Sierra RealtimeSierra Realtime

Data Processing Agreement

Last updated: January 1, 2026

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service between Epic Essentials ("Processor", "we") and the customer organization ("Controller", "you") that uses the Sierra Realtime platform ("Service"). It applies whenever the Service Processes Personal Data on behalf of the Controller.

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the UK GDPR.

1. Roles & subject matter

The Controller determines the purposes and means of Processing. Sierra Realtime acts as a Processor (or Sub-processor where the Controller is itself a Processor for its own customers).

2. Scope of processing

  • Categories of data subjects: Controller's employees, contractors, customers, partners, and meeting / webinar guests.
  • Categories of personal data: identity (name, email, avatar), authentication credentials (password hash, MFA secrets), communication content (messages, files, recordings, transcripts), usage telemetry (IP, user-agent, timestamps), device tokens.
  • Special categories: not intentionally collected; if Controller's users transmit health, biometric, or other sensitive data via the Service, Controller is responsible for obtaining the consents required by Article 9 GDPR.
  • Processing operations: hosting, storage, transmission, encoding (audio/video), transcription (when AI services are enabled by Controller), backup, and deletion.
  • Duration: for the term of the underlying agreement, plus the deletion windows in Section 8.

3. Controller's instructions

We Process Personal Data only on documented instructions from the Controller. The Service's configuration (toggles, retention policies, integrations) constitutes documented instructions. We will inform the Controller if, in our opinion, an instruction infringes the GDPR.

4. Confidentiality

Personnel authorized to Process Personal Data are bound by confidentiality obligations and have completed data-protection training.

5. Security (Article 32)

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. See Annex II below for the list of measures.

6. Sub-processors (Article 28(2))

The Controller authorizes us to engage Sub-processors. We maintain a current list available at legal@epicessentials.xyz and notify the Controller of changes at least 30 days in advance, giving the Controller a reasonable opportunity to object. Each Sub-processor is bound by data-protection obligations equivalent to those in this DPA.

7. Data-subject rights & controller assistance

Sierra Realtime provides admin tooling to fulfill data-subject requests directly (export, correction, deletion). Where additional assistance is required, we will support the Controller within statutory timeframes.

8. Personal-data breach

We notify the Controller without undue delay (within 72 hours of becoming aware) of any Personal-Data Breach affecting the Controller's data, with the information required by Article 33(3) GDPR to the extent available.

9. Deletion or return

On termination, we delete or return all Personal Data Processed on behalf of the Controller within 30 days, unless retention is required by law or by the Controller's own legal-hold settings configured in the Service. Deletion is logged and an acknowledgement is available on request.

10. International transfers

Where Personal Data is transferred outside the EEA / UK / Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module 2: Controller → Processor; or Module 3: Processor → Sub-processor) and the UK Addendum where applicable. The SCCs are incorporated by reference into this DPA.

11. Audits (Article 28(3)(h))

On reasonable notice (at least 30 days, no more than once per 12 months unless triggered by a breach), the Controller may audit our compliance with this DPA — either by reviewing our most recent SOC 2 / ISO 27001 report, or, where insufficient, by engaging an independent auditor at the Controller's expense.

12. Governing terms

This DPA is governed by the same law and forum as the underlying agreement. If there's any conflict between this DPA and the underlying agreement, this DPA controls with respect to data-protection matters.

Annex I — Description of processing

(Filled in based on the Controller's deployment configuration.)

Annex II — Technical & organizational measures

  • TLS 1.2+ for all data in transit; HSTS preload-listed; modern cipher suites only.
  • AES-256 at-rest encryption for object storage, with optional BYOK via AWS KMS / GCP KMS / HashiCorp Vault.
  • Bcrypt password hashing (cost ≥ 10); MFA via TOTP; SCIM provisioning; SAML / OIDC SSO; SSO group-to-role mapping.
  • Tenant isolation at the application layer (org-scoped queries) plus information barrier rules for stricter separation.
  • Audit logging of every privileged action; admin Customer Lockbox flow for out-of-band access; eDiscovery export.
  • Daily encrypted database backups; documented restore drill; quarterly backup-integrity tests.
  • Continuous dependency vulnerability scanning; mandatory code review; static + dynamic analysis on every release.
  • Background-checked operations personnel; least-privilege access via short-lived SSH certificates; documented incident-response runbook.
  • Annual third-party penetration test; SOC 2 Type II audit (in progress).