Data Processing Agreement
Controller to Processor Terms
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Platform Terms of Service (the "Principal Agreement") between:
Customer (the "Controller"): The entity that has entered into the Principal Agreement with CAIO
Address: As specified in the Principal Agreement
and
CAIO LLC (the "Processor")
Charlotte, North Carolina, United States
This DPA is effective as of the date the Principal Agreement is accepted (whether by clickthrough acceptance, account creation, or execution), or, if later, when Controller begins using Services that involve Processing of Personal Data.
1. DEFINITIONS
Capitalized terms not defined herein have the meanings given in the Principal Agreement. For purposes of this DPA:
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data, including: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); (d) the Colorado Privacy Act; (e) the Virginia Consumer Data Protection Act; and (f) other applicable privacy laws.
"Controller" means the entity that determines the purposes and means of Processing Personal Data.
"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
"Derived Learnings" means generalized, de-identified knowledge, techniques, patterns, and operational insights extracted from advisory engagements that do not identify Controller or reveal Controller's specific proprietary business information.
"Personal Data" means any information relating to an identified or identifiable natural person that Controller provides to Processor or that Processor Processes on Controller's behalf in connection with the Services.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Processor" means an entity that Processes Personal Data on behalf of a Controller.
"Services" means the services provided by Processor to Controller under the Principal Agreement, including the CAIO Bridge platform, advisory services, and related tools.
"Session Recording Data" means audio, video, and transcript recordings of advisory sessions, consulting calls, and onboarding meetings between Processor personnel and Controller or Controller's authorized users.
"Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission for international data transfers.
"Sub-processor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
2. SCOPE AND ROLES
2.1 Roles of the Parties
(a) Platform Services: Where Controller uses the CAIO Bridge platform to process Personal Data of Controller's contacts, prospects, and customers, Controller is the Controller and Processor acts as the Processor.
(b) Advisory Services: Where Processor records advisory sessions involving Controller's personnel, Processor acts as Controller for the Session Recording Data (as Processor determines the purposes and means of recording), and as joint Controller with Controller for any Personal Data of Controller's personnel or business contacts discussed during sessions.
(c) Each Party shall comply with its obligations under Applicable Data Protection Laws in accordance with its role.
2.2 Scope of Processing
Processor shall Process Personal Data only as necessary to provide the Services and in accordance with Controller's documented instructions, except where Processor acts as Controller for Session Recording Data as described in Section 2.1(b). The details of Processing are set forth in Annex 1.
2.3 Controller's Responsibilities
Controller represents and warrants that:
- It has the legal authority to provide Personal Data to Processor
- Personal Data has been collected in compliance with Applicable Data Protection Laws
- It has provided any required notices and obtained any required consents from Data Subjects, including consent for session recording where Controller's personnel participate in advisory sessions
- Its instructions to Processor comply with Applicable Data Protection Laws
- It has appropriate legal basis for any outreach, enrichment, or automated processing conducted through the Platform on Controller's behalf
3. PROCESSOR OBLIGATIONS
3.1 Processing Instructions
Processor shall:
- Process Personal Data only on documented instructions from Controller, including regarding transfers to third countries, unless required by applicable law
- Immediately inform Controller if, in Processor's opinion, an instruction infringes Applicable Data Protection Laws
- Not Process Personal Data for any purpose other than as necessary to provide the Services, except for (i) Derived Learnings as permitted under the Principal Agreement, and (ii) aggregated, anonymized data as described in Section 3.10
3.2 Confidentiality
Processor shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
Taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of Processing, and the risks to Data Subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- AES-256 encryption for third-party credentials and sensitive configuration data
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner following an incident
- Regular testing and evaluation of security measures
Specific security measures are described in Annex 2.
3.4 Sub-processors
(a) Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data, subject to the requirements of this Section.
(b) Processor shall maintain a list of current Sub-processors, available at getcaio.com/legal/subprocessors or upon request.
(c) Processor shall notify Controller at least fourteen (14) days before engaging a new Sub-processor or replacing an existing Sub-processor. If Controller objects to a new Sub-processor on reasonable grounds related to data protection, the Parties shall discuss the objection in good faith. If no resolution is reached, Controller may terminate the affected Services without penalty.
(d) Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
(e) Processor remains fully liable to Controller for the performance of Sub-processors' obligations.
3.5 Data Subject Rights
Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
3.6 Data Protection Impact Assessments
Upon Controller's request, Processor shall provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws and to the extent Controller does not otherwise have access to the relevant information. This includes assessments related to AI-powered processing features and automated decision-making capabilities of the Platform.
3.7 Personal Data Breach
(a) Processor shall notify Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.
