Kalvo Data Processing Addendum

    Last updated: May 4, 2026

    This Data Processing Addendum ("DPA") forms part of the Agreement between Kalvo ("Processor") and the Customer ("Controller") for Personal Data processed on behalf of the Customer in connection with the Services.

    1. Roles

    For Personal Data about Recipients and leads that the Customer uploads or processes, the Customer is Controller and Kalvo is Processor. For account and billing data Kalvo collects directly from you, Kalvo is Controller (see Privacy Policy).

    2. Processor obligations

    Kalvo processes Personal Data only on documented instructions unless law requires otherwise; ensures confidentiality of authorized personnel; implements appropriate technical and organizational measures (Annex C to be provided on request); assists with data subject requests and Articles 32–36 GDPR; deletes or returns data after service end unless law requires retention; allows one audit per 12 months on 30 days' notice, subject to confidentiality and your expense unless material non-compliance is found.

    3. Subprocessors

    The list at /subprocessors applies. Kalvo gives 30 days' notice of changes; you may object as described there.

    4. International transfers

    EEA: EU Standard Contractual Clauses (2021/914), Module 2, incorporated by reference. UK: UK International Data Transfer Addendum B1.0. Switzerland: SCCs read to include FADP. Canada: PIPEDA accountability and contractual safeguards.

    5. Security incidents

    Kalvo notifies you without undue delay and within 48 hours of becoming aware of a Personal Data Breach affecting your data, with information required under Article 33(3) GDPR where applicable.

    6. Liability

    Subject to the Terms of Service limitation of liability.

    7. Precedence

    SCCs prevail over this DPA; this DPA prevails over conflicting Terms provisions.

    Annex A: SCC Module 2 selections (available on request).

    Annex B: Description of processing — categories include account identifiers, call metadata, lead/contact fields you upload; purposes are providing the dialer; duration per Privacy Policy retention.

    Annex C: Security measures summary — TLS, access control, encryption at rest where used, logging.

    CONTACT: legal@kalvo.io