Data Processing Addendum

In this Addendum, "Customer" is the business entity that agrees to our Terms of Service, and "Kalcend" is Kalcend Technologies Pvt. Ltd., DS-Suite 22, TC 24/3088/2, Dotspace Business Center, Kaudiar Square, Thiruvananthapuram, Kerala 695003, India. For personal data the Customer uploads or processes through the Service ("Customer Personal Data"), the Customer is the data controller / Data Fiduciary and Kalcend is the data processor / Data Processor.

• Subject matter: provision of the Kalcend platform
• Duration: the term of the Customer's subscription, plus deletion periods
• Nature & purpose: hosting, transmitting, and processing Customer Personal Data to deliver the Service on the Customer's instructions
• Types of data: contact identifiers, message and conversation content, voice audio/transcripts, uploaded documents, and integration data
• Data subjects: the Customer's contacts, end-users, and personnel

• Process Customer Personal Data only on the Customer’s documented instructions, including the Terms and this Addendum
• Ensure personnel authorised to process the data are bound by confidentiality
• Implement appropriate technical and organisational security measures (Section 4)
• Engage sub-processors only under Section 3 and remain responsible for their performance
• Assist the Customer in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment duties
• Make available information needed to demonstrate compliance and allow for audits (Section 9)

The Customer authorises Kalcend to engage the sub-processors listed below. We impose data-protection obligations on each that are no less protective than this Addendum. We will give notice of any new sub-processor and allow the Customer a reasonable period to object on legitimate data-protection grounds.

• Encryption of data in transit (TLS) and at rest for primary stores
• Encrypted storage of connected-account credentials
• Role-based, organisation-scoped access controls and least-privilege key management
• Environment isolation between staging and production
• Audit logging and monitoring
• Regular vulnerability patching and review

Kalcend will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide the information the Customer reasonably needs to meet its own notification obligations to authorities (including the Data Protection Board of India) and affected data subjects.

Core Customer Personal Data is stored in India (Google Cloud asia-south1). Where sub-processors (OpenAI, Anthropic, Browserbase, Twilio, Slack, Composio, PostHog, Paddle, Algolia and Brevo) process data outside India, transfers are made under the recipients' contractual data-protection commitments, and under Standard Contractual Clauses or an equivalent safeguard for data subject to the GDPR/UK GDPR.

Taking into account the nature of the processing, Kalcend will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, correction, erasure, withdrawal of consent, and similar). Requests we receive directly relating to a Customer's data will be referred to that Customer.

On termination of the Service, Kalcend will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies unless retention is required by law. Active-system data is deleted promptly and purged from backups on the next cycle.

Kalcend will make available information reasonably necessary to demonstrate compliance with this Addendum and, on reasonable prior notice and subject to confidentiality, contribute to audits conducted by the Customer or an auditor it mandates.