Kolva
Sign inStart Free Trial

Data Processing Agreement

GDPR-compliant agreement governing Kolva's processing of personal data on behalf of customers.

Effective: April 18, 2026|Last updated: April 18, 2026|v1.0 · EN|

Data Processing Agreement

Version: 1.0
Effective Date: April 18, 2026
Last Updated: April 18, 2026
Document Owner: Talentee LLC (trading as Kolva)

This Data Processing Agreement ("DPA") supplements and forms part of the Kolva Terms of Service (the "Principal Agreement") between Talentee LLC, a Wyoming limited liability company with its registered office in Sheridan, Wyoming, United States ("Kolva", "Processor", "we" or "us") and the entity identified as the customer in the applicable order form or signup flow ("Customer", "Controller", "you").

This DPA reflects the parties' agreement with regard to the processing of Personal Data that Kolva carries out on behalf of Customer when providing the Kolva platform and related services (the "Service"). It is designed to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection ("FADP") and, to the extent applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's LGPD and other analogous data protection laws ("Data Protection Laws").

In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the subject matter addressed herein.

1. Definitions

1.1 Capitalised terms used but not defined in this DPA have the meanings given in the Principal Agreement or in the applicable Data Protection Laws.

1.2 For the purpose of this DPA:

  • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • "Controller" means the natural or legal person who determines the purposes and means of the Processing of Personal Data, which, for the purpose of this DPA, is the Customer.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Personal Data" means any information processed by Kolva on behalf of Customer in the context of the Service that relates to an identified or identifiable natural person, including data transferred from Customer's ERP, CRM or other connected systems.
  • "Processing" means any operation performed on Personal Data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, disclosure, combination, restriction, erasure or destruction.
  • "Processor" means the natural or legal person that processes Personal Data on behalf of the Controller, which, for the purpose of this DPA, is Kolva.
  • "Personal Data Breach" has the meaning set out in Article 4(12) GDPR.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor).
  • "Sub-processor" means any third party engaged by Kolva (or its Affiliates) to Process Personal Data on behalf of Customer.
  • "Support Personnel" means Kolva employees and contractors who are bound by confidentiality obligations and whose duties may require access to Customer's Personal Data for legitimate support, incident response or configuration assistance.

2. Scope, Roles and Purpose

2.1 Roles. With respect to Personal Data processed under this DPA, Customer is the Controller and Kolva is the Processor. Where Customer itself acts as a processor for another controller (for example, an enterprise customer hosting multiple subsidiaries), Kolva acts as a sub-processor and the obligations in this DPA apply accordingly.

2.2 Scope. This DPA applies to all Personal Data that Kolva processes on behalf of Customer in connection with the Service, including Personal Data that is synchronised into the Kolva platform by a Kolva agent deployed in Customer's environment or transmitted through cloud integrations with Customer's existing information systems.

2.3 Documented instructions. Customer's documented instructions to Kolva are set out in (i) the Principal Agreement, (ii) this DPA, (iii) Customer's use of the Service (including configuration choices, connector selection, user permissions and data exports), and (iv) any additional written instructions agreed by the parties. Kolva will process Personal Data only in accordance with those instructions, unless required to do otherwise by applicable law. In that case Kolva will, to the extent legally permitted, inform Customer of the legal requirement before carrying out the Processing.

2.4 Subject matter and duration. The subject matter of the Processing is the provision of the Service. The Processing starts when Customer first uses the Service and continues until expiration or termination of the Principal Agreement and completion of the return or deletion obligations set out in Section 12.

2.5 Nature and purpose. The nature of the Processing includes hosting, storage, structuring, retrieval, display, AI-assisted analysis, recommendation generation, synchronisation with Customer's source systems, notifications, auditing and security monitoring. The purpose is to provide, secure, maintain, support and improve the Service for Customer's benefit.

2.6 Categories of Data Subjects. Personal Data may relate to Customer's employees, contractors, agents and other authorised users; Customer's clients, prospects and their contact persons; Customer's suppliers and their contact persons; and, where applicable, end users of Customer's products or services.