(b) The notification shall include, to the extent known: (i) a description of the nature of the breach; (ii) categories and approximate number of Data Subjects affected; (iii) categories and approximate number of Personal Data records affected; (iv) likely consequences of the breach; and (v) measures taken or proposed to address the breach.
(c) Processor shall cooperate with Controller's investigation of and response to the breach and shall not inform any third party of the breach without Controller's prior consent, except as required by law.
3.8 Deletion and Return
(a) Upon termination or expiration of the Principal Agreement, or upon Controller's request, Processor shall, at Controller's choice, delete or return all Personal Data to Controller and delete existing copies, within thirty (30) days of the request.
(b) Processor may retain Personal Data to the extent required by law, provided that Processor maintains confidentiality and does not Process the data except as required by law.
(c) Derived Learnings that have been extracted and de-identified prior to termination are not subject to deletion or return obligations, as they do not constitute Personal Data.
(d) Third-party credentials (BYO) will be disconnected and deleted within five (5) business days of termination.
3.9 Audit Rights
(a) Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by Controller or Controller's auditor.
(b) Controller may conduct audits upon reasonable notice (at least thirty (30) days), during normal business hours, and no more than once per year (unless required by a supervisory authority or following a Personal Data Breach).
(c) Controller shall bear its own audit costs. If an audit reveals material non-compliance, Processor shall bear the cost of the audit and any remediation.
(d) Processor may satisfy audit requests by providing: (i) third-party audit reports (e.g., SOC 2); (ii) completed security questionnaires; or (iii) other documentation demonstrating compliance.
3.10 Aggregated and Anonymized Data
Processor may create aggregated, anonymized datasets from Personal Data processed under this DPA, provided that such datasets: (a) cannot reasonably be used to identify any Data Subject, Controller, or Controller's customers; (b) are used solely for product improvement, benchmarking, and platform development; and (c) are not shared in a form that could identify Controller. This processing constitutes a legitimate interest of Processor and does not require additional Controller instructions.
4. AI AND AUTOMATED PROCESSING
4.1 AI Processing
The Services include AI-powered features that Process Personal Data to generate content, analysis, research, and automated actions. Controller acknowledges that:
- Personal Data may be transmitted to AI Sub-processors (currently Anthropic) for processing
- AI Sub-processors process data only as needed to generate the requested output and do not use API inputs for model training
- AI outputs may be inaccurate and Controller is responsible for reviewing outputs before use
4.2 Automated Decision-Making
The Platform provides automated scoring, prioritization, and recommendation features (such as prospect scoring, engagement scoring, and ICP matching). These features assist Controller's decision-making but do not make binding decisions about individuals without Controller-configured human review. Controller is responsible for configuring appropriate human oversight for automated processing features.
4.3 Voice Data Processing
Where Controller enables voice features, audio data is processed by voice infrastructure Sub-processors (currently ElevenLabs for synthesis and OpenAI Whisper for transcription). Audio data is processed in real time and is not retained by voice Sub-processors beyond the processing session, except as required for service delivery.
4.4 Session Recording Processing
Where advisory sessions are recorded:
- Recordings are processed by meeting intelligence Sub-processors (currently Granola) for transcription, summarization, and note generation
- Session Recording Data is retained according to the retention schedule in Annex 1
- Controller may request deletion of specific recordings at any time
- Derived Learnings may be extracted from session content as described in the Principal Agreement
5. INTERNATIONAL DATA TRANSFERS
5.1 Transfer Mechanisms
To the extent Processor transfers Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing adequate data protection:
- The Standard Contractual Clauses (Module 2: Controller to Processor) shall apply and are incorporated by reference into this DPA
- For transfers from the UK, the UK Addendum to the SCCs shall apply
- For transfers from Switzerland, the SCCs shall apply with necessary modifications
5.2 SCC Specifications
For purposes of the SCCs:
- Controller is the "data exporter" and Processor is the "data importer"
- The optional docking clause in Clause 7 applies
- Option 2 in Clause 9(a) applies; Sub-processor changes shall be notified as provided in Section 3.4
- The optional language in Clause 11(a) does not apply
- Option 1 in Clause 17 applies; governing law is Ireland
- Disputes under Clause 18 shall be resolved by the courts of Ireland
5.3 Additional Safeguards
Processor shall implement supplementary measures as necessary to ensure that Personal Data transferred internationally receives protection essentially equivalent to that guaranteed within the EEA, including encryption and access controls.
