Data Processing Agreement

Last updated: 2026-05-15

This DPA is incorporated into the Terms of Service and applies whenever the Service processes personal data of your end-users on your behalf. By using Kuaray Oka, you accept this DPA. Enterprise customers requiring a signed copy can request one via info+privacy@kuaray.tech.

1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings given in the GDPR (Regulation 2016/679). Equivalent LGPD terms ("controlador", "operador", "titular", "dado pessoal", "tratamento", "suboperador") are deemed interchangeable for this DPA.

"Customer Personal Data" means personal data of your end-users (visitors to your landing pages, leads, booking customers, WhatsApp conversation partners) that Kuaray Oka processes on your behalf through the Service.

2. Roles

For Customer Personal Data, you are the Controller and Kuaray Oka is the Processor. You determine the purposes and means of processing (the forms you publish, the WhatsApp number you connect, the calendar you expose). We process only on your documented instructions, which include the configuration choices you make in-product and the operation of the Service itself.

3. Subject matter, duration, nature, purpose

Subject matter: Processing of personal data collected through your landing pages, booking calendars, contact-capture flows, and WhatsApp integration.

Duration: For as long as you maintain an active workspace, plus the retention windows described in our Privacy Policy.

Nature and purpose: Storage, retrieval, transmission, organisation, and erasure of Customer Personal Data so that the Service can render landing pages, accept lead and booking submissions, send notification emails, and operate the WhatsApp AI agent feature.

Types of personal data: name, email address, phone number, free-text inputs, conversation transcripts, attribution parameters (UTMs, click IDs), IP address (transient, for rate-limiting only).

Categories of data subjects: Visitors to your landing pages who voluntarily submit information via forms, booking flows, or WhatsApp.

4. Processor obligations

We will:

  • process Customer Personal Data only on your instructions;
  • keep Customer Personal Data confidential and ensure persons authorised to process it are bound by confidentiality;
  • maintain appropriate technical and organisational measures (see Section 7);
  • assist you (taking into account the nature of the processing) in responding to data-subject requests;
  • notify you without undue delay (and within 72 hours where required by GDPR Art. 33) of any Personal Data Breach affecting your workspace;
  • at termination, delete Customer Personal Data as described in the Privacy Policy unless retention is required by law;
  • make available the information necessary to demonstrate compliance and contribute to audits — practically, by providing up-to-date documentation, security overviews on request, and a point-of-contact for follow-up questions.

5. Sub-processors

You give general authorisation to engage the sub-processors listed at /legal/subprocessors. We will publish any addition or replacement on that page at least 14 days before it takes effect. You can object to a sub-processor change in writing; if we cannot accommodate your objection, you may terminate the affected service.

6. International transfers

Customer Personal Data is processed in the United States (AWS us-east-1). Where this constitutes a restricted transfer under GDPR Chapter V, the parties incorporate the EU Commission's Standard Contractual Clauses (Implementing Decision 2021/914) as follows: Module Two (Controller to Processor) applies, with Clauses 7 (docking), 9(a) Option 2 (general written authorisation for sub-processors, 14-day notice period), 11(a) (no independent dispute resolution body), 17(c) (governing law: Republic of Ireland), 18(b) (forum and jurisdiction: Republic of Ireland). Where the data exporter is located in Brazil, the parties rely on equivalent contractual safeguards under LGPD Art. 33 II.

7. Security measures

We implement and maintain, at minimum:

  • TLS 1.2+ for all data in transit;
  • AES-256 encryption at rest for primary database, backups, and object storage;
  • bcrypt password hashing;
  • secrets stored in AWS Secrets Manager, accessed via least-privilege IAM roles;
  • private-subnet database with security-group ingress restricted to application containers;
  • JWT-based authentication with RS256-signed tokens and short lifetimes;
  • per-IP rate limiting on public endpoints;
  • multi-AZ database with daily encrypted backups;
  • versioned infrastructure-as-code review and CI checks before production deployment.

8. Data subject requests

If a data subject contacts us directly with a request relating to Customer Personal Data, we will not respond substantively unless you instruct us to. We will forward the request to you and assist you in fulfilling it, including by providing data export or deletion at a workspace-scoped level on request.

9. Liability

Each party's liability under this DPA is subject to the limitation-of-liability provisions of the Terms of Service. Nothing in this DPA limits or excludes either party's liability to a data subject under applicable data-protection law.