Data Processing Addendum (DPA)

Last Updated: December 5, 2025

This Data Processing Addendum ("DPA") forms part of any agreement between Lokos AI LLC ("Processor") and any business customer ("Controller") who submits personal data to Lokos AI.

This DPA reflects the requirements of GDPR, CPRA, and other global privacy laws.

1. Definitions

Controller means the entity determining the purposes and means of processing personal data.

Processor means Lokos AI, which processes data on behalf of the Controller.

Personal Data means any information relating to an identified or identifiable natural person.

Subprocessors means third parties engaged by Lokos AI to process Personal Data.

2. Roles and Responsibilities

Controller is responsible for providing a lawful basis for collecting Personal Data.

Lokos AI processes Personal Data solely to provide, maintain, improve, and support its Services.

Lokos AI does not "sell" or "share" Personal Data as defined under CPRA.

3. Scope of Processing

Lokos AI may process:

  • User account information
  • Voice or audio interactions
  • Text messages and transcripts
  • Metadata such as analytics, logs, and quality signals

Purposes include:

  • Operating conversational AI systems
  • Generating aggregated insights
  • Model improvement using anonymized or aggregated data
  • Security, fraud prevention, and compliance

4. Subprocessors

Lokos AI uses subprocessors such as:

  • Google Cloud Platform (hosting, storage, security)
  • Twilio (telephony and voice routing)
  • OpenAI (AI model inference)
  • AstraDB or DataStax (vector storage)

Lokos AI ensures subprocessors are bound to privacy and security obligations at least as protective as those in this DPA.

5. Security Measures

Lokos AI maintains:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Network isolation
  • Monitoring and intrusion detection
  • Regular risk assessments

Documentation can be provided upon request.

6. Data Subject Requests

Lokos AI shall assist the Controller in fulfilling:

  • Access requests
  • Correction and deletion requests
  • Objection or restriction requests
  • Export or portability requests

Lokos AI will not respond to individuals directly unless required by law.

7. International Transfers

Where applicable, Lokos AI uses:

  • Standard Contractual Clauses (SCCs)
  • Vendor specific transfer frameworks

All transfers occur with adequate safeguards.

8. Data Retention and Deletion

Upon termination:

Lokos AI will delete or return Personal Data within 60 days, except where obligated to retain it by law.

Aggregated or anonymized data may be retained.

9. Confidentiality

All personnel or subprocessors handling Personal Data are bound by confidentiality obligations.

10. Breach Notification

If Lokos AI becomes aware of a Personal Data Breach, Lokos AI shall notify the Controller without undue delay, providing:

  • The nature of the breach
  • Likely consequences
  • Mitigation measures

11. Audits

Controller may request a summary of Lokos AI security policies.

Third party audits must be reasonable in scope, infrequent, and at the Controller's expense.

12. Liability

Liability under this DPA aligns with the limitation of liability in the main agreement unless explicitly expanded.

13. Term

This DPA remains in effect as long as Lokos AI processes Personal Data on behalf of the Controller.

14. Contact

For privacy or data protection matters, contact:

Data Protection Officer Lokos AI LLC Email: info@lokos.ai

Data Processing Addendum | Lokos AI