Casola
Home Products Pricing Enterprise Docs
Dashboard
Home Products Pricing Enterprise Docs Dashboard

Data Processing Addendum

Last updated: June 18, 2026

1. Roles and Scope

For End-User personal data processed through the Service, the Customer is the controller (or business) and Casola is the processor (or service provider). The Customer determines the purposes and means of processing within its product; Casola processes only to provide the Service and on the Customer’s documented instructions, which include these Terms and the API calls the Customer makes. This DPA does not apply to data for which Casola is an independent controller (Section 9).

2. Subject Matter and Details

The subject matter, duration, nature and purpose of processing, categories of data subjects (End Users), and types of personal data are set out in Annex A. The processing lasts for the term of the Terms plus the deletion period in Section 8.

3. Processor Obligations

Casola will: (a) process End-User personal data only on the Customer’s documented instructions; (b) ensure persons authorized to process it are bound by confidentiality; (c) implement the technical and organizational measures in Annex B; (d) assist the Customer, as reasonable, with data-subject requests and with the Customer’s security, breach-notification, and impact-assessment obligations; (e) not engage sub-processors except per Section 4; and (f) make available information reasonably necessary to demonstrate compliance and allow audits per Section 7. If Casola believes an instruction violates applicable law, it will inform the Customer.

4. Sub-processors

The Customer provides general authorization for Casola to engage sub-processors (e.g., hosting and model-inference compute) listed at Annex C. Casola will impose data-protection terms substantially as protective as this DPA, remain liable for its sub-processors, and give the Customer at least 30 days’ notice of additions or replacements, during which the Customer may object on reasonable data-protection grounds.

5. Data-Subject Requests

Casola will, taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures to respond to End-User requests to exercise their rights. End Users should direct requests to the Customer; if an End User contacts Casola directly, Casola will refer them to the Customer (except where Casola acts as controller under Section 9).

6. Personal Data Breach

Casola will notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal-data breach affecting End-User data, with the information reasonably available to help the Customer meet its notification duties.

7. Audit

Casola will make available compliance information and allow audits: typically by providing third-party reports/certifications, and otherwise via reasonable, confidential audits on advance notice not more than once per year absent a regulator requirement or a known incident.

8. Return and Deletion

On termination, Casola will, at the Customer’s choice, delete or return End-User personal data and delete existing copies within 30 days, except to the extent retention is required by law or relates to the safety/legal-compliance records described in Section 9.

9. Casola as Independent Controller (Safety and Legal Compliance)

The Customer acknowledges that, because Casola generates and transmits content, Casola acts as an independent controller for the limited processing necessary to: scan Inputs and Outputs for child sexual abuse material and other prohibited content; preserve and report suspected CSAM to NCMEC and/or authorities (e.g., under 18 U.S.C. §2258A); prevent fraud, abuse, and security incidents; and comply with Casola’s own legal obligations. For this processing Casola acts on its own legal duties, not the Customer’s instructions, and these activities (including retention and reporting) are not subject to the Customer’s deletion instructions or to Sections 3–8 where they would conflict.

10. International Transfers

Where processing involves a restricted transfer, the parties will rely on an appropriate transfer mechanism (e.g., the EU Standard Contractual Clauses / UK Addendum), completed at Annex D and incorporated by reference.

11. CCPA/CPRA

To the extent US state privacy law applies, Casola acts as a service provider (or contractor): it will not sell or share End-User personal data, will not retain, use, or disclose it except to perform the Service or as permitted by law, and will not combine it with data from other sources except as permitted. The safety/legal-compliance processing in Section 9 is a permitted business purpose.

12. Liability and Conflicts

Liability under this DPA is subject to the limitations in the Terms. If this DPA conflicts with the Terms on the processing of End-User personal data, this DPA controls.


Annex A: Details of Processing

Subject matter: provision of avatar/companion generation via the API. Duration: the term of the Terms plus the deletion period (Section 8). Nature/purpose: generation, transmission, and safety screening. Data subjects: Customer’s End Users. Personal data: prompts and messages, any voice or images uploaded to condition an avatar, and technical identifiers. Special categories (Art. 9 GDPR): possible incidentally. Lawful basis: Art. 9(2)(a) explicit consent, obtained by the Customer from End Users prior to use. The Customer is responsible for documenting and maintaining that consent and for conducting a DPIA where required.

