Data Processing Agreement (DPA)
Last updated: January 29, 2026
Version: 1.0
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Cyclora (“Processor”) and the user or entity using our services (“Controller”). This DPA applies to the processing of personal data that Cyclora performs on behalf of the Controller.
This DPA is entered into in accordance with the General Data Protection Regulation (GDPR), Colombia’s Law 1581 of 2012 (general Habeas Data), Law 1266 of 2008 (financial Habeas Data), Decree 1377 of 2013, Brazil’s LGPD, California’s CCPA/CPRA, and other applicable data protection legislation.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion)
- Controller: The entity that determines the purposes and means of processing
- Processor: The entity that processes personal data on behalf of the Controller (Cyclora)
- Sub-processor: A third party engaged by the Processor to assist with processing
- Service Data: Personal data processed by Cyclora to provide the services
3. Roles and Responsibilities
3.1 Cyclora as Processor
When a user or store uses Cyclora to manage their customers’ data (e.g., invoice data, customer bicycle information, maintenance records), Cyclora acts as Processor of such data.
3.2 Cyclora as Controller
Cyclora acts as Controller for:
- User account data (registration, profile)
- Platform usage and analytics data
- Subscription billing and payment data
3.3 Processor Obligations
Cyclora commits to:
- Process personal data only according to the Controller’s documented instructions
- Ensure that personnel authorized to process data have committed to confidentiality
- Implement appropriate technical and organizational measures to protect data
- Respect the conditions for engaging sub-processors
- Assist the Controller in fulfilling data subject rights requests
- Assist the Controller in complying with security obligations, breach notifications, and impact assessments
- Delete or return all personal data upon termination of the relationship, as instructed by the Controller
- Make available to the Controller all information necessary to demonstrate compliance
4. Security Measures
Cyclora implements the following technical and organizational measures:
4.1 Technical Measures
- Encryption in transit: TLS 1.2+ for all communications
- Encryption at rest: AES-256 for stored data
- Access control: Multi-factor authentication for internal systems
- Network segmentation: Production environment isolation
- Monitoring: Intrusion detection and continuous monitoring
- Backups: Encrypted backups with defined retention
- Logging: Data access audit logging
4.2 Organizational Measures
- Documented information security policies
- Regular staff training on data protection
- Role-based access controls (principle of least privilege)
- Security incident management processes
- Periodic risk assessments
5. Sub-processors
5.1 Authorized Sub-processors
The Controller authorizes Cyclora to engage the following sub-processors:
| Sub-processor | Purpose | Country/Region | Privacy Policy |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage | USA (us-east-1) | AWS Privacy |
| Google Cloud Platform | Authentication services (OAuth) | USA | Google Privacy |
| MercadoPago | Payment processing | Argentina/Colombia | MP Privacy |
| Google Analytics | Web analytics (anonymized data) | USA | Google Privacy |
| Expo (React Native) | Mobile services, push notifications | USA | Expo Privacy |
| Cloudflare | CDN, DDoS protection, DNS | Global | CF Privacy |
5.2 Change Notification
Cyclora will notify the Controller at least 30 days in advance before adding or replacing sub-processors, providing the opportunity to object. Notification will be made via:
- Email to the Controller’s registered contact
- Update to this page with the current list
5.3 Objections
If the Controller reasonably objects to a new sub-processor, Cyclora will make commercially reasonable efforts to offer an alternative. If not possible, the Controller may terminate the service without penalty.
