Valid from: 11 March 2026
This Data Processing Agreement ("DPA") is concluded between Kolsetu GmbH ("Processor") and the Customer ("Controller") pursuant to Art. 28 GDPR and forms an integral part of the Contract for the provision of the Elba AI platform and related services ("Agreement"). This DPA applies to both enterprise and self-serve customers of the Elba platform.
Note on scope: This DPA governs Kolsetu's processing of Customer Personal Data in its capacity as Processor. Kolsetu also processes personal data of platform users (administrators and operators) in its capacity as Controller; that processing is described in the Kolsetu Product Privacy Policy available on the homepage (www.kolsetu.com).
The Controller determines the purposes and means of processing described herein. The Processor processes personal data solely on the Controller's documented instructions and for no other purpose.
Capitalised terms used but not defined in this DPA have the meanings given in the General Terms and Conditions, the applicable Elba Service Terms (Enterprise Service Terms or Self-Serve Terms, as applicable), and, where an Order Form has been executed, the Order Form.
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in Art. 4 GDPR or the Agreement.
Term | Definition |
--- | --- |
Agreement | The Contract between the parties for the provision of the Services, comprising the T&C, Elba Enterprise Service Terms, and Order Form. |
Customer Personal Data | Any personal data that the Processor processes on behalf of the Controller pursuant to the Agreement. |
Data Protection Laws | GDPR; the German Federal Data Protection Act (BDSG); UK GDPR and the Data Protection Act 2018; the Australian Privacy Act 1988; and applicable US state and federal privacy laws (including CCPA), each as amended from time to time and only to the extent applicable. |
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed by the Processor, as defined in Art. 4(12) GDPR. |
Services | The Elba AI platform and all associated services provided by the Processor under the Agreement. |
Sub-processor | Any data processor engaged by the Processor to process Customer Personal Data. |
TOMs | The technical and organisational measures described in Annex 2. |
Data Privacy Framework | The EU–U.S. Data Privacy Framework established by Commission Decision (EU) 2023/1795. |
2.1 Roles. The parties acknowledge that the Controller acts as a data controller and the Processor acts as a data processor within the meaning of applicable Data Protection Laws. The Processor processes Customer Personal Data solely on the Controller's behalf.
2.2 Instructions. The Controller instructs the Processor to process Customer Personal Data to the extent necessary for the provision of the Services and the performance of its rights and obligations under the Agreement. Instructions are initially set out in this DPA and may subsequently be amended by the Controller in writing.
2.3 CCPA. With respect to Customer Personal Data that constitutes "personal information" for purposes of the California Consumer Privacy Act ("CCPA"), the Processor shall not: (a) sell or share the personal information; (b) retain, use, or disclose the personal information for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by the CCPA; (c) retain, use, or disclose the personal information outside the direct business relationship between the Processor and the Controller; or (d) combine the personal information received from the Controller with personal information received from or collected from other sources, except as permitted by the CCPA. The Processor certifies that it understands and will comply with these restrictions.
The Processor processes Customer Personal Data for the duration of the Agreement, or until the Controller instructs otherwise, solely for the purpose of providing the Services.
The Processor processes Customer Personal Data in connection with:
Providing and operating the Elba AI voice automation platform
Processing voice interactions, generating transcripts, and delivering conversation analytics
Omnichannel orchestration (voice, chat, email, SMS, WhatsApp) on behalf of the Controller
Integrations with the Controller's enterprise systems including CRM, ERP, telephony, and communication platforms, via native connectors, REST API, and webhook framework, as configured by the Controller
User account management, access control, and authentication
Security monitoring, fraud prevention, and incident management
Customer support and technical troubleshooting
Depending on the Controller's use case and configuration, the Processor may process:
Contact information (name, phone number, email address)
Voice recordings and derived audio data
Conversation transcripts and interaction logs
Customer service records and case data
Account credentials and authentication data
Usage data, session logs, and activity metadata
Data from integrated enterprise systems as configured by the Controller
Data subjects may include:
End customers of the Controller who interact with the Elba platform
The Controller's employees and authorised users of the platform
Other individuals whose data is processed through integrations configured by the Controller
The Processor processes special categories of personal data (Art. 9 GDPR) solely on the documented instructions of the Controller. The Controller is solely responsible for ensuring that any submission of special category data to the platform is supported by a valid legal basis under Art. 9 GDPR, that all required conditions are satisfied, and that appropriate safeguards are in place prior to submission. The Processor applies the same technical and organisational measures to special category data as to all other Customer Personal Data.
