preloader
CalliopeAI
See It in Action
About
About Calliope Developer Resources Team Careers
Pricing Blog Contact Log In Download

Data Processing Agreement

Last Edited : Jan 19, 2026

This Data Processing Agreement governs the processing of personal data by Calliope AI on behalf of customers. This DPA forms part of our Terms of Service and is designed to meet GDPR and other data protection requirements.

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Calliope Labs Inc, operating under the product name “Calliope AI” (“Calliope AI,” “Processor,” “we,” or “us”), and the entity agreeing to these terms (“Customer,” “Controller,” “you,” or “your”).

This DPA applies where Calliope AI processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, and other applicable laws.

“Controller” means the entity that determines the purposes and means of processing Personal Data.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Calliope AI in connection with the Services.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

“Processor” means an entity that processes Personal Data on behalf of a Controller.

“Services” means the services provided by Calliope AI to Customer under the Agreement.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.

“Sub-processor” means any third party engaged by Calliope AI to process Personal Data on behalf of Customer.

“UK GDPR” means the GDPR as incorporated into UK law by the Data Protection Act 2018 and the UK European Union (Withdrawal) Act 2018.

2. Scope and Roles

2.1 Scope

This DPA applies to all Processing of Personal Data by Calliope AI in connection with Customer’s use of the Services.

2.2 Roles of the Parties

  • Customer as Controller: Customer is the Controller of Personal Data submitted to or processed through the Services.
  • Calliope AI as Processor: Calliope AI is the Processor of Personal Data on behalf of Customer.

2.3 Customer’s Processing Activities

Customer may process Personal Data through the Services, including but not limited to:

  • Code and content containing Personal Data
  • Prompts submitted to AI models that may contain Personal Data
  • User data from applications built using the Services

2.4 Compliance

Each party shall comply with its obligations under Applicable Data Protection Law.

3. Processing Details

3.1 Subject Matter

Processing of Personal Data in connection with Customer’s use of the Services.

3.2 Duration

Processing will continue for the duration of the Agreement and any applicable data retention period.

3.3 Nature and Purpose

Calliope AI processes Personal Data to:

  • Provide and maintain the Services
  • Process requests and transactions
  • Provide customer support
  • Comply with legal obligations
  • Improve and develop the Services

3.4 Types of Personal Data

The types of Personal Data processed may include:

  • Identifiers (names, email addresses, usernames)
  • Contact information
  • Account credentials
  • Usage data
  • Content data (code, files, prompts)
  • Payment information
  • Communications

3.5 Categories of Data Subjects

Data Subjects may include:

  • Customer’s employees and contractors
  • Customer’s end users
  • Individuals whose data is included in content processed through the Services

4. Calliope AI’s Obligations

4.1 Processing Instructions

Calliope AI shall:

  • Process Personal Data only on documented instructions from Customer, unless required by law
  • Inform Customer if legal requirements prevent compliance with instructions
  • Process Personal Data only as necessary to provide the Services

4.2 Confidentiality

Calliope AI shall:

  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Limit access to Personal Data to personnel who need access to perform the Services

4.3 Security Measures

Calliope AI shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including those described in Annex I (Security Measures).

4.4 Sub-processor Management

Calliope AI shall:

  • Not engage a Sub-processor without Customer’s prior authorization (general authorization is given for Sub-processors listed at calliope.ai/subprocessors )
  • Notify Customer of any intended changes to Sub-processors
  • Impose data protection obligations on Sub-processors that are no less protective than this DPA
  • Remain liable for the acts and omissions of its Sub-processors

4.5 Data Subject Rights

Calliope AI shall:

  • Assist Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
  • Notify Customer promptly of any Data Subject requests received directly
  • Not respond to Data Subject requests without Customer’s authorization, unless legally required

4.6 Data Protection Impact Assessments

Calliope AI shall assist Customer with:

  • Data protection impact assessments (DPIAs)
  • Prior consultations with supervisory authorities
  • Information necessary to demonstrate compliance

4.7 Deletion and Return

Upon termination of the Agreement, Calliope AI shall, at Customer’s choice:

  • Return all Personal Data to Customer in a commonly used format
  • Delete all Personal Data (and existing copies) unless retention is required by law

Customer has 30 days following termination to request data export. After this period, Calliope AI may delete Personal Data.

