Data Processing Agreement

Version 1.2 · Last updated April 15, 2026

This Data Processing Agreement ("DPA") forms part of the Kazozo Terms of Service or Master Services Agreement ("Agreement") between the customer ("Controller") and Kazozo, Inc. ("Processor," "Kazozo"). It governs the processing of Personal Data by Kazozo on behalf of the Controller in connection with the Kazozo service (the "Service").

Need a countersigned copy? This DPA is available for signature under mutual NDA for paying customers. Email legal@kazozo.com with your legal entity name and we'll route a DocuSign package within one business day. For most customers, the terms below are sufficient to evidence GDPR Article 28 compliance without a separate signature.

Contents

  1. Definitions
  2. Scope and roles
  3. Processing instructions
  4. Confidentiality and personnel
  5. Security measures
  6. Subprocessors
  7. Data subject rights
  8. Breach notification
  9. Audit and information
  10. International transfers
  11. Retention and return
  12. Liability and term

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in the GDPR (Regulation (EU) 2016/679). "Personal Data," "Data Subject," "Controller," "Processor," "Processing," and "Personal Data Breach" have the meanings in GDPR Article 4. "Customer Personal Data" means Personal Data that Kazozo processes on behalf of the Controller in providing the Service.

2. Scope and roles

Kazozo acts as a Processor (or Sub-processor, where the Controller is itself a processor) of Customer Personal Data. The Controller acts as the Controller (or Processor-Controller, as applicable) and is solely responsible for the lawfulness of its collection and the instructions it gives Kazozo.

Subject matter: provision of the Kazozo AI agent platform.

Duration: the term of the Agreement plus any retention period.

Nature and purpose: hosting, processing, and analyzing customer communications to operate AI agents configured by the Controller.

Types of Personal Data: contact details (name, email, phone), conversation content, user-submitted metadata.

Categories of Data Subjects: the Controller's end users, leads, customers, employees, and other individuals who interact with the Service.

3. Processing instructions

Kazozo processes Customer Personal Data only on documented instructions from the Controller, including as set out in the Agreement, this DPA, and the Controller's use of configuration options in the Service. If Kazozo believes an instruction violates applicable data-protection law, it will inform the Controller without undue delay.

Kazozo will not use Customer Personal Data for its own purposes, for advertising, or to train shared AI models without the Controller's explicit written consent.

4. Confidentiality and personnel

Kazozo ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory). Access is granted on a need-to-know basis and is revoked promptly on role change or termination.

5. Security measures

Kazozo maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include, without limitation:

The current detailed list of measures is described on our Trust & Security page and updated as controls evolve.

6. Subprocessors

The Controller provides general authorization for Kazozo to engage Sub-processors to assist in providing the Service. The current list is maintained at kazozo.com/subprocessors.html.

Kazozo will give the Controller at least 30 days' advance notice before adding or replacing a Sub-processor, by updating the subprocessors page and notifying subscribed customers. The Controller may object to a new Sub-processor on reasonable, documented data-protection grounds within 14 days. Kazozo will work in good faith to address the objection; if no resolution is reached, the Controller may terminate the affected portion of the Service without penalty for the remainder of the current term.

Kazozo imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains responsible to the Controller for the Sub-processor's performance.

7. Data subject rights

Kazozo provides the Controller with self-service tools (export, deletion, correction) within the Service to respond to Data Subject requests. Where Kazozo receives a request directly from a Data Subject, it will, without undue delay, forward the request to the Controller without responding to the substance unless legally required.

Kazozo will assist the Controller, taking into account the nature of the processing, with its obligations under GDPR Articles 32–36 (security, breach notification, impact assessments, prior consultation), at a cost reasonably reflecting the effort involved.

8. Breach notification

Kazozo will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach involving Customer Personal Data. The notice will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.

9. Audit and information

Kazozo will make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, including its current security documentation, penetration-test summaries, and a completed SIG Lite or CAIQ questionnaire on request.

On reasonable prior written notice (at least 30 days) and no more than once per 12-month period (unless required by a regulator or following a Personal Data Breach), the Controller may conduct an audit, either directly or through an independent third-party auditor bound by confidentiality. Audits must be scoped to data-protection matters, conducted during business hours, and designed to minimize disruption. The parties will agree on scope and timing in advance.

10. International transfers

To the extent Customer Personal Data originating in the EEA, United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Commission Decision 2021/914/EU), Module Two (Controller to Processor) or Module Three (Processor to Processor, as applicable), which are incorporated by reference into this DPA. For UK transfers, the UK International Data Transfer Addendum (version B1.0) is incorporated and applies. Where available and applicable, Kazozo's certification under the EU–US Data Privacy Framework (and UK and Swiss extensions) may also be relied on.

11. Retention and return

Kazozo processes Customer Personal Data for the duration of the Agreement and for a grace period of 30 days thereafter during which the Controller may export its data. After the grace period, Kazozo will delete or anonymize Customer Personal Data within 90 days, except where retention is required by law or for the defense of legal claims, in which case the data remains subject to the confidentiality and security obligations of this DPA.

12. Liability and term

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement. This DPA terminates automatically on termination of the Agreement; Kazozo's obligations with respect to any data retained after termination survive until that data is deleted or returned.

Contact

For DPA execution, redlines, or data-protection questions, contact legal@kazozo.com. For data subject requests, contact privacy@kazozo.com. Our EU representative and UK representative details are available on request.