Customer Personal Data is transferred to the Processor periodically throughout the term of the Agreement, depending on how the Controller uses the Services.
4.1.1 Process Customer Personal Data only on the Controller's documented instructions, unless required to do so under applicable law. In such cases, the Processor shall inform the Controller before processing, unless doing so is prohibited by law.
4.1.2 If the Processor considers that an instruction infringes Data Protection Laws, it shall immediately inform the Controller of its legal concerns and may suspend the instruction pending resolution.
4.2.1 Ensure that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and receive relevant data protection training.
4.3.1 Implement and maintain appropriate technical and organisational measures (TOMs) as set out in Annex 2 to ensure a level of security appropriate to the risk, including as required by Art. 32 GDPR. The Processor may update TOMs from time to time provided that such updates do not result in a degradation of the overall security level.
4.4.1 Not engage a new sub-processor or materially change the role of an existing sub-processor without providing prior written notice (minimum 30 business days) to the Controller. The sub-processor list in Section 6 of this DPA constitutes the authoritative and current record of approved sub-processors.
4.4.2 Ensure that any sub-processor engaged is bound by data protection obligations no less protective than those in this DPA, by contract or other legal act. The Processor remains fully responsible for the performance of its sub-processors' data protection obligations.
4.5.1 AI training exclusion. Neither the Processor nor any of its sub-processors shall use Customer Personal Data - including voice recordings, transcripts, conversation data, or any data derived therefrom - to train, fine-tune, or improve any general-purpose AI or machine learning model. This restriction applies regardless of whether the data has been pseudonymised. The Processor shall ensure that equivalent restrictions are contractually imposed on all AI sub-processors.
4.5.2 Data minimisation for AI inference. Where Customer Personal Data is transmitted to AI sub-processors for inference processing, the Processor shall ensure that only the minimum data necessary for the specific inference request is transmitted. AI sub-processors shall not retain Customer Personal Data beyond the duration of the inference session, except as required by applicable law.
4.5.3 Biometric data. The Processor does not derive biometric identifiers or voiceprints from voice recordings processed through the Elba platform and does not process voice recordings as biometric data within the meaning of Art. 9 GDPR or equivalent provisions under applicable Data Protection Laws. Voice recordings are processed solely for the purposes of transcription, intent analysis, and conversation analytics as described in Annex I-B.
4.6.1 Assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III GDPR (rights of access, rectification, erasure, restriction, portability, and objection). Requests received directly by the Processor from Data Subjects shall be forwarded to the Controller without undue delay and in any event within five (5) business days. The Processor shall not respond to Data Subject requests directly without the Controller's prior authorisation, unless legally compelled to do so.
4.7.1 Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIAs, and prior consultation with supervisory authorities), taking into account the nature of processing and information available to the Processor.
4.7.2 Where the Controller is required to provide information to a competent supervisory authority, provide reasonable assistance to the Controller, at the Controller's cost, by providing such information to the extent it is in the Processor's possession.
4.8.1 At the Controller's choice, delete or return all Customer Personal Data upon termination of the Services and delete existing copies, unless Union or Member State law requires retention. Deletion shall be completed within 30 days of termination or Controller instruction. Written confirmation of deletion is available on request.
4.9.1 Make available to the Controller all information reasonably necessary to demonstrate compliance with Art. 28 GDPR. The Controller shall provide reasonable advance written notice of any requested audit (no less than 30 business days, except in the event of a suspected breach). Audits shall occur no more than once per year and by one of the following means: (a) the Processor supplying a copy of its current audit reports prepared by independent third-party auditors (e.g. ISO 27001 certification, SOC 2 Type II); (b) the Processor providing written responses to information security questionnaires; or (c) the Controller instructing a directed inspection of agreed TOMs, the results of which the Processor shall share in summary format.
5.1 Comply with all applicable Data Protection Laws with respect to Customer Personal Data. The Controller shall not use the Services in a manner that violates Data Protection Laws.
5.2 Represent and warrant that it has a valid legal basis under Art. 6 GDPR (and Art. 9 where applicable) for all personal data submitted to the Processor, and for any transfer of Customer Personal Data to the Processor. The Controller shall immediately notify the Processor if any change occurs in the legal bases for processing.
5.3 Ensure that all required notices have been given to, and where necessary all required consents obtained from, Data Subjects in connection with the processing performed under this DPA.