4.8 Audit Rights

Calliope AI shall:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits and inspections conducted by Customer or a third-party auditor
  • Provide audit reports, certifications, or compliance documentation upon reasonable request

Audit requests must be submitted in writing with at least 30 days’ notice. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Calliope AI’s operations.

5. Customer’s Obligations

5.1 Lawful Processing

Customer represents and warrants that:

  • Customer has a lawful basis for processing Personal Data
  • Customer has provided appropriate notices to Data Subjects
  • Customer’s instructions comply with Applicable Data Protection Law

5.2 Data Subject Notices

Customer is responsible for:

  • Providing privacy notices to Data Subjects
  • Obtaining necessary consents for processing
  • Responding to Data Subject requests (with Calliope AI’s assistance as needed)

5.3 Accurate Instructions

Customer shall provide accurate and lawful instructions regarding the processing of Personal Data.

5.4 Security Cooperation

Customer shall:

  • Implement appropriate security measures for data in Customer’s control
  • Promptly notify Calliope AI of any security incidents affecting the Services
  • Cooperate with Calliope AI’s security measures and policies

6. Sub-processors

6.1 Authorized Sub-processors

Customer grants general authorization for Calliope AI to engage Sub-processors listed at calliope.ai/subprocessors .

6.2 Notification of Changes

Calliope AI shall:

  • Maintain an up-to-date list of Sub-processors at calliope.ai/subprocessors
  • Notify Customer at least 30 days before adding or replacing a Sub-processor
  • Provide notification via email to the address associated with Customer’s account

6.3 Objection Process

If Customer has a legitimate objection to a new Sub-processor:

  1. Customer must notify Calliope AI in writing within 30 days of receiving notice
  2. Customer must provide specific, documented reasons for the objection
  3. Calliope AI and Customer shall work in good faith to resolve the objection
  4. If the objection cannot be resolved, Customer may terminate the affected Services without penalty

6.4 Sub-processor Agreements

Calliope AI shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

6.5 Liability

Calliope AI remains liable to Customer for the performance of its Sub-processors’ obligations.

7. International Transfers

7.1 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, Calliope AI relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement or Addendum (for UK transfers)
  • Swiss-approved SCCs (for Swiss transfers)

7.2 SCCs Incorporated

The SCCs are incorporated into this DPA by reference. For the purposes of the SCCs:

  • Module Two (Controller to Processor) applies
  • Customer is the “data exporter”
  • Calliope AI is the “data importer”
  • The competent supervisory authority is determined by Customer’s establishment

7.3 Supplementary Measures

Calliope AI implements supplementary measures to protect Personal Data during international transfers, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Security monitoring and incident response
  • Contractual commitments from Sub-processors

7.4 Transfer Impact Assessments

Upon request, Calliope AI shall assist Customer with transfer impact assessments by providing:

  • Information about data processing locations
  • Security measures implemented
  • Legal framework assessments
  • Government access request history (to the extent permitted by law)

8. Security Measures

8.1 Technical Measures

Calliope AI implements the following technical security measures:

Access Control

  • Multi-factor authentication for administrative access
  • Role-based access controls
  • Unique user identification
  • Session management and timeout controls

Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Secure key management practices

Network Security

  • Firewalls and intrusion detection systems
  • Network segmentation
  • DDoS protection
  • Vulnerability scanning

Data Protection

  • Secure data deletion procedures
  • Backup and recovery systems
  • Data integrity checks