6. International Data Transfers
6.1 Transfer Mechanisms
For transfers of personal data outside the European Economic Area (EEA), Cyclora uses:
- Standard Contractual Clauses (SCCs): Modules approved by the European Commission (Decision 2021/914)
- Data Privacy Framework (DPF): For transfers to the USA where the sub-processor is certified
- Adequacy decisions: Where they exist for the destination country
6.2 Destination Countries
Data may be transferred to:
- United States: AWS, Google, Expo (under SCCs and/or DPF)
- Argentina: MercadoPago (EU adequacy decision)
- Colombia: Cyclora’s primary servers
6.3 Transfers under Colombian Law (Art. 26, Law 1581 of 2012)
For international transfers of personal data from Colombia, Cyclora complies with:
- SIC adequate countries list: Transfers are made to countries recognized by the SIC as having adequate levels of protection, or through contracts that guarantee the minimum conditions of Colombian law
- Art. 26 exceptions: Transfers necessary for the execution of the contract between the data subject and Cyclora, or with the data subject’s express authorization
- SIC registration: Cyclora is registered (or in the process of registering) in the National Database Registry (RNBD) pursuant to Decree 1377 of 2013
6.4 LATAM Transfers
For users in Latin American countries, the following additional considerations apply:
| Country | Applicable Law | Transfer Requirement |
|---|---|---|
| Brazil | LGPD (Lei 13.709/2018) | Standard contractual clauses or specific consent (Art. 33) |
| Mexico | LFPDPPP | Privacy notice and consent; contract with receiving third parties |
| Argentina | Law 25.326 | EU adequacy decision country; adequate level required |
| Chile | Law 21.719 (2024) | Consent or approved contractual clauses |
| Peru | Law 29733 | Data subject authorization or cross-border flow to adequate country |
| Ecuador | LOPDP (2021) | Adequate guarantees or explicit consent |
| Uruguay | Law 18.331 | EU adequacy decision country; adequate level required |
6.5 Transfer Impact Assessment (TIA)
Cyclora has conducted transfer impact assessments for each sub-processor in countries without adequacy decisions, considering the legal framework of the destination country and the supplementary measures implemented.
7. Security Breach Notification
7.1 Notification Obligation
In the event of a security breach affecting personal data, Cyclora commits to:
- Notify the Controller without undue delay and, in any case, within 72 hours of becoming aware of the breach
- Provide the following information (to the extent available):
  - Nature of the breach, including categories and approximate number of affected data subjects
  - Name and contact details of the data protection officer or point of contact
  - Likely consequences of the breach
  - Measures taken or proposed to remedy the breach and mitigate its effects
- Document all breaches, their effects, and corrective measures taken
7.2 Notification Process
- Primary channel: Email to the Controller’s privacy contact registered on the platform
- Secondary channel: Notification in the Cyclora administration panel
- Emergency channel: Phone (for high-risk breaches)
7.3 Assistance
Cyclora will assist the Controller in:
- Notifying the competent supervisory authority (when required)
- Communicating to affected data subjects (when required)
- Investigating and remediating the breach
8. Data Subject Rights
8.1 Assistance
Cyclora will assist the Controller in responding to data subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object
- Right to restriction of processing
8.2 Response Time
Cyclora will respond to the Controller’s assistance requests within 10 business days.
9. Audit and Compliance
9.1 Right to Audit
The Controller has the right to audit compliance with this DPA. Audits must:
- Be notified at least 30 days in advance
- Be conducted during normal business hours
- Not interfere with Cyclora’s operations
- Be conducted at the Controller’s expense
9.2 Compliance Reports
Cyclora will make available:
- Current security certifications
- Penetration test results (executive summary)
- Third-party audit reports (when available)
10. Duration and Termination
10.1 Duration
This DPA remains in effect as long as Cyclora processes personal data on behalf of the Controller.
10.2 Effects of Termination
Upon termination:
- Cyclora will cease processing the Controller’s personal data
- At the Controller’s election, Cyclora will delete or return all personal data within 30 days
- Cyclora will provide written certification of deletion
- Confidentiality obligations survive termination
Exception: Data that must be retained due to legal obligation (e.g., invoices for 5 years under Colombian tax regulations).
11. Liability
Each party’s liability under this DPA is subject to the limitations set forth in the Terms of Service.
12. Governing Law
This DPA is governed by:
- For EU/EEA users: The laws of the Controller’s country, supplemented by the GDPR
- For Colombian users: The laws of the Republic of Colombia, including Law 1581 of 2012
- For Brazilian users: The LGPD (Lei Geral de Proteção de Dados)
- For other users: The laws of the Republic of Colombia
13. Contact
For inquiries about this DPA:
- Email: [email protected]
- Subject: DPA Inquiry - [Your name or entity]
To report security breaches:
- Email: [email protected]
- Subject: [URGENT] Breach Report - [Brief description]
This DPA supplements the Terms of Service and Privacy Policy of Cyclora.