1. Parties
This agreement is between Kwamle Media (the "Processor" / Data Processor) and the Customer (the "Controller" / Data Controller) using the kwamlemedia.com / app.kwamlemedia.com platform.
2. Definitions
- "Personal Data": any information relating to an identifiable natural person.
- "Processing": any operation performed on personal data (collection, storage, use, transfer, deletion).
- "GDPR": the EU General Data Protection Regulation (Regulation 2016/679).
- "CCPA": the California Consumer Privacy Act.
- "Sub-processor": any third party that processes data on behalf of Kwamle.
3. Scope of processing
Kwamle processes personal data for the following purposes:
- Operating marketing-automation services and smart bots.
- Managing Meta pages and accounts and interacting with the customer's audience.
- Generating analytics and statistics.
- Executing AI calls according to the customer's settings.
The data includes: names, phone numbers, email addresses, Facebook/Instagram identifiers, message content, and comments.
4. Kwamle's obligations as a processor
- Process data only on the customer's documented instructions.
- Ensure data confidentiality among all staff who have access to it.
- Apply appropriate security measures (Article 32 of GDPR).
- Assist the customer in responding to data-subject requests.
- Notify the customer of any data breach within 72 hours.
- Do not engage a sub-processor without the customer's consent.
- Delete or return the customer's data when the service ends.
5. Security measures
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control (RBAC) and the principle of least privilege.
- Audit logs retained for 12 months.
- Annual third-party penetration testing.
- Two-factor authentication for staff on production systems.
- Encrypted backups every 24 hours in a different geographic location.
- A vulnerability-management program plus immediate security updates.
6. Current sub-processors
| Processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Infrastructure hosting | Amsterdam, Frankfurt |
| Cloudflare | CDN, DDoS protection | Global (Edge Network) |
| OpenAI | AI models (optional) | United States |
| Google (Gemini) | AI models (optional) | Global |
| Anthropic | AI models (optional) | United States |
| Stripe | Payment processing | United States, Ireland |
| Paymob | Payment processing (Egypt) | Cairo |
| Postmark | Email delivery | United States |
The customer may object to adding a new sub-processor within 30 days of being notified.
7. International data transfers
When transferring data outside the European Economic Area, we rely on:
- The new Standard Contractual Clauses (SCCs 2021).
- Adequacy decisions for countries approved by the European Commission.
- A Transfer Impact Assessment (TIA) for every sub-processor relationship.
8. Data breaches
When a breach is detected:
- Notify the customer within 72 hours with the incident details.
- Provide a comprehensive report on the cause, scope, and actions taken.
- Fully cooperate in the response and in reporting to regulators.
9. Right to audit
The customer has the right to:
- Request the annual SOC 2 Type II report.
- Conduct an annual audit with 30 days' prior notice, at their own expense.
- Obtain summarized penetration-test results.
10. Data deletion at end of service
- Upon termination of the agreement, Kwamle deletes all personal data within 90 days.
- Billing records are retained for 7 years (an accounting requirement).
- Upon request, the customer is given a JSON/CSV copy of their data before deletion.
Ready to sign?
Contact our legal team to receive a signed DPA for your organization.