Karmaflow.ai Data Processing Addendum (DPA)
Last Updated: Aug 27, 2025
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Order Form, Statement(s) of Work, or other written or electronic agreement (the "Agreement") between Karmaflow Inc. d/b/a Karmaflow.ai ("Karmaflow.ai", "Provider", "Processor", "we", "us") and the customer entity identified in the Agreement ("Customer", "Controller", "you").
This DPA applies to the extent Karmaflow.ai processes Personal Data on behalf of Customer in the course of providing the Services. Customer enters into this DPA on behalf of itself and, where required, on behalf of its authorized Affiliates.
Order of Precedence. If there is a conflict between this DPA and the Agreement, this DPA controls for data-protection matters.
1. Definitions
Capitalized terms not defined here have the meanings in the Agreement. References to "GDPR" include the EU GDPR and the UK GDPR as applicable.
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings in the GDPR.
"Customer Personal Data" means Personal Data processed by Karmaflow.ai on behalf of Customer in connection with the Services.
"Data Protection Laws" means all laws relating to data protection, privacy, and electronic communications that apply to the Processing of Customer Personal Data, including GDPR, UK GDPR, PIPEDA, CCPA/CPRA, and any substantially similar U.S. state privacy laws, in each case as amended.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the EU Commission's Standard Contractual Clauses for data transfers to third countries (Module Two, Controller-to-Processor), per Implementing Decision (EU) 2021/914.
"Sub-processor" means any third-party Processor engaged by Karmaflow.ai to process Customer Personal Data.
2. Roles & Instructions
2.1 Roles. Customer is Controller; Karmaflow.ai is Processor.
2.2 Instructions. Karmaflow.ai will process Customer Personal Data only on documented instructions from Customer, including via the Agreement, this DPA, the admin/configuration of the Services by or for Customer, and as required by law. If an instruction violates Data Protection Laws, Karmaflow.ai will promptly inform Customer (unless law prohibits such notice).
2.3 Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data and of the Processing, including providing notices and obtaining consents (e.g., for recording/monitoring of voice, chat, SMS, and email as configured by Customer).
2.4 No Sale/Share. With respect to Customer Personal Data, Karmaflow.ai does not "sell" or "share" Personal Data as those terms are defined by the CCPA/CPRA.
3. Processor Obligations
3.1 Confidentiality. Karmaflow.ai ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
3.2 Security. Karmaflow.ai implements and maintains technical and organizational measures appropriate to the risk, as described in the Agreement's Schedule B (Security & Data Handling) and in Annex II to this DPA (together, the "TOMs").
3.3 Sub-processors.
Authorization. Customer provides a general authorization for Karmaflow.ai to engage Sub-processors.
List & Notice. Karmaflow.ai maintains a current Sub-processor list at /sub-processors and will provide at least 30 days' prior notice of additions or replacements (e.g., via the page or email to subscribed recipients).
Objection. Customer may object on reasonable data-protection grounds by written notice within 10 business days of publication. If the Parties cannot resolve the objection in good faith, either Party may terminate the affected Service(s) without penalty.
Flow-down & Liability. Karmaflow.ai will bind Sub-processors to data-protection obligations no less protective than this DPA and remains fully liable for Sub-processors' performance.
3.4 Data Subject Requests. Taking into account the nature of the Processing, Karmaflow.ai will assist Customer by appropriate technical and organizational measures, where possible, for fulfilling Customer's obligations to respond to requests under Data Protection Laws (access, deletion, correction, portability, restriction, objection, and opt-out rights). Karmaflow.ai will promptly notify Customer of any request it receives directly from a Data Subject.
3.5 Security Incidents. Karmaflow.ai will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and will provide information reasonably available for Customer to meet its obligations, and will cooperate on remediation. Notification is not an admission of fault.
3.6 Impact Assessments & Consultation. Upon request, Karmaflow.ai will provide reasonable assistance for data protection impact assessments (DPIAs) and prior consultations with supervisory authorities related to Customer's use of the Services, to the extent required by law and limited to the information available to Karmaflow.ai.
3.7 Return/Deletion. Upon termination of the applicable Order Form(s), Karmaflow.ai will, at Customer's choice, delete or return Customer Personal Data and delete existing copies within 30 days, unless applicable law requires retention (see also Agreement §5.4 and Schedule B).
3.8 Government Requests. Where legally permitted, Karmaflow.ai will notify Customer of any legally binding request for disclosure by a public authority. Karmaflow.ai will challenge unlawful or overbroad requests and will disclose only the minimum amount of data required by law.
4. Audit & Information Rights
Upon written request and subject to confidentiality obligations, Karmaflow.ai will make available information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports or summaries (e.g., SOC 2 Type II) when available. On-site audits are permitted only if required by law or a competent authority, and then no more than once in any 12-month period, on reasonable notice, during normal business hours, and without disrupting operations. Customer bears its audit costs; Karmaflow.ai will bear its own, except where a material non-compliance is found.
5. International Data Transfers
5.1 Processing Locations. Karmaflow.ai and its Sub-processors may process data in locations where they operate. Cross-border transfers will comply with Data Protection Laws.
