Data Processing Addendum

Last Updated: June 2026

This Data Processing Addendum (the "Addendum") forms part of, and is subject to, the Terms of Service or other written or electronic agreement between Frontier Interactions Ltd ("Kulu") and the customer entity that has agreed to those terms ("Customer", and together with Kulu, the "Parties").

This Addendum shall be effective on the effective date of the applicable agreement (the "Addendum Effective Date").

1. Introduction

The Customer acts as a Controller under applicable data protection laws. The Customer uses Kulu's platform and related services, which involve Kulu processing personal data on the Customer's behalf. The Parties wish to ensure that such processing complies with the UK GDPR, EU GDPR (as applicable), and the UK Data Protection Act 2018. This Addendum sets out their respective rights and obligations.

2. Definitions

Unless otherwise defined herein, the following terms have the meanings set out in the UK GDPR:

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Supervisory Authority", and other related terms shall have the meanings assigned in the UK GDPR.

"Controller Personal Data" means any Personal Data processed by Kulu on behalf of the Customer.

"Sub-processor" means any person or entity appointed by Kulu to process Personal Data on behalf of the Customer.

"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable privacy laws.

"Services" means the services provided by Kulu under the Agreement.

"Privacy Policy" means Kulu's privacy policy applicable to the Services, as updated from time to time.

"Confidential Information" means all non-public information disclosed by one Party to the other in connection with this Addendum, whether or not marked as confidential.

3. Processing of Data

Kulu shall:

  • process Controller Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do so by applicable law, in which case Kulu shall, where legally permitted, inform the Customer before processing;
  • comply with all applicable Data Protection Laws;
  • ensure all persons authorised to process Personal Data are bound by confidentiality obligations.

The Customer instructs Kulu to process Personal Data as necessary for providing the Services, including meeting initialization, workflow tracking, and onboarding analytics. No special-category data (Article 9, UK GDPR) is intended to be processed. Where Kulu considers that an instruction infringes Data Protection Laws, it shall promptly inform the Customer.

Kulu shall not use Controller Personal Data to train, retrain, fine-tune, or improve any artificial intelligence or machine learning model, whether or not such data is anonymised or de-identified. Kulu shall only engage Sub-processors that are contractually committed to the same restriction.

4. Security Measures

Kulu shall implement technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access control, and regular review of access privileges.

5. Subprocessing

The Customer authorises the use of Sub-processors as reasonably necessary for the Services.

The current list of Sub-processors is set out in Annex 2 (Sub-processors). Kulu may update such list from time to time in accordance with this Section.

Kulu shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this Addendum, including the restriction on using Personal Data to train, retrain, fine-tune, or improve any AI or machine learning model set out in Section 3. Kulu shall give the Customer at least seven (7) days' prior notice of any intended addition or replacement of a Sub-processor, during which the Customer may object on reasonable data-protection grounds. Kulu shall remain fully liable for the acts and omissions of its Sub-processors.

6. Data Subject Rights

Kulu shall assist the Customer, taking into account the nature of the Processing and by appropriate technical and organisational measures insofar as possible, in responding to requests to exercise Data Subject rights, including access, rectification, restriction, erasure, objection, and portability.

7. Personal Data Breach Notification

Kulu shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a Personal Data Breach, and shall provide the Customer with sufficient information to enable it to meet its own notification obligations under Data Protection Laws.

8. Data Protection Impact Assessments

Kulu shall assist the Customer with DPIAs and supervisory-authority consultations where required (Articles 35–36, UK/EU GDPR), limited to Kulu's processing activities and available information.

9. Return or Deletion of Data

Upon termination of the Agreement or upon the Customer's written request, Kulu shall, within thirty (30) days, delete or return all Controller Personal Data (and all copies) unless retention is required by law. Session Recordings and related session content shall in any event be retained and deleted in accordance with the retention periods set out in the Agreement and the Privacy Policy. Kulu shall, at the Customer's written request, certify in writing that it has complied with this Section.

10. Audit and Compliance

Kulu shall, upon the Customer's reasonable written request (no more than once in any twelve (12)-month period, save where required by a Supervisory Authority or following a Personal Data Breach), make available such information in its possession as is reasonably necessary to demonstrate compliance with this Addendum. This obligation may be satisfied by providing relevant third-party certifications, audit reports, or security documentation to the extent available. Where any such certification or audit is in progress, Kulu shall inform the Customer of its status and provide the relevant certification or report promptly once it is issued.

Where the Customer reasonably demonstrates that the information made available is insufficient to demonstrate compliance, Kulu shall allow for and contribute to an audit by the Customer (or an independent auditor it mandates, who shall not be a competitor of Kulu) on reasonable prior written notice, during normal business hours, no more than once per year, in a manner that does not disrupt Kulu's operations, and subject to the confidentiality obligations under this Addendum. Any information made available or obtained under this Section shall be treated as Kulu's Confidential Information.

