Data Processing Agreement
Effective date: 4 May 2026
This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between the Customer (the “Controller”) and Aleix Morte Sánchez (the “Processor”) governing the processing of personal data by the Processor on behalf of the Controller in connection with the Lokuta service. It is published in compliance with article 28 of the EU General Data Protection Regulation (“GDPR”).
1. Definitions
Capitalised terms not defined here have the meaning given to them in the Terms of Service or in the GDPR. “Customer Personal Data” means personal data within the meaning of article 4(1) GDPR processed by the Processor on behalf of the Controller in the course of providing the Service. “Sub-processor” means a third party engaged by the Processor to process Customer Personal Data on its behalf. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914 of 4 June 2021.
2. Scope and roles
With respect to Customer Personal Data, the Controller acts as controller (or as processor of its own customers, in which case the Processor acts as a sub-processor) and the Processor acts as processor. The subject matter, duration, nature, purpose, types of Customer Personal Data and categories of data subjects are described in Annex I.
3. Processor obligations
3.1 Documented instructions
The Processor will process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which the Processor is subject (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits it on important grounds of public interest). The Terms of Service, this DPA and the Controller’s configuration of the Service constitute the Controller’s documented instructions. Any additional instructions must be agreed between the parties in writing.
The Processor will inform the Controller without delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
3.2 Confidentiality
The Processor ensures that any persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security of processing
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex II. The Processor may update those measures over time provided the level of protection is not reduced.
3.4 Sub-processors
The Controller grants the Processor a general written authorisation to engage Sub-processors to process Customer Personal Data, subject to the conditions set out below.
- The current list of Sub-processors is set out in Annex III.
- The Processor will impose data protection obligations on each Sub-processor by way of a written contract that is, in substance, no less protective than this DPA, and remains liable to the Controller for the performance of each Sub-processor’s obligations.
- The Processor will inform the Controller of any intended addition or replacement of Sub-processors at least 30 days before the change takes effect, by email or via an in-product notice. The Controller may object on reasonable data-protection grounds within 15 days of the notice; if the parties cannot agree on a remediation, the Controller may terminate the Service for the affected portion of processing without penalty.
3.5 Assistance with data-subject rights
Taking into account the nature of the processing, the Processor will assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests for the exercise of data subject rights under chapter III GDPR. Where a data subject contacts the Processor directly, the Processor will refer the request to the Controller without undue delay.
3.6 Assistance with security, breach notification and DPIAs
Taking into account the nature of processing and the information available to the Processor, the Processor will assist the Controller in ensuring compliance with the obligations under articles 32 to 36 GDPR. The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data, providing the information reasonably necessary for the Controller to meet its own notification obligations.
3.7 Audit
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in article 28 GDPR and will allow for and contribute to audits, including inspections. To minimise disruption, the parties agree that:
- the Controller may exercise audit rights no more than once per year (except in the case of a data breach or a regulator request, in which case the audit may be carried out promptly);
- audits must be conducted on at least 30 days’ written notice, during business hours, in a manner that does not unreasonably interfere with the Processor’s operations, and subject to reasonable confidentiality undertakings;
- the Processor may satisfy audit requests by providing copies of relevant certifications, security documentation and Sub-processor attestations.
3.8 Return or deletion
At the choice of the Controller, the Processor will delete or return all Customer Personal Data to the Controller after the end of the provision of the Service relating to processing, and will delete existing copies, unless EU or Member State law requires storage of the personal data. By default, the Processor deletes Customer Personal Data in accordance with the retention periods set out in the Privacy Policy.
4. Controller obligations
The Controller represents and warrants that it has all necessary rights, consents and lawful bases for the Processor to process Customer Personal Data as instructed, including any consents required before recording, transcribing or syncing personal data through the Service. The Controller will provide its end users with all required privacy notices.