5.2 EEA/Swiss/UK Transfers. For Customer Personal Data subject to the GDPR/Swiss DPA/UK GDPR transferred to a country not deemed adequate:
- EU SCCs. The SCCs (Module Two, Controller-to-Processor) are incorporated by reference. Clause 7 (Docking) applies. Clause 9(a): Option 2 (General Authorization). Clause 17: Governing law Ireland. Clause 18(b): Courts of Ireland. The information required by the SCCs is set out in Annexes I-III of this DPA.
- UK Addendum. For UK transfers, the UK International Data Transfer Addendum (Version B1.0) supplements the SCCs and is incorporated by reference.
- Swiss Add-On. For Swiss transfers, the SCCs will be read to align with Swiss law requirements, including references to Swiss authorities and the definition of sensitive data.
6. Jurisdiction-Specific Terms
6.1 California (CCPA/CPRA). For the CCPA/CPRA, Customer is Business and Karmaflow.ai is Service Provider. Karmaflow.ai will (a) not sell or share Customer Personal Data; (b) not retain, use, or disclose Customer Personal Data except to provide the Services for Customer's purposes and as otherwise permitted by law; and (c) not combine Customer Personal Data with personal data received from another person, except as permitted by the CPRA.
6.2 Canada (PIPEDA). Karmaflow.ai will meet its obligations as a processor under PIPEDA and assist Customer in meeting its own obligations, including for access requests and breach notifications where required.
6.3 Other U.S. State Laws. Where applicable, Karmaflow.ai will support Customer's compliance with substantially similar requirements under other U.S. state privacy laws (e.g., Virginia, Colorado, Connecticut, Utah).
7. Governing Law
Except as otherwise required by the SCCs/UK Addendum, this DPA is governed by the laws of Ontario, Canada, with venue in Ottawa, Ontario.
Annex I - Details of Processing
A. Parties
Data Exporter (Controller): The Customer entity identified in the Agreement.
Contact: As set in the Order Form or by notice.
Data Importer (Processor): Karmaflow Inc. d/b/a Karmaflow.ai.
Address: 150 Elgin St, Ottawa, ON K2P 1L5, Canada.
Contact (privacy): legal@karmaflow.ai.
Role: Processor of Customer Personal Data to provide the Services.
B. Description of Transfer
Categories of Data Subjects: Customer's end-users, customers, leads/prospects, employees, contractors, and other individuals whose data is submitted to the Services by or for Customer.
Categories of Personal Data:
- Contact - names, email addresses, phone numbers, postal addresses.
- Authentication - usernames, hashed credentials, role/permission metadata.
- Communications - content and metadata of voice calls, SMS, chat sessions, and emails; timestamps, durations, source/destination identifiers; transcripts and summaries.
- Technical - IP addresses, device identifiers, browser/user-agent, usage logs, diagnostics.
- Service Metadata - volumes, latencies, error rates, token counts, model routing decisions.
Special Categories/Sensitive Data (if any): Not intended. Customer agrees not to submit special categories of data or children's data under COPPA unless expressly permitted by the Agreement and configured for such purpose. Communications content may incidentally contain sensitive data at Customer's discretion.
Frequency & Duration: Continuous for the term of the Agreement; retained and deleted per Agreement §5.4 and this DPA §3.7.
Nature & Purpose: Hosting, processing, transmission, storage, retrieval, analytics, orchestration of AI Outputs, customer support, security and operations of the Services.
C. Competent Supervisory Authority
For the SCCs: Irish Data Protection Commission.
Annex II - Technical & Organizational Measures (TOMs)
Karmaflow.ai maintains the TOMs summarized below (further described in MSA Schedule B):
- Governance & Risk - documented ISMS; risk assessments; policies and standards; workforce training.
- Access Controls - least privilege; SSO/MFA where supported; role-based access; periodic access reviews; secure key management.
- Encryption - TLS 1.2+ in transit; encryption for secrets and tokens; secure storage of credentials.
- Secure Development - secure SDLC; code review; dependency scanning; static/dynamic analysis; change control.
- Vulnerability & Patch - regular scanning; timely remediation; penetration testing by qualified third parties (summary available on request).
- Monitoring & Logging - centralized logging; anomaly detection; alerting; tamper-resistant logs.
- Business Continuity - backups; recovery procedures; resilience engineering; tested runbooks.
- Incident Response - documented IR plan; defined roles; customer notification workflows; post-incident reviews.
- Vendor Management - security diligence of Sub-processors; contractual safeguards; continuous monitoring.
- Data Management - data minimization; retention schedules; deletion within 30 days post-term (unless law requires retention).
- Privacy by Design - feature reviews; data mappings; configurable controls for Customer (opt-in/opt-out, consents, recording announcements).
Annex III - Sub-processors
Customer provides a general authorization for Karmaflow.ai to use the Sub-processors listed at:
/sub-processors
Customers may subscribe for notice of changes by emailing legal@karmaflow.ai. Karmaflow.ai will provide at least 30 days' advance notice of new Sub-processors.
