Last Updated: [Insert date]
This Data Processing Agreement ("DPA") describes how the provider trading as Keldr ("Keldr," "we," "us," or "our") processes Customer Personal Data when customers use Keldr's local-first AI transcription, optional cloud transcription, AI scheduling, workflow automation, integrations, support, and related services.
This DPA forms part of the Services Agreement between Keldr and the customer using Keldr's services ("Customer," "you," or "your"). Customer agrees to this DPA by entering into the Services Agreement, signing an order form that incorporates this DPA, or using the Services where Keldr processes personal data on Customer's behalf. This DPA applies to Keldr's website, applications, local-first software, hosted services, cloud services, transcription services, AI scheduling features, workflow automation, integrations, APIs, support, and related services (collectively, the "Services").
This DPA is designed to meet processor contract requirements under applicable Data Protection Laws, including Article 28 of the GDPR, the UK GDPR, Australian privacy law where applicable, and similar privacy and data protection laws. If Customer has a separate signed data processing agreement with Keldr, that signed agreement controls to the extent of any conflict.
1. Definitions
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.
"Customer Content" means audio, video, recordings, meeting content, transcripts, captions, speaker labels, titles, summaries, notes, action items, tasks, calendar information, workflow inputs and outputs, files, metadata, integrations data, prompts, comments, configuration data, and other content submitted to, generated through, or processed by the Services by or for Customer.
"Customer Personal Data" means personal data, personal information, or personally identifiable information contained in Customer Content or otherwise processed by Keldr on Customer's behalf as a processor, service provider, contractor, or subprocessor under the Services Agreement.
"Data Protection Laws" means all privacy, data protection, data security, breach notification, and similar laws applicable to Keldr's processing of Customer Personal Data under the Services Agreement, which may include Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and other applicable U.S. state privacy laws.
"DPA" means this Data Processing Agreement, including its annexes.
"Local-First Processing" means processing performed on Customer-controlled devices, Customer-controlled infrastructure, or other environments where Customer retains primary control over storage and processing location, subject to the product configuration selected by Customer.
"Security Incident" means a confirmed breach of security of Keldr's systems that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attempts, or similar events.
"Services Agreement" means Keldr's Terms of Service, order form, subscription agreement, master services agreement, statement of work, or other written agreement governing Customer's use of the Services.
"Subprocessor" means a third party engaged by Keldr to process Customer Personal Data on Keldr's behalf. Subprocessors do not include providers selected, contracted, deployed, or configured directly by Customer.
2. Roles of the Parties
2.1 Customer as controller. For Customer Personal Data, Customer is the controller and Keldr is the processor, except where applicable law uses equivalent terms such as business/service provider, controller/processor, or principal/agent.
2.2 Customer as processor. If Customer acts as a processor for another controller, Keldr acts as Customer's subprocessor. Customer is responsible for ensuring that its instructions to Keldr are authorized by the relevant controller.
2.3 Keldr as independent controller. Keldr acts as an independent controller for personal data that Keldr processes for its own business purposes rather than on Customer's behalf, including account administration, billing, sales, marketing, website analytics, security, fraud prevention, product analytics, service communications, legal compliance, and business operations. Keldr's Privacy Policy governs that processing.
2.4 Customer control over content. Customer decides what to record, upload, transcribe, summarize, schedule, automate, integrate, store, delete, or otherwise process through the Services. Keldr does not determine the purposes for which Customer records, transcribes, or automates workflows, and does not decide what personal data Customer includes in Customer Content.
3. Customer Instructions
3.1 Documented instructions. Keldr will process Customer Personal Data only on Customer's documented instructions, including the Services Agreement, this DPA, Customer's product settings, Customer's use of the Services, and written instructions submitted through support or other agreed channels.
3.2 Scope of instructions. Customer instructs Keldr to process Customer Personal Data to provide, secure, maintain, support, troubleshoot, and improve the Services for Customer, including local transcription features, optional cloud transcription features, AI scheduling, workflow automation, integrations, synchronization, identity and access management, billing, abuse prevention, compliance, reliability, and performance.