2.7 Categories of Personal Data. The Personal Data processed may include identification data (name, job title), contact data (business email, phone number, address), authentication data, professional and commercial data (order history, invoicing, receivables, visit notes, pipeline stage, competitor mentions), geolocation data (GPS coordinates tied to field visits), device and usage data (IP address, device identifier, log data), voice recordings (when Customer enables voice debrief features) and any other Personal Data that Customer chooses to submit to the Service. Customer is responsible for ensuring that the Service is not used to process special categories of Personal Data unless Customer has configured the Service appropriately and implemented any additional safeguards required under applicable law.

3. Obligations of the Processor

3.1 Compliance. Kolva shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law. In such a case Kolva shall inform Customer of that legal requirement before the Processing, unless the law prohibits such information on important grounds of public interest.

3.2 Confidentiality. Kolva ensures that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Kolva limits access to Personal Data to Support Personnel who require such access to perform their duties.

3.3 Security. Kolva takes all measures required pursuant to Article 32 GDPR as further described in Section 6 and Annex B.

3.4 Sub-processors. Kolva will not engage Sub-processors except in accordance with Section 5.

3.5 Assistance to Customer. Taking into account the nature of the Processing, Kolva assists Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligations to respond to requests for exercising Data Subject rights (Section 9), to ensure the security of Processing, to notify Personal Data Breaches, to carry out Data Protection Impact Assessments ("DPIA") and to consult supervisory authorities where required (Articles 32 to 36 GDPR).

3.6 Return or deletion. At the choice of Customer, Kolva deletes or returns all Personal Data to Customer after the end of the provision of services relating to the Processing, and deletes existing copies unless applicable law requires storage.

3.7 Audit information. Kolva makes available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to the conditions set out in Section 10.

3.8 Infringing instructions. Kolva shall immediately inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Obligations of the Controller

4.1 Customer warrants that it has a valid legal basis for the Processing of Personal Data carried out by Kolva on its behalf and that it has provided all notices and obtained all consents required under applicable Data Protection Laws.

4.2 Customer is responsible for configuring access, permissions, retention settings, consent banners, integrations and data exports in the Service in a manner that is lawful and consistent with Customer's internal policies.

4.3 Customer shall not instruct Kolva to Process Personal Data in a manner that would cause Kolva to violate Data Protection Laws. Customer shall indemnify Kolva for any claim arising from Customer's breach of this Section 4.

5. Sub-processors

5.1 General authorisation. Customer provides Kolva with a general written authorisation to engage Sub-processors to Process Personal Data on Customer's behalf, subject to the conditions set out in this Section 5.

5.2 Current Sub-processors. The list of Sub-processors in place as at the effective date of this DPA is set out in Annex C. Kolva maintains an up-to-date list at https://kolva.ai/legal/sub-processors.

5.3 Notification of changes. Kolva shall notify Customer of any intended changes to the list of Sub-processors (addition or replacement) at least thirty (30) days before the change takes effect, giving Customer the opportunity to object to such changes. Notification may be delivered by email, in-product notice or by updating the published Sub-processor list where Customer has subscribed to change notifications.

5.4 Objections. If Customer reasonably objects to the appointment of a new Sub-processor on data protection grounds, Customer shall notify Kolva in writing within fourteen (14) days of the notification. The parties shall work together in good faith to reach a resolution. If no resolution can be reached, Customer may terminate the part of the Service that cannot be provided without the objected-to Sub-processor, and obtain a pro-rata refund of any prepaid fees relating to the period after termination.

5.5 Sub-processor obligations. Kolva shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Kolva remains fully liable to Customer for the performance of its Sub-processors' obligations.

