Data Processing Agreement (DPA)

This DPA regulates the processing of personal data carried out by Camaly during the provision of its services, including automations, artificial intelligence agents, external integrations, APIs, operational workflows, and other platform functionalities. Camaly will process personal data only in accordance with documented instructions from the Controller and exclusively for the purposes of executing the contracted services.

For the purposes of this Agreement, the following definitions apply:

• "Personal Data": any information related to an identified or identifiable natural person.

• "Controller": natural or legal person responsible for decisions regarding data processing.

• "Processor": Camaly, responsible for carrying out processing on behalf of the Controller.

• "Subprocessors": outsourced service providers used by Camaly to execute part of the processing operations.

Camaly undertakes to:

a) process personal data in accordance with lawful, documented instructions provided by the Controller;

b) adopt appropriate technical and organizational measures for data protection, including encryption, authentication, access control, active monitoring, and incident prevention;

c) ensure that employees authorized to process personal data are subject to confidentiality obligations;

d) notify the Controller, within a reasonable time, of any personal data breach that may result in risk to data subjects;

e) not use personal data for any purpose other than the execution of contracted services.

The Controller declares itself responsible for:

a) ensuring that it has an adequate legal basis for the collection and provision of personal data processed by Camaly;

b) not sending excessive, sensitive, or unnecessary data;

c) respecting applicable legislation regarding privacy and data protection;

d) providing clear, accurate, and documented instructions on data processing.

Camaly may use subprocessors to execute certain technical or operational operations, such as hosting, infrastructure, AI processing, message delivery, payments, and digital security. Subprocessors currently used include, among others:

• AWS – Amazon Web Services (hosting, security)

• Google Cloud Platform (processing and infrastructure)

• OpenAI and Anthropic (artificial intelligence processing)

• Stripe (payments)

• Meta Platforms (WhatsApp Business API and Meta Cloud API)

• Cloudflare (security, firewall, optimization, and CDN)

The list may be updated periodically, with the Controller guaranteed the right to request clarifications about new subprocessors.

Camaly may transfer personal data to other countries, including the United States. In such cases, it will adopt adequate safeguards, such as Standard Contractual Clauses (SCC), in addition to technical and organizational measures capable of ensuring the adequate level of protection required by legislation.

Camaly implements security measures compatible with international standards, including encryption, granular access control, environment segregation, backups, continuous monitoring, and robust governance practices to prevent unauthorized access, loss, alteration, or destruction of data.

In case of a personal data breach that may result in risk to data subjects, Camaly will notify the Controller within a reasonable time after its identification, informing:

a) nature of the breach;

b) data and affected data subjects;

c) measures taken for mitigation;

d) recommendations for the Controller.

Upon termination of the contractual relationship between the parties, Camaly will delete or return to the Controller all processed personal data, except in cases where legislation requires retention for an additional period (such as tax and accounting obligations).

The Controller may request additional information about Camaly's privacy and security practices, with reasonable transparency ensured about implemented measures, provided there is no violation of trade secrets, intellectual property, or operational security.

This Agreement may be updated periodically. The most recent version will be published on Camaly's website and will take effect from its publication.

Questions or requests regarding this DPA may be sent to: support@camaly.io.