Data Processing Agreement
Email legal@kaitalk.online with subject "DPA Request" — include your company name and jurisdiction. We'll review, counter-sign, and return within 5 business days.
1. Definitions
| Term | Definition |
|---|---|
| Controller | The natural or legal person who determines the purposes and means of processing Personal Data — i.e., the KAITALK enterprise customer. |
| Processor | KAITALK / Chany Ventures S. de R.L. de C.V., which processes Personal Data on behalf of the Controller. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data in connection with providing the Service. |
| Data Subject | An identified or identifiable natural person whose Personal Data is processed. |
| Personal Data | Any information relating to an identified or identifiable natural person, including callers' phone numbers, voice recordings, transcriptions, and contact details. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, transmission, or deletion. |
| GDPR | EU General Data Protection Regulation 2016/679. |
| LFPDPPP | Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Mexico). |
2. Scope and Nature of Processing
2.1 Subject Matter
KAITALK processes Personal Data to provide the AI customer care service: answering inbound phone calls, transcribing conversations, generating AI responses, scheduling appointments, and providing call logs to the Controller's dashboard.
2.2 Categories of Data Subjects
- Callers contacting the Controller's business telephone number
- Employees of the Controller who access the KAITALK dashboard
- Prospects and leads captured during inbound calls
2.3 Categories of Personal Data Processed
- Caller phone numbers and call metadata (timestamp, duration, status)
- Voice recordings (if enabled by the Controller)
- Conversation transcriptions and AI-generated summaries
- Contact information captured during calls (name, email, appointment details)
- Dashboard user email addresses and authentication tokens
2.4 Purpose Limitation
KAITALK processes Personal Data solely on documented instructions from the Controller (as expressed through the Service configuration and this DPA) and for no other purpose. KAITALK will notify the Controller if it believes an instruction violates applicable law.
3. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for processing Personal Data under applicable law (e.g., legitimate interest, consent, or contractual necessity)
- It has provided appropriate disclosures to Data Subjects about AI-assisted call handling
- It will configure the Service in compliance with applicable data protection law
- It will promptly inform KAITALK of any changes to Data Subject rights requests or regulatory requirements that affect processing
4. Processor Obligations
- Instructions only: Process Personal Data only on the Controller's documented instructions
- Confidentiality: Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Security: Implement appropriate technical and organizational measures (see Section 5)
- Sub-processors: Engage Sub-processors only with prior written authorization (general authorization granted per Section 6)
- Assistance: Assist the Controller with Data Subject rights requests, DPIAs, and regulatory inquiries
- Deletion/Return: Delete or return all Personal Data upon termination of the Service (see Section 9)
- Audit: Make available information necessary to demonstrate compliance; support Controller audits on reasonable notice
5. Technical and Organizational Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | HTTPS/TLS 1.3 on all endpoints; Strict-Transport-Security enforced |
| Encryption at rest | Neon PostgreSQL storage encrypted at rest (AES-256); stored OAuth tokens additionally encrypted with AES-256-GCM before being written to the database |
| Access control | Magic-link passwordless authentication; role-based dashboard access; 30-day session TTL |
| Process isolation | AI execution environment cannot access production credentials or database URLs |
| Network security | Cloudflare WAF; CORS allowlist; Content-Security-Policy; rate limiting per endpoint |
| Audit logging | Billing events, security events, and API errors logged with full context |
| Vulnerability management | Dependency updates; security header enforcement; OWASP Top 10 controls |
| Backup | Neon PostgreSQL automated backups with point-in-time recovery |
6. Sub-processors
The Controller grants general authorization for KAITALK to engage the following Sub-processors. KAITALK will notify the Controller of any intended changes (additions or replacements) with 30 days' notice, allowing the Controller to object.
| Sub-processor | Country | Purpose |
|---|---|---|
| Render Inc. | United States | Application hosting and compute |
| Neon Inc. | United States | PostgreSQL database (personal data storage) |
| Twilio Inc. | United States | Voice telephony, inbound call routing, recordings |
| Stripe Inc. | United States / Mexico | Payment processing (USD and MXN accounts) |
| OpenAI LLC | United States | AI language model (call response generation) |
KAITALK has executed data processing agreements with each Sub-processor that impose equivalent obligations to those in this DPA.
7. International Data Transfers
All Sub-processors listed in Section 6 are established in the United States (Stripe additionally processes MXN payments through its Mexican entity). Where Personal Data of EU Data Subjects is transferred, KAITALK relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914; for UK Data Subjects, the SCCs are used together with the UK International Data Transfer Addendum, since the EU SCCs alone are not a valid UK transfer mechanism. For Mexican Data Subjects, transfers are governed by the LFPDPPP Article 37 mechanisms.
8. Data Subject Rights
KAITALK will begin assisting the Controller with a Data Subject rights request within 12 hours of notification. The Controller remains responsible for responding to Data Subjects directly. KAITALK provides:
- A self-service Data Subject Request portal at /dsr
- Technical export of call logs, transcriptions, and account data upon request
- Deletion of specific Data Subject records within 15 business days of verified request
9. Retention and Data Return
Upon termination or expiration of the KAITALK Service agreement:
- KAITALK will, at the Controller's election, return all Personal Data in machine-readable format (JSON/CSV) or securely delete it within 30 calendar days
- Backups containing Personal Data will be purged within 90 days
- KAITALK may retain anonymized/aggregated data for service improvement; this data cannot be used to re-identify Data Subjects
- Data retained for legal compliance (billing records, regulatory obligations) will be retained per applicable law and documented
10. Data Breach Notification
KAITALK will notify the Controller of a confirmed Personal Data breach within 48 hours of becoming aware of it. Notification will include:
- Description of the nature of the breach and categories/approximate number of Data Subjects affected
- Contact details of KAITALK's data protection point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Controller is responsible for notifying the relevant supervisory authority and Data Subjects in accordance with applicable law.
11. Limitation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the KAITALK Terms of Service. In no event shall either party be liable for indirect, incidental, special, or consequential damages arising from a breach of this DPA. KAITALK's aggregate liability for breaches of this DPA shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.
12. Term and Termination
This DPA remains in effect for the duration of the KAITALK Service agreement and terminates automatically upon expiration or termination of that agreement, subject to the data retention obligations in Section 9.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles. Disputes shall be resolved in the courts of Delaware. For customers whose operations are primarily in Mexico, Mexican law applies to the extent required by mandatory provisions of the LFPDPPP.
14. Contact
For DPA execution, questions, or Data Subject Rights assistance:
- Email: legal@kaitalk.online
- Privacy: privacidad@kaitalk.online
- DSR portal: www.kaitalk.online/dsr