6. Security Measures

6.1 Kolva implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Processing, in accordance with Article 32 GDPR. These measures are further described in Annex B and include, at minimum:

6.1.1 encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256);

6.1.2 envelope encryption of integration credentials and other highly sensitive configuration values using AWS Key Management Service ("AWS KMS") with AES-256-GCM as the symmetric algorithm and a customer-managed key;

6.1.3 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (including Row-Level Security policies at the database layer, role-based access control, multi-factor authentication for privileged access and network segmentation);

6.1.4 the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident (including encrypted backups and point-in-time recovery);

6.1.5 a process for regularly testing, assessing and evaluating the effectiveness of security measures (including vulnerability scanning, dependency updates, code review and periodic penetration testing); and

6.1.6 immutable audit logging of privileged access to Personal Data (Section 7).

6.2 Kolva will not materially decrease the level of protection of security measures during the term of the Principal Agreement.

7. Support Access to Encrypted Credentials

This Section 7 describes the exceptional circumstances in which Kolva Support Personnel may access the encrypted integration credentials that Customer uploads to the Service during agent onboarding or through the cloud onboarding wizard. This section is material to Customer's consent and forms an integral part of the DPA.

7.1 Purpose of support access. Integration credentials (database user names, passwords, API keys, service account tokens and connection details for Customer's ERP, CRM and other systems) are stored by Kolva in an encrypted form using envelope encryption with AWS KMS (Section 6.1.2). Kolva does not access the plaintext form of those credentials in the ordinary course of providing the Service. However, exceptional circumstances may require Support Personnel to temporarily retrieve the plaintext credentials in order to (a) diagnose an integration failure that cannot be reproduced or resolved with logs alone, (b) restore sync after a structural change in Customer's source system, (c) assist Customer in rotating credentials upon request, or (d) respond to a legitimate support request escalated by Customer through an authorised channel.

7.2 Customer control: the kill-switch. Support access is enabled by default when Customer accepts this DPA. Customer may disable support access at any time from the Security settings page in the Kolva application (Settings → Security → Support Access). When support access is disabled, the server-side decrypt endpoint returns an authorisation error (HTTP 403) before any KMS call is made, and Support Personnel cannot retrieve plaintext credentials regardless of their authentication status. Customer acknowledges that disabling support access may materially impair Kolva's ability to diagnose incidents on Customer's integrations, which in turn may delay or prevent the resolution of sync issues.

7.3 Strong authentication. Every plaintext decryption is protected by a valid second factor. A Support Personnel member must present (a) a single sign-on session tied to the Kolva corporate identity provider, and (b) a valid time-based one-time password ("TOTP") generated from a hardware-bound authenticator tied to that individual. Access tokens and TOTP codes are short-lived and cannot be replayed.

7.4 Stated reason and ticket reference. Support Personnel cannot trigger a decryption without providing a free-text reason (minimum ten characters) and, where applicable, a reference to the Customer-initiated support ticket that motivates the access. The reason and ticket reference are captured in the immutable audit log described in Section 7.6.

7.5 DPA consent acknowledgement. At each decryption event, Support Personnel must affirmatively acknowledge in the user interface that (a) Customer has accepted the current version of this DPA, (b) support access has not been disabled by Customer, and (c) the access is strictly necessary for the stated reason. This acknowledgement is recorded alongside the other audit fields.

7.6 Immutable audit log. Every decryption is recorded in the audit_config_access table in the Kolva database. The record includes the identity of the Support Personnel member, the Customer, the integration, the timestamp, the reason, the ticket reference (if any), the IP address of the caller, the approximate duration of the access, the specific fields retrieved and the DPA version that was current at the time. The table is protected by PostgreSQL rules that reject updates and deletions, ensuring that audit entries cannot be modified or erased after creation.

7.7 Transparency to Customer. Customer's security administrators may review the audit log for their company at any time through Settings → Security → Audit Log. The audit log exposes the date and time of each access, the reason and ticket reference, the approximate duration and the fields accessed. For privacy reasons the audit log visible to Customer identifies the accessing party as "Kolva Support" rather than naming the individual Support Personnel member; the name and contact details of the Support Personnel member remain available internally at Kolva and will be disclosed to Customer upon reasonable request (for example in the context of a security incident investigation or a regulatory inquiry).

