Data Processing Addendum (DPA)

Last updated: September 22, 2025
This DPA forms part of the Terms of Service or other written agreement between Customer and Kolby AI (“Kolby”) governing Customer’s use of Kolby’s services (the “Agreement”). It reflects the parties’ agreement on the processing of Personal Data in accordance with applicable data protection laws, including the EU/UK GDPR and U.S. state privacy laws. If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict.

1) Roles & Relationship

For Customer Content that includes Personal Data and is submitted to the Kolby platform by or on behalf of Customer: Customer is the Controller (or Business) and Kolby is the Processor (or Service Provider). For account administration data, product telemetry, billing, marketing sites, and similar Kolby-determined processing, Kolby acts as an independent Controller. Details are set out in our Privacy Policy.

2) Key Definitions

  • Personal Data: any information relating to an identified or identifiable natural person processed under this DPA.
  • Controller/Processor: as defined by GDPR (and Business/Service Provider under applicable U.S. law).
  • Data Protection Laws: EU/EEA/UK data protection laws, Swiss FADP, and applicable U.S. state privacy laws (e.g., CCPA/CPRA).
  • Sub-processor: any third party engaged by Kolby to process Personal Data for the Service.
  • Standard Contractual Clauses (“SCCs”): the EU Commission 2021/914 clauses, as implemented below.

3) Processing & Documented Instructions

Kolby will process Personal Data only (a) to provide and improve the Service; (b) in accordance with Customer’s documented instructions as set forth in the Agreement and this DPA; and (c) as required by law. Customer is responsible for the lawfulness of its instructions and for providing required notices and obtaining necessary consents.

Processing details (subject matter, duration, nature, purpose, data types, and data subjects) are described in Annex I.

4) Sub-processors

  • Customer authorizes Kolby to engage Sub-processors to support the Service. Kolby remains responsible for Sub-processors’ obligations.
  • Kolby imposes data protection terms on Sub-processors that are at least as protective as those in this DPA.
  • Current core Sub-processors are listed on our Security page and/or AUP. Kolby will provide notice of material changes and, where required, an opportunity to object.

5) International Transfers & SCCs

Where Kolby’s processing involves a transfer of Personal Data outside the EEA/UK/Switzerland to a country not recognized as providing an adequate level of protection, the parties agree the SCCs are incorporated by reference:

  • EU SCCs (2021/914): Module 2 (Controller→Processor) and/or Module 3 (Processor→Processor), as applicable.
  • UK Addendum: The UK International Data Transfer Addendum (or IDTA) applies to UK transfers.
  • Swiss Addendum: Swiss FADP terms apply mutatis mutandis to Swiss transfers.

The SCCs/Addenda will prevail for the relevant transfers. Annexes in this DPA serve as Annexes to the SCCs/Addenda. Execution of the Agreement is deemed execution of the SCCs/Addenda where required by law.

6) Security Measures

Kolby implements appropriate technical and organizational measures designed to protect Personal Data, as described in Annex II and our Security page. Kolby will maintain certifications or third-party assessments where described on that page and will not materially decrease the overall security of the Service.

7) Data Subject Requests

Taking into account the nature of the processing, Kolby will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as feasible, for Customer to respond to requests to exercise Data Subject rights (access, deletion, correction, portability, restriction, objection). If Kolby receives a request directly, Kolby will promptly notify Customer and not respond except to direct the requester to Customer, unless legally required.

8) Personal Data Breach

Kolby will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data, and provide information reasonably available to assist Customer in meeting any breach notification obligations. Such notice is not an acknowledgement of fault. Customer is responsible for required notifications to individuals/regulators.

9) Audit & Compliance

  • Kolby will make available information necessary to demonstrate compliance with this DPA (e.g., summaries of audits/assessments) and will allow audits by Customer or its appointed auditor no more than annually, on reasonable notice, during normal business hours, and subject to confidentiality and safety controls.
  • Where feasible, the parties will rely on independent third-party reports and questionnaires to meet audit needs and minimize disruption.

