Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Iklows ("Data Processor") and the Client subscribing to Iklows services ("Data Controller").

This agreement supplements the Terms of Service and governs the processing of personal data carried out by Iklows on behalf of the Client, in accordance with Regulation (EU) 2016/679 (GDPR).

• Personal data: any information enabling direct or indirect identification of a natural person
• Processing: any operation performed on personal data (collection, recording, transcription, analysis, storage, deletion)
• Data Controller: the Client who determines the purposes and means of processing
• Data Processor: Iklows, which processes data on behalf of the Client

Iklows processes the following personal data on behalf of the Client:

• Audio recordings of sales calls
• Text transcriptions of these calls
• Prospect data (name, position, company, contact details)
• Performance scores and associated AI analyses

This processing is carried out for the duration of the subscription contract between the Client and Iklows.

Iklows agrees to:

• Process data only on documented instructions from the Data Controller
• Ensure confidentiality of processed data
• Implement appropriate technical and organizational security measures
• Not sub-process without prior Client consent (except sub-processors listed in Article 5)
• Assist the Client in fulfilling its GDPR obligations
• Delete or return all data at the end of the contract
• Notify any security incident within 72 hours

The Client agrees to:

• Only use Iklows for lawful and documented purposes
• Obtain consent from recorded individuals before any call
• Inform data subjects of the processing of their data via Iklows
• Ensure accuracy of data entered in the platform
• List Iklows as a sub-processor in its own GDPR documentation

The Client authorizes Iklows to use the following sub-processors:

SCCs = Standard Contractual Clauses approved by the European Commission.

Iklows implements the following security measures:

• Data encryption in transit (TLS 1.3) and at rest (AES-256)
• Role-based access control (director, manager, sales rep) with Row Level Security
• Secure authentication via Supabase Auth
• Access logging and regular audits
• Data isolation per company (multi-tenant architecture)

Some sub-processors (Anthropic, Recall.ai, AssemblyAI) are established in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46 of the GDPR.

Audio data is transmitted solely for processing purposes (transcription/analysis) and is not retained by these sub-processors beyond the execution of the request.

In the event of a data breach, Iklows commits to:

• Notify the Client within 72 hours of becoming aware
• Provide a description of the nature of the breach and affected data
• Indicate measures taken or planned to address the breach
• Assist the Client in notifying the relevant data protection authority if necessary

At the end of the contract, Iklows will delete all Client data within 30 days, unless legally required to retain it. A deletion certificate can be provided upon request.

For any questions regarding this agreement or to exercise your rights:

Email : contact@iklows.io

Contact: Paul Pozzobon — Iklows