3.3 Illegal instructions. Keldr will notify Customer if Keldr believes an instruction violates Data Protection Laws, unless legally prohibited from doing so.
3.4 Product configuration as instruction. Customer's configuration choices are documented instructions. These may include whether to use Local-First Processing, optional cloud services, customer-managed storage, third-party transcription providers, AI model providers, calendar integrations, workflow integrations, retention settings, sharing settings, access controls, or other available controls.
4. Local-First Services, Optional Cloud Services, and AI Features
4.1 Local-first design. Keldr is designed to support local-first transcription and workflow use cases. Depending on Customer's product configuration, certain Customer Content may be processed or stored locally on Customer-controlled devices or infrastructure rather than being sent to Keldr-hosted cloud infrastructure.
4.2 Optional cloud usage. Customer may choose to enable optional cloud features, which may include hosted transcription, storage, synchronization, backup, remote access, AI summarization, AI scheduling, workflow automation, integrations, or managed support. When Customer enables these features, Customer instructs Keldr to process the relevant Customer Personal Data through Keldr systems and applicable Subprocessors.
4.3 Cloud transcription and human transcription. If Customer purchases or enables paid cloud transcription or transcription services, Keldr may process audio, video, recordings, transcripts, metadata, and related Customer Content to provide those services. Where human review or manual transcription is offered, Keldr will only use authorized personnel or approved service providers subject to confidentiality and appropriate data protection obligations.
4.4 AI scheduling and workflows. Keldr's AI scheduling and workflow features may process meeting content, transcripts, calendars, contacts, availability information, tasks, action items, emails, messaging metadata, CRM data, project management data, prompts, and integration outputs, depending on Customer's configuration. Customer is responsible for confirming that each integration, automation, and workflow is appropriate for Customer's legal, employment, confidentiality, and regulatory obligations.
4.5 No training of general-purpose models using Customer Content. Keldr will not use Customer Content in identifiable form to train general-purpose AI models or third-party AI models unless Customer expressly enables a feature that permits that training, provides documented instructions to do so, or the data has been aggregated or de-identified so that it is no longer Customer Personal Data.
4.6 Improvement of the Services. Keldr may use telemetry, metadata, usage information, diagnostics, performance information, and aggregated or de-identified information to operate, secure, analyze, maintain, and improve the Services. Keldr will not use Customer Content in identifiable form to train generalized models except as described in Section 4.5.
4.7 AI outputs. Customer is responsible for reviewing AI-generated outputs before relying on them, including transcripts, summaries, speaker labels, action items, scheduling recommendations, workflow results, and integration actions. Keldr does not guarantee that AI-generated outputs will be complete, accurate, or suitable for any legal, medical, financial, employment, or other regulated purpose.
5. Customer Responsibilities
5.1 Compliance. Customer is responsible for complying with Data Protection Laws in its use of the Services, including providing required notices, obtaining required consents, choosing an appropriate legal basis, respecting recording and wiretapping laws, complying with workplace surveillance and employment laws, honoring data subject rights, and ensuring that Customer Content is lawful.
5.2 Recording and meeting notice. Customer is responsible for notifying participants and obtaining any required consents before recording, transcribing, summarizing, monitoring, or analyzing meetings, calls, conversations, or other communications.
5.3 Configuration. Customer is responsible for configuring the Services for Customer's compliance needs, including whether to use local-only processing, optional cloud processing, customer-managed storage, Keldr-managed storage, retention controls, access permissions, sharing controls, AI features, calendar integrations, workflow integrations, or other available controls.
5.4 Regulated data. Customer will not submit special categories of personal data, sensitive information, criminal conviction data, protected health information, children's data, financial account data, government identifiers, or other regulated data unless Customer has determined that its use of the Services is lawful and appropriate for that data and has implemented all required safeguards.
