Question 1

Does Keloa offer a DPA on the free plan?

Accepted Answer

Yes. The DPA is available to every customer on every plan, including the free Starter tier. There is no Enterprise gate.

Question 2

Is the Keloa DPA GDPR Article 28 compliant?

Accepted Answer

Yes. It covers the full Article 28 checklist: subject matter, duration, nature and purpose, types of personal data, categories of data subjects, controller and processor obligations, sub-processor list, security measures, breach notification, audit rights, data return/deletion. Read the published version at [/legal/dpa](https://keloa.ai/legal/dpa).

Question 3

Where can I see the sub-processor list?

Accepted Answer

At [/legal/sub-processors](https://keloa.ai/legal/sub-processors). The list includes name, purpose, location, and scope of access for each sub-processor. The DPA references this URL directly.

Question 4

How do I get a countersigned DPA?

Accepted Answer

Email **legal@keloa.ai** with your legal entity name, registration number, and signing party. We return a countersigned PDF, typically within one business day.

Question 5

Do I have to sign the DPA before signup?

Accepted Answer

No, but you can request it before signup if procurement asks. Most customers read the published DPA at [/legal/dpa](https://keloa.ai/legal/dpa) before they sign up, and request the countersigned PDF in parallel with their first invoice.

Question 6

Can my legal team redline the DPA?

Accepted Answer

The standard form is what every customer signs, so the price stays low. Material redlines are reviewed on a case-by-case basis for Business and Scale plans. For Starter and Growth, please accept the standard form or escalate to a higher plan.

Question 7

Who is the controller and who is the processor?

Accepted Answer

**You** (the customer) are the controller, you decide why and how personal data is collected and what happens to it. **Keloa B.V.** is the processor, we only act on your documented instructions. For data we collect about marketing-site visitors (not Customer Data), Keloa is itself the controller; that's covered by the [Privacy Policy](https://keloa.ai/legal/privacy), not the DPA.

Question 8

How long does Keloa take to notify me about a sub-processor change?

Accepted Answer

At least **30 days in advance**. Email notification plus update to [/legal/sub-processors](https://keloa.ai/legal/sub-processors).

Question 9

Can I object to a new sub-processor?

Accepted Answer

Yes, in writing within 30 days of the notice. Reasonable objections are addressed by limiting the change, swapping the sub-processor, or, as a last resort, terminating the affected service with a pro-rata refund.

Question 10

What is the breach notification deadline?

Accepted Answer

Without undue delay and in any event within **72 hours** of Keloa becoming aware. The notice goes to the workspace owner and any contact you've registered for security incidents.

Question 11

Where is my data physically stored?

Accepted Answer

In the EU. Primary: Amsterdam. Backups: Dublin. No transatlantic transfers of Customer Data without an applicable safeguard such as SCCs.

Question 12

Does my customer data get sent to US AI providers?

Accepted Answer

PII (emails, phone numbers, IBANs, card numbers) is **redacted before any LLM call leaves the platform** by `App\Services\Ai\PiiRedactor`. EU endpoints are preferred where the provider offers them. Where a non-EEA endpoint is used, SCCs apply and the redaction layer means full PII is never sent.

Question 13

Are my customer conversations used to train AI models?

Accepted Answer

No. Customer Conversations are not used to train shared models. The DPA prohibits this and the contracts with our LLM sub-processors enforce zero-retention or equivalent terms.

Question 14

How do I delete my data on termination?

Accepted Answer

One-click workspace delete wipes the primary store immediately. Backups purge on the standard 30-day cycle. The DPA requires return or deletion within 90 days of termination at your choice.

Question 15

How does Keloa support data subject access requests (DSARs)?

Accepted Answer

Self-service tools in the admin panel let you export, redact, or delete a specific contact's data. Keloa support assists if you need help locating data across conversations and the knowledge base.

Question 16

Where do I lodge a complaint if I'm unhappy with how Keloa handled personal data?

Accepted Answer

With your supervisory authority. In the Netherlands that's the **Autoriteit Persoonsgegevens** (autoriteitpersoonsgegevens.nl). You can also email **privacy@keloa.ai** first, most issues resolve faster directly.

Data Processing Agreement

Purpose

Subject matter and duration

Categories of data

Sub-processors

Security measures

International transfers

Data subject requests

Termination