7.8 Monthly digest. Where Customer has enabled the monthly digest in Settings → Security → Notifications, Kolva will send a monthly email summary from support@kolva.ai listing the number of accesses, the ticket references and a link to the full audit log for the relevant period. Digests are enabled by default.

7.9 Access minimisation. Decrypted credentials are displayed in the Kolva support console for a strictly limited period of time (up to sixty seconds by default) and are not persisted in any form outside of the transient display. Support Personnel are instructed to copy only the credentials strictly necessary for the stated diagnostic task and never to share them through unmanaged channels.

7.10 Training and supervision. All Support Personnel complete annual security and privacy training that covers the obligations of this Section 7. Access to the support decryption console is limited to employees holding the "Founder" or "Senior Support" role as defined in Kolva's internal access policy, and that role membership is reviewed quarterly.

7.11 Revocation of access. Customer may at any time (a) disable support access as described in Section 7.2, (b) rotate the integration credentials from within the Service or directly in the source system, or (c) terminate the Principal Agreement in accordance with its terms. Upon termination, Kolva revokes the ability of all Support Personnel to decrypt Customer's integration credentials and proceeds with the return or deletion of Personal Data in accordance with Section 12.

8. Personal Data Breaches

8.1 Kolva notifies Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

8.2 The notification shall at minimum:

  • describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • communicate the name and contact details of the Data Protection Officer or other contact point;
  • describe the likely consequences of the Personal Data Breach; and
  • describe the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.3 Where and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

8.4 Kolva cooperates with Customer and takes such reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. Customer is responsible for notifying the competent supervisory authority and Data Subjects where required under Data Protection Laws.

9. Data Subject Rights

9.1 Taking into account the nature of the Processing, Kolva assists Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the rights of Data Subjects laid down in Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

9.2 Kolva will not respond to a Data Subject request directly, except on Customer's documented instructions or where required by law. Kolva will promptly forward any such request it receives to Customer.

9.3 The Service provides self-service features that allow Customer to export, rectify or delete Personal Data associated with individual users, clients or prospects. Where additional assistance is required, Customer may contact Kolva at privacy@kolva.ai.

10. Audits

10.1 Kolva makes available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, including the results of third-party audits, penetration test reports (summaries), certifications (when available) and responses to standard security questionnaires.

10.2 Where the information referred to in Section 10.1 is, in Customer's reasonable opinion, insufficient to demonstrate compliance, Customer (or an independent and qualified auditor mandated by Customer and bound by confidentiality obligations that are no less protective than those binding Kolva employees) may conduct an audit, subject to the following conditions:

  • audits take place no more than once per calendar year, except where required by a supervisory authority or following a Personal Data Breach;
  • Customer provides at least thirty (30) days prior written notice;
  • the audit is conducted during normal business hours and in a manner that does not unreasonably interfere with Kolva's business operations;
  • the auditor signs a non-disclosure agreement acceptable to Kolva;
  • Customer bears the costs of the audit unless the audit reveals material non-compliance with this DPA.

10.3 The parties will discuss the scope and timing of the audit in advance. Audit reports are the confidential information of Kolva and may not be disclosed to third parties without Kolva's prior written consent, except as required by law.

11. International Data Transfers

11.1 Personal Data may be transferred to and Processed in jurisdictions other than the one in which Customer is established, including the United States. Transfers are carried out in accordance with a valid transfer mechanism under applicable Data Protection Laws.

11.2 SCCs. To the extent the transfer of Personal Data from the European Economic Area, the United Kingdom or Switzerland to Kolva or to a Sub-processor located in a country not benefitting from an adequacy decision involves a transfer covered by the SCCs, the parties are deemed to have entered into Module Two (Controller to Processor) of the SCCs, which are hereby incorporated by reference, with the following selections:

  • the optional docking clause (Clause 7) applies;
  • in Clause 9(a), option 2 applies (general written authorisation) with the notice period set out in Section 5.3;
  • in Clause 11(a), the optional redress mechanism does not apply;
  • in Clauses 17 and 18, the governing law and forum are those of the Republic of Ireland, unless otherwise required by local law.

