Data Processing Agreement

Effective Date: 2 August 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between HelloKai Ltd. ("Kai", "we", "us") and you ("Customer", "you") for the use of Kai's services ("Services"). This DPA governs the processing of Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR") and the UK Data Protection Act 2018.

2. Definitions

  • "Personal Data" has the meaning set out in applicable Data Protection Laws
  • "Data Protection Laws" means GDPR, UK GDPR, and other applicable privacy and data protection laws
  • "Data Controller" means the Customer who determines the purposes and means of processing
  • "Data Processor" means Kai, who processes Personal Data on behalf of the Customer
  • "Sub-processor" means any third party engaged by Kai to process Personal Data

3. Scope and Applicability

This DPA applies to all Personal Data processed by Kai on behalf of Customer in the provision of the Services. The categories of Personal Data and processing activities are detailed in Annex 1 below.

4. Roles and Responsibilities

4.1 Customer as Data Controller

Customer acknowledges that it:

  • Is the Data Controller for Personal Data submitted to the Services
  • Has the legal basis for processing and transferring Personal Data to Kai
  • Has provided all necessary notices to Data Subjects
  • Will comply with all applicable Data Protection Laws

4.2 Kai as Data Processor

Kai acknowledges that it:

  • Acts as a Data Processor on behalf of Customer
  • Will process Personal Data only on documented instructions from Customer
  • Will implement appropriate technical and organizational measures
  • Will assist Customer in meeting its compliance obligations

5. Processing Instructions

Kai will process Personal Data only:

  • On documented instructions from Customer, including those set out in this DPA
  • As necessary to provide the Services
  • As required by applicable law (with notice to Customer where legally permitted)

6. Security Measures

Kai implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, and availability
  • Regular testing and evaluation of security measures
  • Incident response and breach notification procedures

7. Sub-processors

7.1 Authorization

Customer provides general authorization for Kai to engage Sub-processors, subject to the conditions in this section.

7.2 Current Sub-processors

Current Sub-processors include:

  • Google Cloud Platform: Cloud infrastructure and hosting
  • OpenAI: AI processing and content generation
  • PostHog: Analytics and product insights

7.3 Sub-processor Requirements

Kai ensures that Sub-processors:

  • Are bound by written agreements with equivalent data protection obligations
  • Implement appropriate technical and organizational measures
  • Are subject to regular compliance monitoring

8. Data Subject Rights

Kai will assist Customer in fulfilling Data Subject requests by:

  • Providing access to Personal Data where technically feasible
  • Implementing corrections or updates as instructed
  • Deleting Personal Data upon request
  • Providing data in a portable format where applicable

9. Personal Data Breach

Kai will:

  • Notify Customer of any Personal Data breach without undue delay (within 24 hours where feasible)
  • Provide sufficient information to enable Customer to assess the breach
  • Assist Customer in breach notification obligations to authorities and Data Subjects
  • Implement immediate containment and remediation measures

10. Data Transfers

For transfers of Personal Data outside the EEA/UK:

  • Kai ensures adequate safeguards are in place
  • Standard Contractual Clauses apply where required
  • Additional protective measures are implemented as needed

11. Data Retention and Deletion

  • Personal Data is retained only as long as necessary for the Services
  • Data is deleted or returned upon termination of Services
  • Backup data is securely deleted within 90 days
  • Customer may request earlier deletion at any time

12. Audits and Compliance

Kai will:

  • Maintain records of processing activities
  • Submit to audits and inspections as required
  • Provide information necessary to demonstrate compliance
  • Notify Customer of any compliance issues

13. Liability and Indemnification

Each party's liability is limited to direct damages resulting from a breach of this DPA. Kai will indemnify Customer against claims arising from Kai's non-compliance with Data Protection Laws.

14. Term and Termination

This DPA remains in effect for the duration of the Services agreement. Upon termination:

  • Kai will cease processing Personal Data
  • Data will be deleted or returned as instructed
  • Copies in backup systems will be securely deleted

Annex 1: Processing Details

Categories of Data Subjects

  • Customer's employees and authorized users
  • External contacts and collaborators
  • Recipients of messages and notifications

Categories of Personal Data

  • Identity data (names, usernames, email addresses)
  • Contact information
  • Communications content (messages, files, metadata)
  • Usage data (timestamps, interaction logs)
  • Integration data (from connected third-party services)

Processing Purposes

  • Providing the core feed aggregation service
  • AI-powered content analysis and summarization
  • User authentication and authorization
  • Service improvement and analytics
  • Customer support and troubleshooting

Processing Operations

  • Collection and ingestion of data from integrated services
  • Storage and organization of Personal Data
  • Analysis and processing using AI models
  • Transmission and display to authorized users
  • Backup and disaster recovery operations

Questions about data processing?
Contact our privacy team at privacy@hellok.ai for questions about this DPA or data processing practices.