Sundial is SOC 2 Type I attested.

Sundial Data Protection Agreement (DPA)

Effective as of October 15, 2025

This Data Protection Agreement (“DPA”) forms part of the services provided by Sundial Scheduling, LLC (“Sundial”) to its customers.

1. Roles of the Parties

Sundial acts as a Data Processor when processing Customer Personal Data in connection with providing the Sundial Chrome extension and related services.

The Customer acts as the Data Controller and determines the purposes and means of processing.

2. Subject Matter & Duration

Sundial processes Customer Personal Data only for the purpose of providing the services described in Sundial’s documentation and enterprise review materials.

Processing lasts for the duration of the customer’s use of Sundial’s services, unless otherwise required by law.

3. Categories of Data Processed

  • User Identifiers: Email address (via Google OAuth).
  • Usage Data: Extension feature usage (non-sensitive).
  • Calendar Data: Accessed only upon explicit user action. No event content is stored.

Sundial applies strict data minimization principles.

4. Processor Obligations

Sundial shall:

Process Customer Personal Data only on documented instructions from the Customer.

Implement appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Short-lived OAuth tokens (not stored).
  • Least-privilege access controls and periodic access reviews.

Ensure that employees and contractors authorized to process data are bound by confidentiality obligations.

Notify the Customer without undue delay after becoming aware of a Personal Data Breach.

Assist the Customer in fulfilling obligations regarding data subject rights (access, deletion).

Delete or return Customer Personal Data at termination of services.

5. Subprocessors

Sundial uses subprocessors to deliver its services, each of which is reviewed for security and compliance.

The current list of Sundial subprocessors is maintained at https://trysundial.ai/security#6-security-governance.

Customer will be notified of any intended changes to subprocessors.

6. International Transfers

All Customer Personal Data is stored in the U.S. If transfers outside the U.S. occur, Sundial will rely on appropriate safeguards such as Standard Contractual Clauses.

7. Compliance & Certification

  • Sundial has achieved SOC 2 Type I attestation (Aug 2025) and is undergoing Type II review.
  • Sundial undergoes regular third-party penetration testing.
  • Sundial maintains a comprehensive set of security and compliance policies (available on request).

8. Liability

Sundial’s aggregate liability under this DPA shall be subject to the limitations of liability agreed under the main customer agreement.