5.4 Have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Controller acquires it.
5.5 Promptly inform the Processor of any inquiry or complaint received from a Data Subject or supervisory authority relating to the processing of Customer Personal Data under this DPA.
5.6 General sub-processor consent. The Controller provides general written authorisation for the Processor to engage sub-processors and Processor affiliates in the processing of Customer Personal Data, subject to the notification and objection procedure in Section 6.
6.1 The authoritative list of sub-processors engaged by the Processor as at the effective date of this DPA is set out in Annex I-C. Any changes to sub-processors are subject to the notification and objection procedure in clauses 6.2 and 6.3, and result in a new version of Annex I-C being issued to the Controller.
6.2 The Processor will provide at least 30 business days' advance written notice of any intended addition to or replacement of sub-processors. The Controller may, within 10 business days of receiving such notice, object to a new or replacement sub-processor on substantiated data protection grounds ("Legitimate Reasons"). If the Controller does not notify the Processor of an objection within this period, the Controller is deemed to have accepted the new sub-processor.
6.3 If the Controller raises an objection, the Processor shall work with the Controller in good faith to address the Legitimate Reasons. If the parties cannot agree within 20 business days of the Processor's receipt of the objection, the Controller may by written notice terminate the service components that require the use of the proposed sub-processor.
6.4 The Processor remains fully responsible to the Controller for the data protection performance of all sub-processors.
6.5 Customer-supplied AI providers. Where the Controller configures the Services to use third-party AI model providers under the Controller's own accounts and agreements (including but not limited to self-supplied LLM API keys), the Controller is solely responsible for compliance with applicable Data Protection Laws in respect of those providers, including the conclusion of any required data processing agreements. Such providers are not sub-processors of the Processor and are not covered by this DPA.
7.1 All AI inference processing of Customer Personal Data takes place exclusively through Azure OpenAI Service within the Azure EU region. The Processor shall ensure that any transfer of Customer Personal Data to third countries (outside the EEA) complies with Chapter V GDPR by relying on: (a) an EU Commission adequacy decision; (b) EU Standard Contractual Clauses (Commission Decision 2021/914); or (c) in respect of US providers self-certified under the Data Privacy Framework, the Data Privacy Framework as defined by Commission Decision (EU) 2023/1795.
7.2 Transfer mechanism precedence. Where more than one transfer mechanism is applicable, transfers will be subject to mechanisms in the following order of precedence: (a) the Data Privacy Framework; (b) EU Standard Contractual Clauses; (c) other alternative transfer mechanisms permitted under applicable law.
7.3 Transfer impact assessments (TIAs) are conducted by the Processor for all transfers to third-country sub-processors. TIA documentation is available to the Controller on written request.
The Processor implements and maintains appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Full details are set out in Annex 2. Key measures include:
Encryption of Customer Personal Data in transit and at rest using industry-standard algorithms
Role-based access controls and multi-factor authentication for all privileged access
Logical tenant isolation - each customer's data is processed in a dedicated, logically isolated environment
Regular penetration testing and continuous vulnerability management by qualified providers
Documented incident detection, response, and escalation procedures
Personnel data protection training and appropriate background screening
Business continuity and disaster recovery provisions, tested at least annually
Sub-processor oversight ensuring equivalent data protection standards throughout the supply chain
9.1 In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware.
9.2 The notification shall include, to the extent known: the nature of the breach; the categories and approximate number of Data Subjects affected; the categories and approximate number of records affected; likely consequences; and measures taken or proposed. Where complete information is not available in the initial notification, it shall be provided in phases without undue delay.
9.3 The Processor shall document all breaches and remediation measures in accordance with Art. 33(5) GDPR.
10.1 The Processor has implemented measures to regulate the disclosure of Customer Personal Data to government entities. These measures require the Processor to consider its obligations to comply with any governmental order or demand and its legal obligations to protect Customer Personal Data.
10.2 To the extent permitted by law, the Processor shall promptly notify the Controller of any legally binding request for disclosure of Customer Personal Data by a law enforcement or government authority before responding to such a request. If the Processor is not permitted to provide notification to the Controller, it will seek permission to do so or ask the issuing authority to seek the information directly from the Controller.
10.3 The Processor shall challenge a governmental order or demand when appropriate and valid legal grounds exist. If production is required to comply with a valid court order or demand, the Processor shall disclose the minimum amount of Customer Personal Data necessary to comply.
10.4 With regard to personal data of EEA residents, the Processor abides by the obligations set forth in the EU SCCs in respect of government access requests.