6. CALIFORNIA-SPECIFIC PROVISIONS
To the extent the CCPA/CPRA applies to Processing:
- Processor is a "Service Provider" as defined in the CCPA
- Processor shall not sell or share Personal Data
- Processor shall not retain, use, or disclose Personal Data for any purpose other than performing the Services or as permitted by the CCPA
- Processor shall not combine Personal Data with data from other sources except as permitted by the CCPA
- Processor certifies that it understands these restrictions and will comply with them
- Processor shall assist Controller in responding to consumer rights requests within the timeframes required by the CCPA/CPRA
7. GENERAL PROVISIONS
7.1 Order of Precedence
In the event of a conflict between this DPA and the Principal Agreement regarding Personal Data Processing, this DPA shall prevail. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
7.2 Liability
Each Party's liability under this DPA is subject to the limitations of liability in the Principal Agreement, except that such limitations shall not apply to the extent prohibited by Applicable Data Protection Laws.
7.3 Term
This DPA shall remain in effect for the duration of the Principal Agreement and thereafter until all Personal Data has been deleted or returned in accordance with Section 3.8.
7.4 Amendments
Processor may update this DPA to reflect changes in Applicable Data Protection Laws or Processing activities, with reasonable notice to Controller. Material changes that adversely affect Controller's rights require Controller's consent.
7.5 Entire Agreement
This DPA, including its Annexes, constitutes the entire agreement between the Parties regarding the subject matter hereof and supersedes all prior discussions and agreements.
ACCEPTANCE
This DPA is incorporated into and forms part of the Platform Terms of Service and, where applicable, the Master Services Agreement (each, a "Principal Agreement"). By creating an account, accessing, or using the Platform, you agree to the terms of this DPA. If you have executed an MSA with CAIO, this DPA is also incorporated into and governed by that MSA.
Where Controller requires a separately executed DPA (e.g., for regulatory compliance or internal procurement), CAIO will provide a countersignable version upon request. The terms of such executed DPA will supersede this clickthrough version to the extent of any conflict.
Annex 1 — Details of Processing
A. Subject Matter and Duration
Processor Processes Personal Data to provide the Services described in the Principal Agreement for the duration of the Principal Agreement.
B. Nature and Purpose of Processing
| Service Component | Processing Purpose |
|---|---|
| CRM & Pipeline | Contact storage, relationship management, deal tracking, activity logging, engagement scoring |
| Prospecting & Enrichment | Company discovery, contact enrichment from third-party sources, ICP scoring, email verification, domain validation |
| Multi-Channel Outreach | Email delivery via Instantly/Resend, LinkedIn automation via HeyReach, engagement tracking (opens, clicks, replies, connections), unsubscribe/opt-out management |
| Call Tracking | Call recording storage, transcription, AI analysis of call content (sentiment, action items, key points), follow-up generation |
| AI Content Generation | Processing inputs and Contact Data to generate text content, research dossiers, email personalization, and blog posts using AI models |
| AI Agent Operations | Autonomous and semi-autonomous agent execution including prospect research, contact discovery, sequence personalization, reply classification, content creation, and workflow orchestration |
| Market Intelligence | RSS feed processing, Gmail newsletter ingestion (configured senders only), content analysis, relevance scoring, digest compilation |
| Proposals & Invoicing | Document creation, delivery, electronic signature collection, acceptance tracking, payment processing via Stripe |
| Advisory Services | Session scheduling via Google Calendar/Cal.com, session recording and transcription via Granola/video conferencing tools, note generation, action item tracking, onboarding workflow management |
| Voice Processing | Voice synthesis (ElevenLabs) and transcription (Whisper) for internal briefings, session notes, and configured voice interactions |
| Notifications | Sending task reminders, alerts, and intelligence notifications via Slack and email |
C. Categories of Data Subjects
- Controller's employees and authorized platform users
- Controller's business contacts (prospects, leads, customers)
- Recipients of Controller's outreach communications (email and LinkedIn)
- Signatories to proposals created through the Platform
- Participants in advisory sessions (Controller's personnel and CAIO personnel)
- Individuals whose information appears in enrichment data sources
D. Categories of Personal Data
- Identity Data: Names, job titles, profile photos
- Contact Data: Email addresses, phone numbers, business addresses, LinkedIn URLs
- Professional Data: Employer, employment history, industry, company size, tech stack, LinkedIn profiles
- Account Data: Login credentials (hashed), authentication tokens, workspace configuration
- Communication Data: Email content, LinkedIn message content, SMS content, communication history
- Call Data: Phone numbers, call recordings, transcripts, AI-extracted call summaries and insights
- Session Recording Data: Audio/video recordings, transcripts, AI-generated notes and action items from advisory sessions
- Voice Data: Audio input for transcription and voice synthesis outputs
- Engagement Data: Email opens, clicks, replies; LinkedIn connection and message status; call outcomes; engagement scores
- Usage Data: IP addresses, device information, activity logs, feature usage patterns
- Signature Data: Electronic signatures, IP addresses, timestamps
- Financial Data: Deal amounts, proposal values, invoice data (payment card data processed solely by Stripe)
E. Special Categories of Data
The Services are not intended for Processing special categories of Personal Data (e.g., health data, racial or ethnic origin, religious beliefs, biometric data). Controller shall not submit such data to the Platform. Note: call recordings and session recordings may incidentally capture sensitive information disclosed by participants; Controller is responsible for managing participant disclosures.