11. International Data Transfers

Personal Data may be transferred outside the UK or EEA under the UK International Data Transfer Addendum (IDTA) or EU Standard Contractual Clauses (SCCs), as applicable. Kulu shall ensure that any such transfer is subject to an appropriate transfer mechanism (the UK IDTA, EU SCCs, or an adequacy decision) before the transfer takes place.

12. Confidentiality

Each Party shall treat as confidential all information received from the other Party in connection with this Addendum, except where disclosure is required by law or where information is already public. Kulu shall ensure that any personnel, agents, or sub-processors are subject to confidentiality obligations no less protective than those set out in this Addendum.

13. Liability

Each Party's liability under or in connection with this Addendum is subject to the exclusions and limitations of liability set out in the Agreement.

14. Order of Precedence

This Addendum forms part of the Agreement. In the event of any conflict or inconsistency between this Addendum and the Agreement in respect of the Processing of Personal Data, this Addendum shall prevail.

15. Contacts

All data protection and security-related communications shall be directed to: support@heykulu.ai

16. Notices

All notices under this Addendum shall be in writing and sent by email to the contact addresses provided by the Parties.

17. Governing Law and Jurisdiction

This Addendum is governed by the laws of England and Wales. Any dispute shall be submitted to the exclusive jurisdiction of the courts of England and Wales.


Annex 1 – Details of Processing

  1. Subject matter: Kulu's hosting, processing and transmission of Controller Personal Data in order to provide the Kulu Portal and Kulu Meet under the Agreement.

  2. Duration of Processing: For the term of the Agreement and the applicable retention periods set out in the Agreement and the Privacy Policy, after which Controller Personal Data is deleted or returned in accordance with Section 9.

  3. Nature and purpose of Processing: Delivery of real-time AI voice onboarding guidance, including meeting initialization, workflow tracking, screen awareness, contextual guidance and onboarding analytics; account authentication and security; billing and subscription management; and service monitoring, debugging, quality assurance and support. Controller Personal Data is not used to train, retrain, fine-tune or improve any AI or machine learning model (Section 3).

  4. Categories of Data Subjects:

  • (a) the Controller's authorised users who administer or use the Services; and
  • (b) end users who participate in onboarding sessions via Kulu Meet.
  5. Types of Controller Personal Data:

| Category | Description / Examples |
| --- | --- |
| Account & identification data | Email address, name, organisation name and details, authentication tokens and access tokens. |
| Voice & transcription data | Audio captured from the user's microphone, speech-to-text transcripts, and AI-generated responses. |
| Video recordings | Where enabled by an authorised user (audio-only by default). |
| Screen-sharing data | Visual content of a shared screen, processed in real time and not retained. |
| Knowledge base content | File contents, extracted text, and generated embeddings uploaded by the Controller. |
| Chat & interaction data | User questions, AI responses, timestamps, and interaction metadata. |
| Usage analytics | Page views, UI interactions, session recordings (limited to the Kulu Meet interface; sensitive input fields and any screen-sharing content are fully masked), browser/OS/device information, internal user ID, and email address (where the end user authenticates via email). |
| End-user data | Name, email address, and internal user ID, where provided, together with onboarding funnel events generated through use of the Services (e.g. session opened, join, mute, unmute, screen-share, leave). |
| Technical & operational data | API logs, performance metrics, and error/diagnostic data. |
| Billing data | Subscription plan, payment method type, billing cycle, and charge outcomes/retry attempts. Full card numbers are processed by Stripe and not stored by the Processor. |

  6. Special categories of Personal Data: None. No special-category data (Article 9, UK GDPR) is intended to be processed.

  7. Frequency of Processing: Continuous, for the duration of the Controller's subscription.


Annex 2 – Sub-processors

The Controller authorises the Sub-processors listed below in accordance with Clause 6 (Subprocessing). The current list may be updated in accordance with Clause 6. Transfers to Sub-processors located outside the UK or EEA are subject to the safeguards set out in Clause 12 (International Data Transfers).

| Sub-processor | Location | Purpose |
| --- | --- | --- |
| OpenAI | USA | AI & ML Services |
| Stripe | USA / EU / UK | Payments |
| Google Workspace | USA / Global | Business Apps & Productivity |
| ElevenLabs | USA | Voice Synthesis |
| Deepgram | USA | Voice Transcription |
| LiveKit | USA / Global | Real-time Communication |
| Auth0 | USA / EU | Identity & Access Management |
| Google Cloud Platform | UK / EU / USA | AI & ML Services |
| Amazon Web Services | UK (eu-west-2, London) | Cloud Infrastructure & Platform Services |
| Datadog | USA / EU | Logging & Observability |
| PostHog | USA / EU | Business Apps & Productivity |
| Slack | USA | Business Apps & Productivity |
| Langfuse | EU | LLM Observability |