Document 3 of 4

Data Processing Agreement

Data Processing Agreement (DPA)

Auto-execute: on paid plan subscription
Version: 1.0
URL: caiku.ai/en/dpa
๐Ÿ“‹ About this DPA

This DPA is an addendum to the Terms of Service โ€” automatically effective when Customer subscribes to a CAIKU paid plan. This document enables Customer and CAIKU to comply with PDPA Section 40 (Data Controller-Processor relationship).

๐Ÿ“‹ Bilingual Notice

This English version is provided for convenience. In case of conflict between Thai and English versions, the Thai version shall prevail for matters governed by Thai law.

1. Parties & Purpose

This DPA is an addendum to the Terms of Service. The parties are:

  • Data Controller: Customer (the company subscribed to CAIKU)
  • Data Processor: CAIKU

This DPA sets out the terms under which CAIKU processes personal data on behalf of Customer, in compliance with PDPA Section 40.

2. Scope of Processing

ElementDetails
Data TypeEnd-user data: name, phone number, email, conversation logs, voice recordings
Data SubjectsEnd-users that Customer interacts with via CAIKU (Customer's customers)
PurposeProviding the AI Agent service as configured by Customer
DurationThroughout subscription + retention period (per Privacy Policy)
Sub-processorsOpenAI, Anthropic, Google, Twilio, Supabase (full list in Section 5)

3. CAIKU's Obligations (Data Processor)

  1. Process data only on Customer's instructions
  2. Maintain confidentiality โ€” not disclose Customer data to third parties
  3. Apply appropriate security measures (encryption, access control, audit logs)
  4. Assist Customer in responding to DSR requests within 14 days
  5. Notify Customer of any data breach within 72 hours
  6. Delete data when Customer cancels service (within 30 days of request)
  7. Permit audit upon Customer's request (1 per year โ€” Customer's expense)
  8. Sign DPAs with all sub-processors

4. Customer's Obligations (Data Controller)

  1. Obtain consent from Customer's end-users as required by PDPA
  2. Provide Customer's own Privacy Notice
  3. Verify legal basis for each processing purpose
  4. Respond to DSR requests from Customer's end-users
  5. Maintain confidentiality of access credentials
  6. Not upload sensitive data under PDPA Section 26 without explicit consent

5. Sub-Processors

Customer pre-authorizes CAIKU to use the sub-processors listed in Annex A below. CAIKU will provide 30 days' advance notice when adding a new sub-processor โ€” Customer has the right to object and terminate the service.

5.1 Annex A โ€” Current Sub-Processors

VendorServiceLocationDPA Status
OpenAI, L.L.C.GPT API + Realtime API + WhisperUSAโœ“ Signed
Anthropic PBCClaude APIUSAโœ“ Signed
Google LLCGemini + CloudUSA / Asiaโœ“ Signed
Twilio Inc.Voice telephonyUSAโœ“ Signed
Retell AI / VapiVoice agent infrastructureUSAโœ“ Signed
Supabase Inc.Database + AuthUSA / EUโœ“ Signed
Railway Corp.App hostingUSAโœ“ Signed
Cloudflare Inc.CDN + securityGlobalโœ“ Signed

6. Security

CAIKU applies the security measures specified in Privacy Policy Section 7. Additional details:

  1. Encryption in transit: TLS 1.3+
  2. Encryption at rest: AES-256
  3. Access control: Role-based + MFA + IP whitelist option
  4. Audit logs: 5-year retention
  5. Backup: Daily + 30-day rolling retention
  6. Incident response: 24/7 on-call team
  7. Penetration testing: Annual third-party
  8. Vulnerability scanning: Continuous (automated)

7. International Transfer

Data may be transferred internationally (primarily to USA) via sub-processors. CAIKU uses Standard Contractual Clauses (SCCs) in DPAs with all sub-processors. Customer acknowledges and consents to these transfers.

8. Data Subject Rights

If Customer's end-user submits a DSR directly to CAIKU:

  1. CAIKU will forward the request to Customer within 5 business days
  2. Customer is responsible for responding to the end-user (Customer is Data Controller)
  3. CAIKU will assist in execution (delete, export, correct) per Customer's instructions

9. Audit Rights

  1. Customer may audit CAIKU once per year
  2. 30 days' advance notice required
  3. Customer bears the audit cost
  4. CAIKU may require an NDA prior to audit
  5. Alternative โ€” Customer may accept CAIKU's SOC 2 / ISO 27001 reports in lieu

10. Termination

  1. This DPA terminates when the Terms of Service terminate
  2. CAIKU deletes data within 90 days of termination
  3. Customer may export data within the first 30 days
  4. A deletion certificate is issued upon request