5. International transfers
Where Customer Personal Data is transferred outside the European Economic Area to a country that has not been deemed adequate by the European Commission, the parties enter into the SCCs (Module 2 controller-to-processor or, where applicable, Module 3 processor-to-processor), which are deemed incorporated by reference into this DPA. The optional clauses are excluded; Clause 9(a) Option 2 (general written authorisation, 30 days’ notice) applies; Clause 11(a) optional language is excluded; the governing law for Clause 17 is the law of Spain; the competent forum for Clause 18 is the courts of Spain. Annex I, Annex II and Annex III of this DPA also serve as the corresponding annexes of the SCCs.
6. Liability
Each party’s liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits or restricts a data subject’s rights under the GDPR.
7. Term and termination
This DPA enters into force on the date the Controller accepts the Terms of Service and remains in force for as long as the Processor processes Customer Personal Data on behalf of the Controller. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Customer Personal Data.
8. Governing law and jurisdiction
This DPA is governed by the laws of Spain, without prejudice to the application of mandatory provisions of EU data protection law. Disputes will be subject to the exclusive jurisdiction of the courts of the city of Barcelona (Spain).
Annex I — Description of processing
A. Subject matter and duration
Subject matter: provision of the Lokuta service as described in the Terms of Service. Duration: for as long as the Controller maintains an active subscription or free Workspace, plus the retention periods set out in the Privacy Policy.
B. Nature and purpose of processing
Hosting, transmitting, transcribing, summarising and structuring Customer Content; routing data to and from HubSpot at the Controller’s instruction; managing accounts, Workspaces and billing; providing customer support and security operations.
C. Types of personal data
- identification and contact data of users;
- authentication tokens and session data;
- Customer Content (transient audio, transcripts, summaries, action items, notes, and any personal data the Controller chooses to include in them);
- data exchanged with HubSpot at the Controller’s instruction (e.g. contact, deal and engagement data);
- billing and tax-related data;
- technical and usage data (logs, IP, device).
D. Categories of data subjects
- employees, contractors and other authorised users of the Controller;
- contacts, leads, customers and other individuals about whom the Controller chooses to record notes or sync data through the Service.
E. Frequency of transfer
Continuous, for the duration of the Service.
F. Retention period
As described in the Privacy Policy, summarised in section 6 of that document.
Annex II — Technical and organisational measures
The Processor implements at least the following measures, as further described in the Privacy Policy:
- Access control. Role-based access on the principle of least privilege; multi-factor authentication for administrative access; revocation procedures upon role changes.
- Encryption. TLS 1.2 or higher for data in transit; encryption at rest for the production database and backups.
- Network security. Use of managed cloud infrastructure with defence-in-depth, web application firewall and DDoS protections at the edge.
- Application security. Code review, dependency monitoring, secret management via the platform’s secrets store, and routine security updates.
- Logging and monitoring. Centralised application and access logs; alerting on anomalies; audit trail for administrative actions.
- Backups and resilience. Encrypted backups on a rolling 30-day basis; tested restore procedures.
- Incident response. Documented breach-handling procedure with a 72-hour controller notification objective.
- Data minimisation. Audio is processed transiently and not persisted; only the resulting transcripts and notes are stored.
- Sub-processor governance. Written DPAs with each Sub-processor; review of their security posture before onboarding.
- Personnel. Confidentiality obligations and security awareness for personnel (including the sole proprietor and any contractors).
Annex III — Sub-processors
| Sub-processor | Activity | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, web analytics. | United States (with EU edge regions). |
| Database provider | Managed PostgreSQL. | European Union. |
| OpenAI | Speech-to-text and large-language-model processing. | United States. |
| HubSpot, Inc. | CRM data exchange (only when the Controller connects HubSpot). | United States / European Union. |
| Stripe Payments Europe Ltd. | Payment processing and subscription management. | Ireland and United States. |
| Resend | Transactional email delivery. | United States. |
| Google LLC | OAuth sign-in (only if used by an end user). | United States. |
The list above is current as of the effective date of this DPA. The Processor will keep an up-to-date list and will notify the Controller of any changes as described in section 3.4.