Where a processing activity is likely to result in a high risk to the rights and freedoms of Data Subjects, the Processor shall provide reasonable assistance to the Controller in conducting a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR, including by providing information about its processing activities and security measures.
12.1 Each party's liability under this DPA is subject to the limitations set out in the T&C. Claims brought under this DPA shall be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth therein; provided that neither party has limited liability under the Agreement with respect to any Data Subject's rights under Data Protection Laws where such limitation is prohibited by applicable law.
12.2 In the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall prevail.
This DPA enters into force upon signature (or, where the Agreement is executed via an Order Form, upon execution of the Order Form) and remains in force for the duration of the Agreement. Upon termination of the Agreement, this DPA terminates automatically. The obligations in Sections 4.2 (confidentiality), 4.8 (data return and deletion), and 9 (breach notification) shall survive termination.
14.1 Governing law. This DPA is governed by the laws of the Federal Republic of Germany. Disputes are subject to the dispute resolution provisions of the T&C.
14.2 Amendments. Amendments to this DPA require written form. In the event of conflict, this DPA takes precedence over the Agreement.
14.3 Notices. All notices under this DPA shall be sent to the addresses provided in the Agreement.
14.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.5 SCCs. To the extent the EU SCCs conflict with any provision of this DPA, the SCCs shall prevail to the extent of such conflict. It is not the intention of the parties to contradict or restrict any provision of the SCCs.
14.6 Language and translations. This DPA is made available in English and German, both of which have been reviewed for legal accuracy. The English text is the authoritative version for all purposes, including interpretation, dispute resolution, and enforcement. Translations into other languages may be published for ease of reference only and have no legal effect. In the event of any inconsistency between the English text and any translation, the English text prevails.
Privacy Contact: privacy@kolsetu.com
Address: Kolsetu GmbH, Gaensemarkt 33, 20354 Hamburg, Germany
Name: Customer as defined in the Order Form or during account registration (Elba Self-Serve)
Address: As defined in the Order Form or during account registration (Elba Self-Serve)
Contact: As defined in the Order Form or during account registration (Elba Self-Serve)
Signature: Enterprise customers accept this DPA by signing the Order Form. Self-serve customers accept this DPA by completing account registration and accepting the Elba Self-Serve Terms. In both cases, acceptance of this DPA includes, where applicable, acceptance of the EU Standard Contractual Clauses.
Role: Controller
Name: Kolsetu GmbH
Address: Gaensemarkt 33, 20354 Hamburg, Germany (HRB 191266)
Privacy Contact: privacy@kolsetu.com
Role: Processor
Note: As Kolsetu GmbH is established in Germany (EEA), the primary controller–processor relationship does not require EU Standard Contractual Clauses. SCCs apply only to onward transfers to third-country sub-processors as set out in the sub-processor table in Section 6 and Annex I-B.
Item | Detail |
--- | --- |
Subject matter | Processing of personal data in connection with the provision of the Elba AI platform and Services. |
Duration | For the term of the Agreement, unless the Controller instructs earlier deletion or return. |
Nature of processing | Collection, storage, use, transfer, and deletion of Customer Personal Data by automated means, including real-time AI processing of voice interactions and conversation data. |
Purposes | Provision and operation of the Elba platform; AI voice automation and omnichannel orchestration; enterprise integrations; analytics and reporting; security and support. |
Categories of data | As listed in Section 3.3 of this DPA. |
Categories of subjects | As listed in Section 3.4 of this DPA. |
Sensitive data (Art. 9 GDPR) | The Processor processes special categories of personal data solely on the documented instructions of the Controller. The Controller is solely responsible for ensuring that any submission of special category data to the platform is supported by a valid legal basis under Art. 9 GDPR (or equivalent provision under applicable Data Protection Laws), that all required consents or other conditions are met, and that appropriate safeguards are in place prior to submission. The Processor applies the same technical and organisational measures to special category data as to all other Customer Personal Data under this DPA. |
Sub-processors | As listed in Annex I-C of this DPA. |
Transfer frequency | Periodically throughout the term of the Agreement, depending on the Controller's usage of the Services. |
Retention | Voice recordings: as configured by the Controller (default maximum 90 days). All other data: for the term of the Agreement unless earlier deletion is instructed. |
The competent supervisory authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), in accordance with Clause 13 of the SCCs, as Kolsetu GmbH is established in Hamburg, Germany.
This Annex lists all sub-processors engaged by Kolsetu GmbH as at the effective date of this DPA. Changes to this list are subject to the notification and objection procedure in Section 6. A new version of this Annex will be issued to the Controller when sub-processor arrangements change.
