Data Processing Addendum
Last updated: June 17, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the business client ("Client," "Controller") and KAVE ADVISORS LLC and/or KAVE ADVISORS SAS, operating as "Kyto" ("Kyto," "Processor"), for services that involve Kyto processing personal data on the Client's behalf (the "Agreement"). It applies to Kyto's processing of personal data of the Client's end users and contacts, including data handled through the WhatsApp Business Platform. Where this DPA conflicts with the Agreement on data-protection matters, this DPA prevails. This page is the standard form of Kyto's DPA; an executed copy is provided to Clients on onboarding. To request a signed DPA, contact info@kyto.io.
1. Definitions
"Data Protection Laws" means all laws applicable to the processing, including the EU/UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and Colombia's Ley 1581 de 2012 and Decreto 1074 de 2015. Terms such as "controller," "processor," "service provider," "personal data," "personal information," "data subject," "processing," "Responsable," and "Encargado" have the meanings given under the applicable Data Protection Laws. "Sub-processor" means any third party engaged by Kyto to process personal data under the Agreement.
2. Roles and Scope
The Client is the controller (Responsable) and Kyto is the processor (Encargado / service provider). The subject matter, duration, nature and purpose of processing, the types of personal data, and the categories of data subjects are described in Annex I. Kyto will process personal data only on the Client's documented instructions (including for transfers), with the Agreement and applicable statements of work constituting the Client's initial documented instructions, and solely to provide the services and for no other purpose. Kyto will inform the Client if, in its opinion, an instruction infringes Data Protection Laws.
3. Client (Controller) Obligations
The Client warrants that it has a valid lawful basis and has obtained all necessary rights, consents, and opt-ins to share end-user data with Kyto and the WhatsApp Business Platform and to message its end users, and that it maintains its own end-user privacy notice. The Client will indemnify Kyto for breach of this Section. The Client is responsible for honoring opt-out requests as described in the Terms of Service.
4. Kyto (Processor) Obligations
- Instructions and purpose: process only on the Client's documented instructions and solely for the services
- Confidentiality: ensure personnel and contractors authorized to process are bound by confidentiality
- Security: implement and maintain the technical and organizational measures in Annex II, consistent with GDPR Art. 32 and meeting or exceeding industry standards
- Assistance: assist the Client, by appropriate measures, with data-subject requests, security, breach notification, data protection impact assessments, and prior consultation
5. Sub-Processors
The Client provides general written authorization for Kyto to engage the sub-processors listed in Annex III. Kyto will maintain a current, versioned list, will notify the Client of any intended addition or replacement, and will give the Client a reasonable opportunity to object. Kyto will impose data-protection obligations on each sub-processor that are no less protective than this DPA by written contract, and Kyto remains fully liable to the Client for its sub-processors' performance.
6. Data Subject Requests
Taking into account the nature of the processing, Kyto will assist the Client, by appropriate technical and organizational measures, in responding to requests from data subjects to exercise their rights (access/know, deletion, correction, objection, portability, and others). Kyto will promptly notify the Client of any such request it receives directly and will not respond except on the Client's instructions. Kyto will notify the Client immediately if Meta forwards any user data-rights request relating to the Client's end users.
7. Personal Data Breach
Kyto will notify the Client without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Client's data, and will provide information reasonably necessary for the Client to meet its own notification obligations. For Colombian processing, Kyto will support the Client's ability to update, rectify, or suppress data within 5 business days where instructed, and acknowledges its own duty to report security incidents to the SIC where applicable.
8. Audits and Information
Kyto will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by the Client or its mandated auditor. Audits may be limited to once per 12-month period (except following a breach), subject to reasonable confidentiality and security conditions, and Kyto may satisfy audit requests by providing recognized third-party reports (such as SOC 2 or ISO 27001) where available.
9. Deletion, Return, and WhatsApp Account Portability
On termination of the services, Kyto will, at the Client's choice, delete or return the Client's personal data and delete existing copies, except to the extent retention is required by law or by Meta's platform rules (for example, limited access records that Meta requires Kyto to retain for at least one year after termination; such records do not include message content). On the Client's request to assume control of its WhatsApp Business Account, Kyto will assist in transferring the account and related data to the Client or a new provider within 30 calendar days and will promptly delete the account data from its systems unless instructed otherwise.
