Data Processing Agreement

Last updated:

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms & Conditions or other written or electronic agreement between you (“Customer”) and K3X Inc. (“K3X”, “we”, “us”) governing your access to and use of the K3X platform, website, APIs, and related services (collectively, the “Services”). This DPA reflects the parties’ agreement on the processing of personal data in connection with the Services.

K3X provides an AI-native CRM that ingests, organizes, and acts on customer interactions across email, SMS, voice, and AI-driven outreach. In doing so, K3X processes personal data on behalf of, and under the instructions of, the Customer. This DPA describes how that processing is governed under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss FADP, and US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA (“CCPA”).

If there is any conflict between this DPA and the rest of the agreement, this DPA controls with respect to the processing of personal data. Capitalized terms not defined here have the meaning given in the Terms & Conditions and the Privacy Policy.

1. Definitions

“Controller”, “processor”, “data subject”, “personal data”, “processing”, “personal data breach”, “special categories of data”, and “supervisory authority” have the meanings given under applicable data protection law. For US state laws, “controller” and “processor” should be read to include “business” and “service provider” (or “contractor”) respectively. In this DPA:

  • “Customer Personal Data” means personal data that K3X processes on behalf of the Customer in providing the Services, including CRM records, contacts, leads, communications content, and related metadata.

  • “Authorized Users” means the individuals the Customer permits to access and use the Services under its account.

  • “Subprocessor” means a third party engaged by K3X to process Customer Personal Data in connection with the Services.

  • “Data Subject Request” means a request from a data subject to exercise rights under applicable data protection law (e.g., access, correction, deletion, portability, restriction, objection, or opt-out).

  • “Standard Contractual Clauses” or “SCCs” means the clauses approved by the European Commission for the transfer of personal data to third countries, together with the UK International Data Transfer Addendum and the Swiss addendum where applicable.

2. Roles of the Parties

As between the parties, the Customer is the controller (or business) and K3X is the processor (or service provider) with respect to Customer Personal Data. Where the Customer is itself acting as a processor on behalf of a third-party controller, K3X acts as a subprocessor, and the Customer is responsible for ensuring that the relevant controller has authorized this arrangement.

K3X may also act as an independent controller for limited operational data it generates in running the Services — such as account administration, billing, security logs, and aggregated, de-identified analytics used to improve the Services. That processing is governed by the K3X Privacy Policy rather than this DPA.

The Customer is responsible for establishing a lawful basis for the processing of Customer Personal Data, providing all required notices to data subjects, obtaining any necessary consents (including for marketing, SMS, voice, and AI-driven outreach), and ensuring the accuracy of the data it submits to the Services.

3. Scope and Documented Instructions

K3X will process Customer Personal Data only on the Customer’s documented instructions, including with respect to international transfers, unless required to do otherwise by applicable law (in which case K3X will inform the Customer of that legal requirement before processing, unless the law prohibits such notice). The agreement, this DPA, and the Customer’s configuration and use of the Services constitute the Customer’s complete and final documented instructions.

K3X will notify the Customer if, in its opinion, an instruction infringes applicable data protection law, unless legally prohibited from doing so. K3X will not sell Customer Personal Data and will not “share” it for cross-context behavioral advertising, and will not retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by the CCPA.

4. Details of Processing

Subject matter and duration. The subject matter is the provision of the K3X Services. Processing continues for the term of the Customer’s use of the Services and for any limited retention period described in Section 13.

Nature and purpose. K3X processes Customer Personal Data to host and operate the CRM; capture and structure interactions across email, SMS, and voice; enrich and de-duplicate records; run AI agents that draft messages, qualify leads, schedule, and route work; deliver outreach the Customer initiates; provide support; and secure the Services.

Categories of data subjects may include:

  • the Customer’s Authorized Users, employees, and contractors;

  • the Customer’s leads, prospects, customers, and other contacts;

  • recipients of communications sent through the Services; and

  • any other individuals whose personal data is contained in Customer Personal Data.

Categories of personal data may include:

  • identifiers and contact details (name, email, phone number, company, role, account IDs);

  • communications content and metadata (emails, SMS, call transcripts and recordings, timestamps, delivery and engagement data);

  • CRM records such as pipeline stage, notes, tasks, and AI-generated summaries; and

  • any other personal data the Customer or its users choose to submit.

Special categories of data and other sensitive data should not be submitted to the Services unless the parties have agreed in writing and appropriate safeguards are in place. The Customer must not upload protected health information subject to HIPAA, and K3X will not act as a Business Associate absent a separate written agreement.

5. Confidentiality

K3X ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory), access data only on a need-to-know basis, and receive appropriate data protection and security training.

6. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, K3X implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. These measures currently include, as appropriate:

  • encryption of data in transit (TLS) and at rest;

  • role-based access controls, least-privilege policies, and multi-factor authentication for administrative access;

  • network segmentation, logging, and continuous monitoring of systems;

  • vulnerability management, secure development practices, and timely patching;

  • regular backups, resilience, and disaster-recovery procedures; and

  • periodic testing, assessment, and evaluation of the effectiveness of these measures.

K3X may update its security measures from time to time provided that the updates do not materially reduce the overall level of protection. No method of transmission or storage is completely secure, and the Customer is responsible for securely configuring its account, managing its users, and protecting its credentials.

7. Subprocessors

The Customer provides a general authorization for K3X to engage subprocessors to process Customer Personal Data in connection with the Services. K3X’s subprocessors currently include cloud hosting and infrastructure providers, communications providers (including Twilio for SMS and voice and SendGrid for email), AI model and inference providers used to power K3X’s agents, analytics and error-monitoring tools, support tooling, and payment processors.

