Data Processing Agreement
Data Processing Agreement (DPA)
This DPA is an addendum to the Terms of Service โ automatically effective when Customer subscribes to a CAIKU paid plan. This document enables Customer and CAIKU to comply with PDPA Section 40 (Data Controller-Processor relationship).
This English version is provided for convenience. In case of conflict between Thai and English versions, the Thai version shall prevail for matters governed by Thai law.
1. Parties & Purpose
This DPA is an addendum to the Terms of Service. The parties are:
- Data Controller: Customer (the company subscribed to CAIKU)
- Data Processor: CAIKU
This DPA sets out the terms under which CAIKU processes personal data on behalf of Customer, in compliance with PDPA Section 40.
2. Scope of Processing
| Element | Details |
|---|---|
| Data Type | End-user data: name, phone number, email, conversation logs, voice recordings |
| Data Subjects | End-users that Customer interacts with via CAIKU (Customer's customers) |
| Purpose | Providing the AI Agent service as configured by Customer |
| Duration | Throughout subscription + retention period (per Privacy Policy) |
| Sub-processors | OpenAI, Anthropic, Google, Twilio, Supabase (full list in Section 5) |
3. CAIKU's Obligations (Data Processor)
- Process data only on Customer's instructions
- Maintain confidentiality โ not disclose Customer data to third parties
- Apply appropriate security measures (encryption, access control, audit logs)
- Assist Customer in responding to DSR requests within 14 days
- Notify Customer of any data breach within 72 hours
- Delete data when Customer cancels service (within 30 days of request)
- Permit audit upon Customer's request (1 per year โ Customer's expense)
- Sign DPAs with all sub-processors
4. Customer's Obligations (Data Controller)
- Obtain consent from Customer's end-users as required by PDPA
- Provide Customer's own Privacy Notice
- Verify legal basis for each processing purpose
- Respond to DSR requests from Customer's end-users
- Maintain confidentiality of access credentials
- Not upload sensitive data under PDPA Section 26 without explicit consent
5. Sub-Processors
Customer pre-authorizes CAIKU to use the sub-processors listed in Annex A below. CAIKU will provide 30 days' advance notice when adding a new sub-processor โ Customer has the right to object and terminate the service.
5.1 Annex A โ Current Sub-Processors
| Vendor | Service | Location | DPA Status |
|---|---|---|---|
| OpenAI, L.L.C. | GPT API + Realtime API + Whisper | USA | โ Signed |
| Anthropic PBC | Claude API | USA | โ Signed |
| Google LLC | Gemini + Cloud | USA / Asia | โ Signed |
| Twilio Inc. | Voice telephony | USA | โ Signed |
| Retell AI / Vapi | Voice agent infrastructure | USA | โ Signed |
| Supabase Inc. | Database + Auth | USA / EU | โ Signed |
| Railway Corp. | App hosting | USA | โ Signed |
| Cloudflare Inc. | CDN + security | Global | โ Signed |
6. Security
CAIKU applies the security measures specified in Privacy Policy Section 7. Additional details:
- Encryption in transit: TLS 1.3+
- Encryption at rest: AES-256
- Access control: Role-based + MFA + IP whitelist option
- Audit logs: 5-year retention
- Backup: Daily + 30-day rolling retention
- Incident response: 24/7 on-call team
- Penetration testing: Annual third-party
- Vulnerability scanning: Continuous (automated)
7. International Transfer
Data may be transferred internationally (primarily to USA) via sub-processors. CAIKU uses Standard Contractual Clauses (SCCs) in DPAs with all sub-processors. Customer acknowledges and consents to these transfers.
8. Data Subject Rights
If Customer's end-user submits a DSR directly to CAIKU:
- CAIKU will forward the request to Customer within 5 business days
- Customer is responsible for responding to the end-user (Customer is Data Controller)
- CAIKU will assist in execution (delete, export, correct) per Customer's instructions
9. Audit Rights
- Customer may audit CAIKU once per year
- 30 days' advance notice required
- Customer bears the audit cost
- CAIKU may require an NDA prior to audit
- Alternative โ Customer may accept CAIKU's SOC 2 / ISO 27001 reports in lieu
10. Termination
- This DPA terminates when the Terms of Service terminate
- CAIKU deletes data within 90 days of termination
- Customer may export data within the first 30 days
- A deletion certificate is issued upon request