Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between:

Data Controller (Customer): The entity or person using Kallina AI services

Data Processor:
MEGA PROMOTING S.R.L.
IDNO: 1019600021765
Address: mun. Chișinău, str. Alexandru cel Bun 51, of.51
Republic of Moldova
IT Park Moldova Resident

This DPA supplements the Terms of Service and defines the parties' obligations regarding the protection of personal data processed in the context of using Kallina AI services.

For the purposes of this DPA:

• "Personal Data" - any information relating to an identified or identifiable natural person (Art. 4(1) GDPR)
• "Processing" - any operation performed on personal data (Art. 4(2) GDPR)
• "Controller" - entity that determines purposes and means of processing (Art. 4(7) GDPR)
• "Processor" - entity that processes data on behalf of the controller (Art. 4(8) GDPR)
• "Sub-processor" - third party engaged by processor for processing
• "Data Breach" - security incident affecting personal data

Subject matter: Provision of Kallina AI Voice services, including:

• Processing phone calls through AI receptionist
• Transcription and analysis of conversations
• Storage of recordings and transcriptions
• Generation of reports and analytics

Duration: Processing continues for the duration of the service agreement and the retention period specified thereafter.

Categories of personal data processed:

• User identification data (name, email, phone)
• Voice data (audio recordings of calls)
• Text transcriptions of conversations
• Call metadata (date, time, duration, caller number)
• Platform usage data

Categories of data subjects:

• Controller's employees and representatives
• Controller's customers and potential customers
• Callers (persons contacting the Controller by phone)

MEGA PROMOTING S.R.L., as processor, undertakes to:

• Process only on instructions: Process personal data only based on Controller's documented instructions (Art. 28(3)(a) GDPR)
• Confidentiality: Ensure authorized persons are bound by confidentiality (Art. 28(3)(b) GDPR)
• Security: Implement technical and organizational measures per Art. 32 GDPR
• Sub-processors: Not engage another processor without prior authorization
• Assistance: Assist Controller in fulfilling data subject rights obligations
• Deletion/Return: Delete or return all personal data at end of services
• Audit: Make available all information for compliance demonstration

We implement the following security measures per Art. 32 GDPR:

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access Control: RBAC, mandatory MFA, least privilege principle
• Availability: Geographic redundancy, daily backups, RTO < 4h
• Monitoring: SIEM, intrusion detection, complete logging
• Physical: Certified data centers (ISO 27001, SOC 2)
• Organizational: Security policies, employee training, NDAs

Controller grants general authorization for sub-processor engagement with:

• 30 days prior notice of any changes
• Controller's right to object within 14 days
• Equivalent contractual obligations for sub-processors
• Processor remains liable for sub-processor actions

Complete list: /legal/subprocessors

Data transfers outside EEA only with appropriate safeguards:

• Standard Contractual Clauses (SCC) - Decision (EU) 2021/914
• Transfer Impact Assessments (TIA) - performed for each destination
• Supplementary measures - encryption, pseudonymization, access controls

In case of a personal data breach:

• Processor notifies Controller within 48 hours of becoming aware
• Notification includes all information required for authority notification (Art. 33(3) GDPR)
• Processor assists Controller in investigating and remedying the incident
• Processor documents all breaches in internal register

Processor assists Controller in responding to data subject requests regarding access, rectification, erasure, restriction, portability, and objection rights. Requests received directly are forwarded to Controller within 5 business days.

Each party is liable for damages caused by processing that violates GDPR, per Art. 82 GDPR. Controller is liable for its own breaches; Processor is liable only for breaches of processor-specific obligations or actions outside Controller's lawful instructions.

For questions regarding this DPA:

MEGA PROMOTING S.R.L.
IDNO: 1019600021765
Email: contact@kallina.info
Phone: +373 61 066 888