10. International Transfers
Where the processing involves transfers from the EEA or UK to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two, controller-to-processor, and Module Three, processor-to-sub-processor) and, for UK data, the UK International Data Transfer Addendum, with the Annexes completed by reference to Annexes I–III of this DPA. A transfer impact assessment is conducted where required, and the Standard Contractual Clauses prevail in the event of conflict with this DPA. For transfers from Colombia, the parties enter into the international transmission terms required by Decreto 1074 de 2015 (Título 2.2.2.25) and rely on a valid transfer basis under current SIC guidance.
11. CCPA / CPRA Service Provider Terms
With respect to personal information subject to the CCPA/CPRA, Kyto is a "service provider." Kyto will:
- not sell or share the personal information;
- not retain, use, or disclose the personal information for any purpose other than the specific business purposes of performing the services set out in the Agreement;
- not retain, use, or disclose the personal information for any commercial purpose other than those specified business purposes;
- not retain, use, or disclose the personal information outside the direct business relationship with the Client;
- not combine the personal information with personal information from other sources, except as permitted by the CCPA/CPRA;
- provide the same level of privacy protection required of businesses by the CCPA/CPRA;
- grant the Client rights to take reasonable and appropriate steps to ensure Kyto uses the personal information consistently with the Client's obligations (including audit/monitoring rights);
- grant the Client the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of the personal information;
- enable the Client to respond to verifiable consumer requests; and
- notify the Client if Kyto determines it can no longer meet its obligations under the CCPA/CPRA.
The specified business purposes are those described in the Agreement and Annex I (operating and supporting the Client's messaging and automation services).
12. Meta Platform and WhatsApp Terms
With respect to data obtained through Meta's platforms (including the WhatsApp Business Platform), Kyto will: use such data only on the Client's instructions and solely to provide the services; not build or augment profiles of WhatsApp users; not sell, license, or transfer the data to any third party; not use the data for retargeting on or off Meta's platforms; and not use the data to train, develop, or improve any AI or machine-learning models. Client end-user data is processed using the paid tier of the Google Gemini API and is not used to train, develop, or improve any AI or machine-learning models; it is never routed to any free or consumer AI tier, and sub-processors are contractually prohibited from using it for model training. These commitments are stated identically in Kyto's Privacy Policy and in its responses to Meta's App Review data-handling questionnaire.
13. Colombia — Encargado Duties
When acting as Encargado under Ley 1581 de 2012, Kyto will: guarantee the data subject's habeas-data rights; maintain the security and confidentiality of the information; update, rectify, or suppress data within 5 business days when instructed by the Responsable; process data only for the authorized purposes and per the Responsable's instructions; apply the Responsable's data-treatment policy; and inform the Responsable of any security incidents.
14. Liability and Precedence
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. In case of conflict, the order of precedence is: (1) the Standard Contractual Clauses (where incorporated); (2) this DPA; (3) the Agreement.
15. Term
This DPA takes effect on acceptance of the Agreement and remains in force while Kyto processes personal data for the Client. Sections that by their nature should survive termination will do so.
Annex I — Details of Processing
- Subject matter: provision of messaging and workflow automation services, including on the WhatsApp Business Platform
- Duration: the term of the Agreement
- Nature and purpose: receiving, generating, routing, and storing messages and related records to operate the Client's automations and customer communications
- Types of personal data: end-user phone numbers and WhatsApp profile names; message content and metadata; opt-in/opt-out records; CRM/business records the Client chooses to sync
- Categories of data subjects: the Client's customers, leads, and contacts
- Special categories: none intended; the Client must not submit sensitive or regulated data through the services
Annex II — Security Measures
- Encryption of personal data in transit and, where supported, at rest
- Role-based access controls, least-privilege access, and authentication for systems handling personal data
- Network and application security controls and logging/monitoring
- Pseudonymization or minimization where practicable
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Regular review and testing of the effectiveness of these measures
- Incident response procedures and personnel confidentiality and training
Annex III — Approved Sub-Processors
The current sub-processors are those listed in Section 8 of our Privacy Policy (including Meta/WhatsApp, n8n, Make, Google Gemini API/Cloud, HubSpot, Vercel, Sanity, and NeetoCal, as applicable to the services). An up-to-date list with processing locations is available on request at info@kyto.io.