11.3 UK Addendum. Where the transfer is subject to the UK Data Protection Act 2018 and the UK GDPR, the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office ("ICO") is deemed incorporated and applies to such transfers.

11.4 Swiss transfers. For transfers subject to Swiss FADP, references in the SCCs to "GDPR" are understood as references to the FADP, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner ("FDPIC"), and references to "Member State" are read so as not to exclude Data Subjects residing in Switzerland from exercising their rights.

11.5 Transfer impact assessments. Kolva has carried out a transfer impact assessment for its Sub-processors and will make it available to Customer on request. Customer acknowledges that it has been given the opportunity to review that assessment before entering into this DPA.

12. Term, Return and Deletion

12.1 This DPA takes effect when Customer accepts it (including by clicking through during signup, by installing the Kolva desktop agent, or at hub activation) and remains in force for as long as Kolva Processes Personal Data on behalf of Customer.

12.2 Upon termination or expiration of the Principal Agreement, Kolva will, at Customer's choice and upon written instruction received within thirty (30) days of termination, return to Customer or delete all Personal Data in its possession. Absent any instruction from Customer within that period, Kolva will delete the Personal Data ninety (90) days after termination.

12.3 Backups containing Personal Data are deleted in accordance with Kolva's backup rotation policy within thirty (30) days following the primary deletion described in Section 12.2.

12.4 Kolva may retain Personal Data to the extent required by applicable law, in which case it will continue to apply the security measures set out in this DPA for as long as the Personal Data is retained.

13. AI-Specific Processing

13.1 The Service includes features that rely on artificial intelligence models operated by Kolva directly or by AI Sub-processors (see Annex C).

13.2 When Customer uses AI features, Personal Data is transmitted to AI Sub-processors through encrypted API calls. AI Sub-processors do not retain Personal Data beyond the lifetime of the API request and do not use Customer Data to train their foundation models, consistent with the enterprise terms that Kolva has negotiated with each of them.

13.3 AI outputs may contain derived insights but, to the extent practicable, not raw Personal Data that was not already known to Customer.

13.4 The AI processing performed by the Service does not produce decisions that have legal effect on Data Subjects or similarly significantly affect them without human review. Customer is responsible for instituting human review where AI outputs inform decisions that may have such effects.

13.5 Customer may disable individual AI features from the company settings page, or limit the categories of data sent to AI Sub-processors via the data-residency settings where available.

14. General Provisions

14.1 Versions and updates. Kolva may publish updated versions of this DPA to reflect changes in Data Protection Laws, new Sub-processors, material changes to the Service or improvements in security controls. Material changes will be notified to Customer at least thirty (30) days in advance. Where Customer's continued use of the Service amounts to acceptance of the new version under the Principal Agreement, Customer may object to material changes in accordance with Section 5.4.

14.2 Consent capture. Kolva records the acceptance of each DPA version in an immutable consent_log table that includes the identity of the accepting party, the time of acceptance, the SHA-256 hash of the document text shown, the context of acceptance (signup, agent install, hub activation), the scroll depth reached and the dwell time elapsed before acceptance.

14.3 Order of precedence. In the event of any conflict or inconsistency between (a) the SCCs, (b) this DPA, and (c) the Principal Agreement, the following order of precedence applies: (i) the SCCs, (ii) this DPA, and (iii) the Principal Agreement.

14.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

14.5 Governing law and jurisdiction. Except where Data Protection Laws require otherwise, this DPA is governed by the law of the State of Wyoming, United States, and the parties submit to the exclusive jurisdiction of the courts of that jurisdiction, without prejudice to the rights of Data Subjects to bring a claim before any supervisory authority or court having jurisdiction under Data Protection Laws.