Annex B: Technical and Organizational Measures

Encryption in transit and at rest; role-based access controls and scoped, short-lived credentials; network controls and logging (Cloudflare edge); restricted access to moderation data; documented incident-response procedures; and personnel confidentiality obligations and security training.

Annex C: Approved Sub-processors

Cloudflare, Inc.: hosting, edge, and CDN (US). Third-party GPU compute provider: model-inference infrastructure (Casola runs its own models on this rented compute). Hive AI: content moderation and CSAM detection (US). Stripe, Inc.: B2B payment processing, Customer billing only (US).

Casola will provide the current named list of sub-processors (including the specific GPU/model-inference provider) to Customers on request.

Annex D: Transfer Mechanism

This Annex applies only where a Customer routes EU/UK End-User personal data through the Service (Casola is US-established; the transfer therefore requires a lawful mechanism under GDPR Art. 46 / UK GDPR Art. 46).

Transfer mechanism: EU Standard Contractual Clauses pursuant to Regulation (EU) 2016/679 (Commission Decision 2021/914), Module 2: Controller-to-Processor, incorporated into this DPA by reference and completed by the schedules below. For UK transfers: the EU SCCs as supplemented by the UK Addendum to the EU SCCs (ICO template, in force 21 March 2022), with the UK Addendum tables completed at signing.

Optional clause elections (Module 2):

  • Clause 7 (docking clause): not included.
  • Clause 9(a) (sub-processor authorisation): Option 2 — general written authorisation; Casola gives the Customer at least 30 days’ notice of sub-processor additions or replacements (DPA Section 4).
  • Clause 11 (redress): optional language not included.
  • Clause 17 (governing law): the law of the EU member state in which the Customer is established.
  • Clause 18 (choice of forum): the courts of the EU member state in which the Customer is established.

Schedule 1 — Annex I to the SCCs

I.A — List of Parties

Data exporter (Controller)Data importer (Processor)
Name[Customer legal entity — completed at signing]Casola
Address[Customer address — completed at signing]2261 Market Street STE 18830, San Francisco, CA 94114
Contact[Customer privacy contact — completed at signing]privacy@casola.ai
Activities relevant to the transferOperates a product that uses the Casola API to generate avatar/companion content for End Users.Provides avatar/companion generation, transmission, and safety-screening via API.
RoleControllerProcessor
Signature and date[Completed at signing][Completed at signing]

I.B — Description of the Transfer

Categories of data subjects: End Users of the Customer’s product who interact with, or whose data is submitted to, the Service.

Categories of personal data: prompts and messages; voice recordings and images uploaded to condition an avatar; technical identifiers (session IDs, IP addresses, user-agent strings).

Special-category data (Art. 9 GDPR): possible incidentally. Lawful basis and Customer obligations: see DPA Annex A.

Nature and purpose of processing: generation, real-time transmission, and safety screening of AI avatar and companion content on the Customer’s behalf; ancillary logging for security, rate-limiting, and abuse prevention.

Duration: for the term of the Terms plus the deletion period in DPA Section 8; safety and legal-compliance records per DPA Section 9.

For onward transfers to sub-processors: as set out in Schedule 3 below.

I.C — Competent Supervisory Authority

The supervisory authority of the EU member state in which the Customer is established, or (where the Customer is not EU-established) the supervisory authority of the EU member state in which the Customer’s End Users are primarily located. Customer to confirm at signing.


Schedule 2 — Annex II to the SCCs: Technical and Organisational Measures

The technical and organisational measures set out in DPA Annex B are incorporated here by reference and constitute Annex II to the SCCs.


Schedule 3 — Annex III to the SCCs: List of Sub-Processors

The sub-processors set out in DPA Annex C are incorporated here by reference and constitute Annex III to the SCCs. General authorisation for those sub-processors is granted; Casola will notify the Customer of additions or replacements with at least 30 days’ notice per DPA Section 4.

We use analytics cookies to improve casola.ai. Cookie Policy

Casola

© Casola. Real-time avatar and video APIs.

DocsPrivacyTermsDPAAcceptable UseCookiesContact