K3X will:

  • impose data protection obligations on each subprocessor that are no less protective than those in this DPA;

  • remain responsible for each subprocessor’s performance of its obligations; and

  • make an up-to-date list of subprocessors available on request and provide a mechanism to receive notice of intended changes.

The Customer may object on reasonable data protection grounds to a new subprocessor by notifying K3X before the change takes effect. If the parties cannot resolve the objection, the Customer may, as its sole remedy, terminate the affected Services.

8. AI Agents and Automated Processing

K3X’s AI agents process Customer Personal Data to draft and send communications, qualify and route leads, summarize interactions, and perform related tasks at the Customer’s direction. K3X does not use Customer Personal Data to train foundation models for the benefit of other customers, and does not permit its AI subprocessors to use Customer Personal Data submitted through the Services to train their general-purpose models.

The Customer is responsible for human oversight of AI outputs and for ensuring that its use of automated processing and outreach complies with applicable law, including consent, anti-spam, AI-disclosure, and anti-discrimination requirements as described in the Acceptable Use Policy. K3X does not use the Services to make decisions producing legal or similarly significant effects about data subjects without the Customer’s involvement.

9. International Data Transfers

K3X operates primarily in the United States and may process Customer Personal Data in the US and in other countries where it or its subprocessors operate. Where K3X transfers personal data originating in the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree that the applicable Standard Contractual Clauses are incorporated into this DPA by reference and completed as follows:

  • the Customer acts as “data exporter” and K3X as “data importer”;

  • Module Two (controller-to-processor) or Module Three (processor-to-processor) applies as appropriate;

  • the optional docking clause applies, and the data-protection-laws option governs supervision; and

  • the UK International Data Transfer Addendum and Swiss amendments apply to UK and Swiss transfers respectively.

The details of processing in Section 4, the subprocessor information in Section 7, and the security measures in Section 6 populate the relevant annexes of the SCCs. K3X will assist with transfer impact assessments and apply supplementary measures where reasonably required.

10. Assistance with Data Subject Requests

Taking into account the nature of the processing, K3X will provide reasonable assistance — through appropriate technical and organizational measures, and the self-service tools available in the Services — to help the Customer respond to Data Subject Requests, to the extent the Customer cannot address them itself.

If K3X receives a Data Subject Request directly relating to Customer Personal Data, it will not respond to the request itself (except to confirm that the request relates to the Customer) and will, without undue delay, direct the data subject to the Customer, unless legally required to act otherwise.

11. Personal Data Breach Notification

K3X will notify the Customer without undue delay, and in any event consistent with applicable law, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information reasonably available to K3X, including the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

K3X will take reasonable steps to mitigate and remediate the breach. The Customer is responsible for determining whether to notify supervisory authorities and affected data subjects and for making any such notifications. A notification of a breach is not an acknowledgment of fault or liability.

12. Data Protection Impact Assessments

Taking into account the nature of the processing and the information available to K3X, K3X will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where the Customer is required to carry these out under applicable data protection law. Assistance may be provided through documentation, security reports, and support responses.

13. Return and Deletion of Data

During the term, the Customer may access, export, and delete Customer Personal Data using the features of the Services. Following expiration or termination, K3X will delete or return Customer Personal Data within a reasonable period (currently targeted at 30 days), unless applicable law requires continued storage.

K3X may retain limited Customer Personal Data where required by law or for legitimate purposes such as enforcing agreements, resolving disputes, billing, and maintaining security and backup records, in which case the data remains protected under this DPA and is deleted on the expiry of the applicable retention period.

14. Audits and Compliance Verification

K3X will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor it mandates, in each case to the extent required by applicable data protection law.

Audit obligations may be satisfied through up-to-date certifications, third-party audit reports (such as SOC 2 or ISO 27001 where available), and security documentation. On-site audits must be requested with reasonable prior notice, occur during business hours, be limited in scope, be subject to confidentiality, and not unreasonably interfere with K3X’s operations. K3X may charge a reasonable fee for extensive or on-site audits where permitted by law.

15. US State Privacy Laws (Service Provider Terms)

With respect to personal information subject to the CCPA and similar US state laws, K3X acts as a “service provider” (or “processor”) and processes such information solely to perform the Services under the agreement. K3X will not sell or share that information, will not retain, use, or disclose it outside the direct business relationship or for any purpose other than the specified services, and will not combine it with personal information from other sources except as permitted by the CCPA. K3X certifies that it understands and will comply with these restrictions.

16. Liability

Each party’s liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the agreement, and any reference in the agreement to the liability of a party means the aggregate liability of that party under the agreement and this DPA together, except to the extent applicable law requires otherwise.

17. Term, Conflict, and Governing Law

This DPA takes effect when the Customer accepts the agreement or first uses the Services and remains in effect for as long as K3X processes Customer Personal Data. If there is a conflict between this DPA and the agreement regarding the processing of personal data, this DPA prevails. The SCCs prevail over the rest of this DPA to the extent of any conflict in respect of transfers they govern. Except as required by data protection law, this DPA is governed by the law and venue specified in the agreement.

18. Changes and Contact

We may update this DPA from time to time to reflect changes in our practices, our subprocessors, or applicable law. The “Last updated” date above reflects the most recent revision, and material changes will be communicated through the Services or by email to your account’s billing contact.

Questions about this DPA, or requests to execute a countersigned copy, can be sent to hey@k3x.ai (Attn: Data Protection).

K3X Inc. 1111B S Governors Ave., Dover, DE 19904, United States · Phone: (844) 553-9462

On this page

No headings found on page

Looking for more information?

Visit the Help Center for in-depth resources or connect with our support team.