Pre-launch draft · Not legal advice

Data Processing Addendum

Last updated: 1 July 2026 · Reviewed by qualified counsel before any live campaign.

Processing terms between Kleos and partners who act as data controllers for their prospect and customer data. This DPA forms part of the Terms of Service.

Roles

For a partner's prospect and customer data, the partner is the controller and Kleos is the processor, processing only on the partner's documented instructions to provide calling, booking, coaching, and reporting. For our own accounts, website, and billing data, Kleos is the controller.

Scope and purpose

Kleos processes personal data solely to deliver the service and to meet legal obligations — research and scoring, compliant outreach, appointment booking, transcript handling, and reporting — and not for any independent purpose.

Subprocessors

The partner authorizes Kleos to engage the subprocessors below, each bound by data-protection terms. We will give notice of material changes so a partner can object.

  • Retell AI — AI voice agent orchestration.
  • Twilio — telephony and (where enabled) SMS notifications.
  • Google (Calendar API) and Microsoft (Graph) — free/busy and booked-event write-back.
  • Stripe — subscription billing and payments.
  • Resend — transactional email delivery.
  • Anthropic — the LLM behind research, scripts, and the Kleos AI coach.
  • Supabase — application database and authentication.
  • Vercel — application hosting.

Security measures

  • Tenant isolation via row-level security so a partner's data is not accessible to another partner.
  • Least-privilege access and service-role separation for privileged operations.
  • Encryption of sensitive tokens at rest and encryption in transit.
  • Audit logging, consent and suppression controls, and safe-by-default gating of external actions.
  • Calendar access limited to free/busy and a single booked event — never event titles or attendees.

International transfers

Where personal data is transferred internationally, Kleos relies on appropriate safeguards (Standard Contractual Clauses and the UK International Data Transfer Addendum) and data minimization.

Data-subject requests, breach, deletion, and audit

Kleos assists the partner in responding to data-subject requests and, taking into account the nature of processing, in meeting security and breach-notification obligations. On termination, Kleos deletes or returns personal data except where retention is legally required (for example telemarketing records and suppression lists). Partners may request information reasonably necessary to demonstrate compliance.

Contact

Data-protection contact: dpo@kleos.click.