10) Return & Deletion

Upon termination or expiry of the Agreement, Kolby will, at Customer’s choice and to the extent supported by the Service, delete or return Customer Personal Data (unless retention is required by law or permitted for limited dispute-resolution, fraud-prevention, or security purposes). Deletion may occur from backups on the next standard cycle.

11) Government & Law-Enforcement Requests

If Kolby receives a legally binding demand for Customer Personal Data from a public authority, Kolby will (unless legally prohibited) promptly notify Customer and seek to limit the disclosure to what is lawfully required. Kolby will assess any conflicts of law and, where applicable, follow the SCCs’ requirements (e.g., transparency and challenge obligations).

12) Liability, Indemnity & Precedence

  • Each party’s liability arising from or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by law.
  • In case of conflict between this DPA and the Agreement, this DPA prevails for data protection matters. In case of conflict between this DPA and the SCCs/Addenda, the SCCs/Addenda prevail for the relevant transfers.

13) Changes

Kolby may update this DPA as permitted by the Agreement. Material changes will be notified to Customer as described in the Agreement and will apply prospectively. Continued use of the Service after the effective date constitutes acceptance.

14) Contact

DPA or privacy questions: privacy@kolby.com • Security: security@kolby.com • Legal: legal@kolby.com

Annex I – Details of Processing

Subject matter & duration: Processing of Customer Personal Data submitted to, stored in, or derived from use of Kolby’s Service for the term of the Agreement plus any retention required by law or permitted for dispute/security purposes.

Nature & purpose: Provision, maintenance, and improvement of AI-assisted call guidance, analytics, coaching, search across Customer-provided knowledge, and related support, security, and billing.

Categories of Data Subjects: Customer’s agents, end-customers, prospects, and other individuals whose data Customer inputs or captures via the Service.

Types of Personal Data: Contact details; account identifiers; call/meeting metadata; conversation content and transcripts; support interactions; usage telemetry; content Customer uploads (e.g., FAQs, policy updates). Customer should avoid uploading special category/sensitive data unless a lawful basis exists and the Kolby features/controls for such data are enabled.

Special Categories: Not required for the Service. If processed, only where strictly necessary, lawfully permitted, and configured by Customer.

Frequency of transfer: Continuous or as determined by Customer’s use.

Retention: As configured by Customer and the Agreement; otherwise deleted/returned at termination and purged from backups on standard cycles.

Competent supervisory authority: Determined in accordance with the GDPR (e.g., the supervisory authority of Customer’s main EU establishment). For UK transfers, the ICO.

Annex II – Technical & Organizational Measures (TOMs)

  • Access control: Role-based access; need-to-know; SSO/MFA where available; unique credentials; session management.
  • Encryption: TLS in transit; encryption at rest for primary data stores; key management via reputable cloud KMS.
  • Segregation & isolation: Logical separation of Customer environments; least-privilege for production access.
  • App & infra security: Secure SDLC; code review; dependency scanning; vulnerability management; hardened cloud baseline.
  • Monitoring & logging: Centralized logging; anomaly detection; alerting; incident response runbooks and on-call coverage.
  • Business continuity: Redundant cloud infrastructure; backups; tested restoration procedures.
  • Personnel: Security training; confidentiality agreements; background checks where legally permitted.
  • Third-party risk: Vendor due diligence; data protection terms with Sub-processors; periodic review.
  • Privacy by design: Minimize data; configurable retention; privacy mode options; audit trails.
  • Customer controls: Admin tools for access, export, and deletion; configurable retention; DSR request workflows.

Additional details and current certifications/assessments are available on our Security page.

Annex III – Authorized Sub-processors

Kolby engages a limited set of infrastructure, analytics, and model-inference providers to deliver the Service. The up-to-date list (including regions and roles) is published on our Security page. Customer may subscribe to change notifications where offered and may object to material changes as permitted by the Agreement.

This DPA is provided for convenience and does not constitute legal advice. We recommend you consult counsel to ensure this meets your compliance obligations.