Data Processing Agreement
Last updated: July 3, 2026
This Data Processing Agreement (DPA) is entered into by and between Klariqo (India) and the legal entity accessing or using Klariqo's services (Client), and governs the processing of Personal Data in connection with the services provided under the Klariqo Terms of Service.
1. Scope, Roles & Interpretation
Parties and Roles
The parties agree that for the purposes of processing Personal Data under this DPA, the Client acts as the Controller and Klariqo acts as the Processor of the Personal Data.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person that is processed by Klariqo on behalf of the Client in the course of providing the services.
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
- CCPA / CPRA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and all implementing regulations.
- GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679) and equivalent national laws.
Scope
This DPA applies to the processing of Personal Data of the Client's callers, customers, and representatives in connection with Klariqo's Managed Voice AI and Compliance and QA Layer services.
2. Details of Processing
Subject Matter
The processing of Personal Data by Klariqo to provide conversational AI, automated call transcription, post-call recording ingestion, quality assurance (QA) evaluation, and the generation of signed, tamper-evident evidence records (vCons).
Nature and Purpose
- Managed Voice AI: Real-time speech-to-text transcription, conversational AI processing, real-time speech synthesis, and dual-channel call recording to handle incoming and outbound customer interactions.
- Compliance and QA Layer: Post-call read-only ingestion of call recordings, transcription, automated scorecard evaluation, compliance risk analysis, and the cryptographic signing and storage of vCon records.
Duration of Processing
The processing of Personal Data shall continue for the duration of the Client's active subscription, plus the standard deletion window of 30 days following the termination of the subscription, unless a longer retention period is explicitly requested by the Client or required by applicable law.
Categories of Data Subjects
The Client's callers, customers, consumer leads, employees, agents, or other representatives whose voices, interactions, or details are processed through the Klariqo platform.
Categories of Personal Data
- Audio recordings of voice conversations.
- Text transcripts derived from call audio.
- Telephony metadata, including call timestamps, call duration, phone numbers, and call routing directions.
- Automated QA evaluation scores, compliance flags, sentiment indicators, and customer conversation outcomes.
3. Processor Obligations
Documented Instructions
Klariqo shall process Personal Data only on the documented, written instructions of the Client, including instructions configured in the Client's dashboard, API integrations, and as set forth in this DPA and the Terms of Service. Klariqo shall immediately inform the Client if, in its opinion, an instruction infringes applicable data protection laws.
Confidentiality of Personnel
Klariqo shall ensure that all employees, contractors, and agents authorized to process Personal Data are bound by strict contractual or statutory confidentiality obligations.
Security Measures
Klariqo shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, accidental loss, or destruction. These measures include:
- Encryption in Transit: TLS/HTTPS for all dashboard sessions, API integrations, and call ingestion paths.
- Encryption at Rest: Storage databases, call recordings, and generated vCon records are encrypted using AES-256.
- Cryptographic Integrity: Every compliance record (vCon) is sealed with a SHA-512 hash and signed with a private key using the RS256 algorithm, so that any tampering is immediately detectable.
- Access Control: Role-based access permissions partition data visibility within the dashboard based on business need.
- Infrastructure Audits: Hosting infrastructure runs on SOC 2-compliant cloud providers (Cloudflare, Supabase, Google Cloud Platform).
Assistance with Data Subject Requests
Klariqo shall, taking into account the nature of the processing, implement technical and organizational measures to assist the Client in fulfilling its obligations to respond to data subjects exercising their rights under applicable privacy laws (such as access, deletion, and rectification).
Personal Data Breach Notification
Klariqo shall notify the Client in writing without undue delay, and in any event within 72 hours, after becoming aware of any accidental, unauthorized, or unlawful acquisition, disclosure, loss, or destruction of Personal Data processed under this DPA.
- Klariqo's notification shall provide reasonable details regarding the nature of the incident, the categories of data affected, and any mitigation measures taken.
- Klariqo shall make reasonable efforts to investigate and remediate the incident, and shall cooperate with the Client to satisfy any legal notification requirements.
4. Sub-Processors
General Authorization
The Client grants general written authorization to Klariqo to engage the sub-processors listed in Section 5 of the Klariqo Privacy Policy to perform infrastructure and specialized service delivery functions.
Notice of Changes
Klariqo shall provide at least 30 days' advance notice to the Client of any planned additions or replacements to its sub-processor list. The Client may object to the change on reasonable data-protection grounds by notifying Klariqo in writing within 15 days of receiving the notice.
- If the Client objects, the parties shall discuss a mutually acceptable resolution.
- If no resolution is reached within 30 days, either party may terminate the affected services upon written notice.
Sub-Processor Agreements
Klariqo shall bind all engaged sub-processors to written agreements containing data-protection terms that are no less protective than those set forth in this DPA. Klariqo remains fully liable to the Client for the performance of its sub-processors' obligations.
Zero-Knowledge Witnessing
The Client acknowledges that JLINC, as a cryptographic witnessing partner, receives only zero-knowledge hashes and cryptographic signatures of compliance records. JLINC never receives raw audio, caller identities, transcript text, or QA scores.
5. International Data Transfers
US Processing Infrastructure
The Client acknowledges that Personal Data processed under this DPA is transferred to and processed on cloud infrastructure located in the United States.
Transfer Safeguards
To the extent that the transfer of Personal Data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to India or the United States requires appropriate transfer mechanisms under applicable laws, the parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent regulatory agreements, shall apply and are incorporated by reference.
6. Audit & Information Rights
Information Provision
Klariqo shall make available to the Client, upon reasonable written request, all information necessary to demonstrate compliance with the obligations set forth in this DPA.
Audits and Inspections
- Klariqo shall allow for and contribute to reasonable audits and inspections conducted by the Client or an independent auditor designated by the Client, to verify compliance with this DPA.
- Any such audit must be requested with at least 30 days' advance written notice, shall occur no more than once per calendar year (except in the event of a documented data breach), and shall be conducted during normal business hours.
- The auditor must execute a strict confidentiality agreement prior to the audit, and the audit must be designed to minimize disruption to Klariqo's business operations. The Client shall bear all costs associated with the audit.
7. Deletion or Return of Data
Upon the termination of the Client's subscription, Klariqo shall, at the choice of the Client, delete or return all Personal Data in its possession within 30 days, except where applicable local, state, or federal law requires ongoing retention of certain billing, corporate, or tax records.
The Client may elect to continue storing its signed vCon evidence records with Klariqo post-termination under an active, standalone evidence storage plan.
8. Limitation of Liability
The parties agree that any liability arising under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations, exclusions, and aggregate caps set forth in the Limitation of Liability section of the Klariqo Terms of Service.
9. CCPA & CPRA Specific Terms
To the extent that CCPA or CPRA applies to the processing of Personal Data under this Agreement, Klariqo agrees that:
- It acts as a Service Provider (or Processor) under the CCPA/CPRA.
- It shall not sell or share the Personal Data of consumers.
- It shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than the business purposes specified in the Agreement.
- It shall not combine Personal Data received from, or on behalf of, the Client with Personal Data that it receives from, or on behalf of, another person or entity, except as permitted under the CCPA/CPRA.