Monitoring

  • Security event logging
  • Anomaly detection
  • Real-time alerting

8.2 Organizational Measures

Personnel

  • Background checks for employees with data access
  • Security awareness training
  • Confidentiality agreements
  • Access termination procedures

Vendor Management

  • Security assessments for Sub-processors
  • Contractual security requirements
  • Ongoing monitoring

Incident Response

  • Documented incident response procedures
  • Incident response team
  • Regular testing and updates

Business Continuity

  • Disaster recovery planning
  • Regular backup testing
  • Redundant infrastructure

8.3 Certifications and Compliance

Calliope AI maintains the following (or equivalent) certifications and compliance:

  • SOC 2 Type II (in progress)
  • Regular third-party security assessments
  • Compliance with industry security standards

9. Personal Data Breach

9.1 Notification Timeline

Calliope AI shall notify Customer of a Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

9.2 Notification Content

Breach notifications shall include, to the extent known:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Contact information for further inquiries
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.3 Cooperation

Calliope AI shall:

  • Investigate the cause and impact of the breach
  • Take reasonable steps to mitigate harm
  • Cooperate with Customer’s breach response efforts
  • Assist Customer with notifications to supervisory authorities and Data Subjects

9.4 Documentation

Calliope AI shall document all Personal Data Breaches, including:

  • Facts relating to the breach
  • Effects of the breach
  • Remedial actions taken

9.5 Communication

Calliope AI shall not notify any supervisory authority or Data Subject directly without Customer’s prior approval, unless legally required to do so.

10. Term and Termination

10.1 Term

This DPA is effective as of the date Customer agrees to the Terms of Service and continues until the Agreement terminates or expires.

10.2 Survival

Sections 4.7 (Deletion and Return), 4.8 (Audit Rights), 7 (International Transfers), and 9 (Personal Data Breach) survive termination of this DPA.

10.3 Data Handling Post-Termination

Upon termination:

  1. Customer has 30 days to export Personal Data
  2. After the export period, Calliope AI shall delete or anonymize Personal Data
  3. Calliope AI may retain data as required by law, with continued DPA protections

Annex I: Security Measures

A. Physical Security

Measure Description
Data center security Cloud infrastructure providers (AWS, GCP, Azure) maintain SOC 2 certified facilities
Physical access controls Data centers have 24/7 security, biometric access, video surveillance
Environmental controls Fire suppression, climate control, redundant power

B. Technical Security

Measure Description
Encryption in transit TLS 1.3 for all communications
Encryption at rest AES-256 for stored data
Access authentication Multi-factor authentication, SSO support
Network security Firewalls, IDS/IPS, DDoS protection
Vulnerability management Regular scanning, penetration testing
Logging and monitoring Centralized logging, real-time alerting

C. Organizational Security

Measure Description
Personnel security Background checks, security training, NDAs
Access management Role-based access, principle of least privilege
Incident response Documented procedures, trained response team
Business continuity Disaster recovery, regular backup testing
Vendor management Security assessments, contractual requirements

Annex II: Sub-processors

The current list of Sub-processors is maintained at calliope.ai/subprocessors .

Annex III: Standard Contractual Clauses

For transfers of Personal Data from the EEA to the United States or other third countries without an adequacy decision, the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by European Commission Decision 2021/914 are incorporated by reference.

The SCCs are available at: EUR-Lex SCC Decision

Completed as follows:

  • Clause 7 (Docking clause): Optional docking clause is included
  • Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies
  • Clause 11 (Redress): Optional clause is not included
  • Clause 17 (Governing law): Laws of Ireland
  • Clause 18 (Forum): Courts of Ireland

Contact

For questions about this DPA or to exercise rights under this agreement:

Data Protection Contact Email: dpo@calliope.ai

Legal Contact Email: legal@calliope.ai

© 2026 Calliope Labs Inc. All rights reserved.

This Data Processing Agreement was last updated on May 23, 2026.

Calliope Labs Inc (c) 2026 All Rights Reserved. Powered by CONFLICT