14.6 Contact.

  • Data Protection Officer: dpo@kolva.ai
  • Legal inquiries: legal@kolva.ai
  • Security inquiries: security@kolva.ai
  • Privacy inquiries: privacy@kolva.ai
  • Mailing address: Talentee LLC, Sheridan, Wyoming, United States.

Annex A — Description of the Processing

Controller: the Customer identified at signup (company name, registered address and primary contact captured during account creation).

Processor: Talentee LLC (trading as Kolva), Sheridan, Wyoming, United States.

Categories of Data Subjects: Customer's employees, agents, customers, prospects, suppliers and their contact persons, and where applicable, end users of Customer's products or services.

Categories of Personal Data: identification, contact, professional, authentication, commercial, geolocation, device, usage, voice (where enabled) and any Personal Data Customer chooses to submit.

Special categories of Personal Data: none by default; Customer is responsible for ensuring any special categories are submitted only with adequate safeguards.

Nature of the Processing: hosting, storage, structuring, retrieval, display, AI-assisted analysis, recommendation generation, synchronisation with Customer's source systems, notifications, auditing and security monitoring.

Purpose: provision, support, security and improvement of the Service.

Duration: for the term of the Principal Agreement plus the return or deletion period set out in Section 12.

Frequency of transfer: continuous.

Annex B — Technical and Organisational Measures

Kolva implements the following measures (non-exhaustive):

1. Pseudonymisation and encryption: TLS 1.2+ in transit; AES-256 at rest for the application database; AES-256-GCM + AWS KMS envelope encryption for integration credentials and other highly sensitive configuration.
2. Confidentiality, integrity, availability and resilience: Row-Level Security policies at the database layer; role-based access control in the application; multi-factor authentication for all Kolva privileged access; network segmentation; WAF in front of the application gateway; DDoS protection at the edge; redundant hosting with automatic failover where available.
3. Restore capability: encrypted backups with point-in-time recovery; documented restore procedures; annual disaster recovery testing.
4. Testing and evaluation: static application security testing on every change; automated dependency vulnerability scanning; periodic third-party penetration testing; annual security review of Sub-processors.
5. Access control and auditing: single sign-on tied to the Kolva corporate identity provider; least-privilege access to production; time-based one-time password (TOTP) required for plaintext integration credential decryption; immutable audit_config_access log for every decryption.
6. Physical security of sub-processor facilities: relied upon through Sub-processors' own certifications (see Annex C).
7. Personnel security: background checks where permitted; confidentiality obligations in employment and contractor agreements; mandatory annual security and privacy training.
8. Incident response: documented incident response plan; on-call rotation; tabletop exercises.
9. Transfer and portability: self-service data export in the application; API access for programmatic extraction.
10. Data minimisation and retention: configurable retention by data category; automatic purge of trial data; deletion of backups within thirty (30) days after primary deletion.

Annex C — Approved Sub-processors (as of the Effective Date)

  • Supabase, Inc. (United States, EU hosting available) — managed Postgres, authentication and storage for the Kolva application database.
  • Vercel Inc. (United States) — application hosting and serverless functions.
  • Amazon Web Services, Inc. (European Union region) — AWS Key Management Service (KMS) for envelope encryption of integration credentials.
  • Stripe, Inc. (United States) — payment processing for subscriptions.
  • Resend, Inc. (United States) — transactional email delivery (including support access digests and security notifications).
  • OpenAI, L.L.C. (United States) — AI language model processing for selected AI features.
  • Anthropic PBC (United States) — AI language model processing for selected AI features.
  • Inngest, Inc. (United States) — background job orchestration for scheduled syncs and asynchronous processing.

The up-to-date list is available at https://kolva.ai/legal/sub-processors.

This DPA is a template designed to comply with applicable Data Protection Laws as at the Effective Date. Customers are encouraged to have the document reviewed by their own qualified legal counsel before signing.