F. Frequency of Transfer
Continuous, as Personal Data is entered, generated, or received through normal use of the Services.
G. Retention Period
| Data Type | Retention Period |
|---|---|
| Platform Data (CRM, content, contacts) | Duration of Principal Agreement + 30 days |
| Call Recordings & Transcripts | Duration of Principal Agreement + 30 days (or per Workspace configuration) |
| Session Recordings | 12 months from recording date, or engagement period + 6 months (whichever is longer) |
| Email Engagement Data | 24 months from event date |
| Third-Party Credentials | Duration of account; deleted within 5 business days of termination |
| Billing Records | 7 years (legal requirement) |
See Privacy Policy for complete retention schedule.
Annex 2 — Technical and Organizational Security Measures
Processor implements the following security measures:
1. Access Control
- Role-based access controls limiting employee access to Personal Data (member/admin/owner roles)
- Multi-factor authentication for administrative access
- Unique user identification and authentication (BetterAuth)
- Automatic session timeout (30-day session with daily token refresh)
- Access logging and monitoring
- Super admin access restricted and audited
2. Encryption
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest, including third-party API keys, OAuth tokens, and sensitive configuration data
- Secure password hashing (bcrypt)
- Secure key management practices
3. Infrastructure Security
- Hosting on SOC 2 compliant cloud infrastructure (Vercel for application, Supabase for database)
- Network segmentation and firewalls
- DDoS protection (Vercel Edge Network)
- Regular security patching and updates
- Geographic redundancy for critical data
4. Application Security
- Secure software development practices
- Input validation (Zod schema validation) and output encoding
- Protection against common vulnerabilities (OWASP Top 10)
- Dependency vulnerability scanning
- API rate limiting per workspace and per endpoint
- CRON job authentication via bearer tokens
5. Data Isolation
- Workspace-level data isolation at the database layer (all queries scoped by workspaceId)
- Middleware-enforced workspace resolution on every API request
- No commingling of customer Personal Data between workspaces
- Email domain restrictions for workspace access where configured
6. Personnel Security
- Background checks for employees with access to Personal Data
- Confidentiality agreements
- Security awareness training
- Access revocation upon termination
7. Incident Response
- Documented incident response procedures
- Designated security contacts
- Breach notification within 48 hours
- Post-incident review and remediation
8. Business Continuity
- Regular data backups (managed by Supabase)
- Backup encryption
- Disaster recovery procedures
- Geographic redundancy for critical data
9. Vendor Management
- Due diligence on Sub-processors
- Contractual data protection requirements
- Periodic review of Sub-processor security
- Sub-processor change notification (14-day advance notice)
10. AI-Specific Security
- AI model inputs transmitted via encrypted API connections
- No customer data used for third-party model training (Anthropic API zero-retention policy)
- Agent autonomy controls with human checkpoint enforcement
- Decision queue audit trail for all agent actions
Annex 3 — List of Sub-processors
Current as of the DPA Effective Date. Updated list available at getcaio.com/legal/subprocessors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, deployment, edge network | United States |
| Supabase Inc. | PostgreSQL database hosting | United States |
| Stripe, Inc. | Payment processing, subscription management | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Anthropic PBC | AI content generation, analysis, agent capabilities | United States |
| ElevenLabs, Inc. | Voice synthesis infrastructure | United States |
| Granola | Meeting intelligence, session transcription, note generation | United States |
| Quo | Call tracking, recording, transcription, SMS | United States |
| HeyReach | LinkedIn automation services | European Union |
| Apollo.io, Inc. | Contact and company data enrichment | United States |
| ZeroBounce, Inc. | Email address verification and validation | United States |
| Serper | Web search API for research and enrichment | United States |
| Cal.com, Inc. | Scheduling and booking services | United States |
| Google LLC | Calendar integration, OAuth authentication, Google Meet | United States |
| Slack Technologies, LLC | Workspace notifications, alerts, intelligence distribution | United States |
| Instantly.ai | Email outreach campaign delivery and tracking | United States |