Data Processing Agreement
Last updated: July 2025
1. Scope & Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Colabe ("Processor") and the business entity using the Service ("Controller"). This DPA governs how Colabe processes personal data on behalf of the Controller in connection with the Service.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
"Processing" means any operation performed on Personal Data, including collection, storage, use, transfer, and deletion.
"Sub-processor" means a third party engaged by Colabe to process Personal Data on behalf of the Controller.
3. Data Processing Details
Categories of data subjects: Business owners, employees, customers of the Controller's business.
Types of personal data: Names, email addresses, phone numbers, addresses, transaction data, communication content, device identifiers.
Purpose of processing: Providing the Colabe platform services including AI-powered business operations, payment processing, customer communications, and analytics.
Duration: For the duration of the service agreement plus the data retention period outlined in the Privacy Policy.
4. Processor Obligations
Colabe shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorized to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to data subject rights requests.
- Delete or return all Personal Data upon termination of the agreement, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow audits.
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach.
5. Sub-processors
Colabe engages the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & data storage | US / EU regions |
| Stripe | Payment processing | US / EU |
| OpenAI | AI model inference | US |
| Amazon SES | Transactional email delivery | US / EU |
| Amazon SNS | SMS delivery | US / EU |
The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the agreement.
6. International Transfers
Where Personal Data is transferred outside the EU/EEA or the country of origin, Colabe ensures appropriate safeguards through: (a) EU Standard Contractual Clauses (SCCs); (b) adequacy decisions; (c) other legally recognized transfer mechanisms. The latest SCCs adopted by the European Commission (2021/914) are incorporated by reference.
7. Security Measures
Colabe implements the following security measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Access controls with role-based permissions and multi-factor authentication.
- Regular vulnerability assessments and penetration testing.
- Automated backup and disaster recovery procedures.
- Logging and monitoring of access to Personal Data.
- Employee security training and background checks.
8. Data Breach Notification
In the event of a personal data breach, Colabe will: (a) notify the Controller within 72 hours of becoming aware; (b) provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate; (c) cooperate with the Controller in notifying supervisory authorities and affected data subjects as required by law.
9. Audits
Colabe shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller may conduct audits, including inspections, with reasonable notice (at least 30 days). Colabe will cooperate with audits and provide access to relevant facilities and records.
10. Term & Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, Colabe will, at the Controller's election, return or delete all Personal Data within 30 days, unless retention is required by applicable law. Colabe will provide certification of deletion upon request.
11. Contact
For questions about this DPA or to exercise your rights, contact our Data Protection Officer at dpo@colabe.app.