Sub-processor | Registered address | Service | Data location | Transfer basis |
--- | --- | --- | --- | --- |
Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | Cloud infrastructure (compute, storage, network); EU data centres (Frankfurt) | EEA | No transfer required |
Microsoft Ireland Operations Ltd. (Azure) | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland | Cloud hosting and infrastructure; EU data centres (Frankfurt / West Europe) | EEA | No transfer required |
Microsoft Ireland Operations Ltd. (Azure OpenAI) | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland | AI inference (voice, NLP, LLM) via Azure OpenAI Service; processed exclusively within Azure EU region | EEA | No transfer required |
Anthropic (Claude) | Anthropic Ireland Ltd., 77 Sir John Rogerson's Quay, Dublin 2, Ireland | AI language model for internal security, compliance, and operational use cases; EU region | EEA | No transfer required |
Google Ireland Limited | Gordon House, Barrow Street, Dublin 4, Ireland | Google Workspace — internal collaboration, email, calendar, and document management; may incidentally contain customer support and operational data | EEA | No transfer required |
LiveKit Inc. | 4285 Payne Avenue, Suite 9154, San Jose, CA 95157, United States | Real-time audio/WebRTC for live AI interactions; data processed in EU data centres (Germany) | EEA (EU endpoint) | EU SCCs (Commission Decision 2021/914) |
Meta Platforms Ireland Limited | Merrion Road, Ballsbridge, Dublin 4, Ireland | WhatsApp Business API - omnichannel customer communication via WhatsApp; EU region | EEA | No transfer required |
Twilio Ireland Limited | 25–28 North Wall Quay, Dublin 1, Ireland | Cloud communication APIs (SMS, VoIP, WebRTC, two-factor authentication) | EEA | No transfer required |
Soniox | Cesta v Gorice 34B, 1000 Ljubljana, Slovenia | Speech-to-text service | EEA | No transfer required |
Slack Technologies Limited | One Park Place, Hatch Street Upper, Dublin 2, Ireland | Internal communication and real-time customer support routing; may incidentally contain customer interaction data shared in support workflows | EEA | No transfer required |
Zoho Corporation GmbH | Trinkausstraße 7, 40213 Düsseldorf, Germany | CRM: customer acquisition, account management, and support | EEA | No transfer required |
Stripe Payments Europe Ltd. | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland | Payment processing (enterprise invoicing) | EEA | No transfer required |
UAB Revolut Business | Konstitucijos ave. 21B, Vilnius, LT-08130, Lithuania | Payment processing (enterprise invoicing and collections) | EEA | No transfer required |
PayPal (Europe) S.à.r.l. et Cie, S.C.A. | 22–24 Boulevard Royal, L-2449 Luxembourg | Payment processing (card payments and cashless transactions) | EEA | No transfer required |
Kolsetu GmbH maintains an ISMS aligned to ISO 27001 and reviews and updates these measures at least annually. The following measures are in place as of the effective date of this DPA.
Domain | Commitment |
--- | --- |
Organisation and Governance | Kolsetu has appointed a CISO/DPO responsible for information security. A documented policy framework covering all material security domains is maintained and reviewed at least annually. |
Risk Management | Formal risk assessments are conducted prior to deploying new processing activities and reviewed at least annually. |
Access Control | Access to systems processing Customer Personal Data is granted on a least-privilege, need-to-know basis. Multi-factor authentication is enforced for privileged access. |
Encryption | Customer Personal Data is encrypted at rest and in transit using industry-standard algorithms. TLS is enforced for all data transmitted over public networks. |
Physical Security | Cloud infrastructure is hosted in ISO 27001-certified data centres. Physical access controls are maintained by the hosting provider (Microsoft Azure). |
Security Testing | Regular penetration testing and vulnerability assessments are conducted. Identified vulnerabilities are remediated according to severity-based timelines. |
Incident Management | A documented incident response plan is maintained. The Controller is notified within 48 hours of the Processor becoming aware of a personal data breach. |
Business Continuity | Backup and recovery procedures are maintained and tested. Redundant infrastructure is designed to support service continuity. |
Vendor Management | Sub-processors are subject to contractual data protection obligations no less protective than this DPA. Due diligence is conducted before onboarding new sub-processors. |
Government Access | Kolsetu implements technical, contractual, and organisational measures to protect Customer Personal Data against unlawful access by foreign authorities, as further described in Section 10. |