The DPA may include or incorporate a description of technical and organisational measures appropriate to the contracted scope. Public practices are summarised in the Security Overview. A signed document may add commitments, but Bily will not include certifications, residency, backup, response-time, or audit claims that are not supported for the purchased Service.

Subprocessors and transfers

The contract package identifies or makes available the subprocessors relevant to the customer’s scope and sets any required change-notice process. See Subprocessors. For a UK restricted transfer not covered by adequacy regulations, the signed DPA can incorporate the ICO-approved International Data Transfer Agreement or the ICO-approved UK Addendum to the EU Standard Contractual Clauses, together with the required transfer assessment and supplementary measures. For an EEA restricted transfer, the signed DPA can incorporate the applicable EU Standard Contractual Clauses and transfer assessment. Another lawful mechanism may apply where the contract identifies it.

Rights requests and customer instructions

The customer remains responsible for verifying and deciding requests from individuals whose data it controls. Bily assists through supported product workflows and reasonable verified instructions. The customer should provide enough information to identify the account, property, person, data category, jurisdiction, and requested action without sending unnecessary personal data.

Deletion and return

A DPA should reflect the actual product and retention architecture rather than promise instant deletion from every system. Supported property-removal workflows delete relevant application records and tenant resources and invalidate caches. Billing, security, fraud-prevention, legal, immutable-log, and backup records may follow separate limited retention. Customer-directed destinations control their own copies.

How to request the contract package

  • Organisation legal name, country, and company or registration number.

  • Primary legal or privacy contact and authorised signer.

  • Bily plan or proposed service scope and the properties or regions involved.

  • Whether the organisation is acting as controller, processor, or both.

  • Known categories of personal data, data subjects, and any restricted-transfer requirement.

  • Required deadline and any customer paper that must be reviewed.

Send the request to [email protected]. The addendum becomes binding only when accepted through an authorised contract process. If an executed DPA conflicts with this page, the executed DPA controls.