5.5 Customer systems. For Local-First Processing, self-hosted deployments, customer-managed storage, customer-managed identity providers, customer-managed cloud accounts, or Customer-selected integrations, Customer is responsible for the security, configuration, backups, deletion, access controls, and legal compliance of systems and providers under Customer's control.
5.6 Integration permissions. Customer is responsible for ensuring that any third-party application, calendar, communication platform, CRM, helpdesk, project management tool, storage system, or workflow tool connected to Keldr is authorized and configured appropriately.
6. U.S. State Privacy Terms
6.1 To the extent Customer Personal Data is personal information governed by U.S. state privacy laws and Customer is a business or controller under those laws, Keldr will process that information as a service provider, contractor, or processor for the limited and specified business purposes described in this DPA and the Services Agreement.
6.2 Keldr will not sell or share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the business purposes described in this DPA and the Services Agreement, or combine Customer Personal Data with personal information from other sources, except as permitted by applicable U.S. state privacy laws.
6.3 Keldr will provide the level of privacy protection required of service providers, contractors, or processors under applicable U.S. state privacy laws and will notify Customer if Keldr determines it can no longer meet those obligations.
7. Confidentiality
7.1 Keldr will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.
7.2 Keldr will limit access to Customer Personal Data to personnel who need access to provide, secure, support, maintain, troubleshoot, or improve the Services for Customer, or to comply with law.
8. Security Measures
8.1 Keldr will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex II.
8.2 Customer acknowledges that security measures may evolve over time, provided that Keldr does not materially decrease the overall security of the Services during the applicable subscription term.
8.3 Security responsibilities may differ depending on whether Customer uses Local-First Processing, Keldr-managed cloud services, customer-managed infrastructure, or third-party integrations. Customer remains responsible for the systems, devices, accounts, credentials, storage locations, and integrations under Customer's control.
9. Subprocessors
9.1 Customer grants Keldr general written authorization to engage Subprocessors to process Customer Personal Data.
9.2 Keldr will require each Subprocessor to protect Customer Personal Data under written terms that are at least as protective as the applicable data-processing obligations in this DPA.
9.3 Keldr remains responsible for each Subprocessor's performance of its data-processing obligations, except to the extent an issue is caused by Customer's instructions, Customer-selected providers, Customer-controlled infrastructure, or Customer's breach of the Services Agreement.
9.4 Keldr maintains its current Subprocessor list through Keldr's trust, security, legal, or Subprocessor documentation, which may be made available publicly, through a trust portal, through account access, or on request. That list is the source of truth for Keldr Subprocessor names, service categories, processing purposes, processing locations where provided, and related transfer information where applicable.
9.5 Keldr will provide notice of new or replacement Subprocessors by updating its trust, security, legal, or Subprocessor documentation, through trust portal notifications where available, by account or email notice, or through another reasonable notice mechanism.
9.6 Customer may object to a new or replacement Subprocessor within 30 days after notice if Customer has reasonable data protection grounds for the objection. Keldr will use reasonable efforts to address the objection. If Keldr cannot reasonably address the objection, Customer's sole remedy is to stop using the affected Service feature or terminate the affected portion of the Services before the new or replacement Subprocessor is used for Customer Personal Data.
9.7 Providers selected, contracted, deployed, or configured directly by Customer, including Customer's own cloud provider, storage bucket, identity provider, calendar provider, email provider, CRM, workflow tool, self-hosted infrastructure, device, local model, or customer-managed AI provider, are not Keldr Subprocessors.
10. International Transfers
10.1 Customer authorizes Keldr and its Subprocessors to process Customer Personal Data in the locations where Keldr, its Affiliates, and its Subprocessors maintain operations, subject to this DPA and Data Protection Laws.
10.2 Where Data Protection Laws require a transfer mechanism for a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been found to provide an adequate level of protection, the parties agree to use the applicable Standard Contractual Clauses, the UK International Data Transfer Addendum, a valid adequacy mechanism, a recognized data privacy framework to the extent applicable, or another valid transfer mechanism.
10.3 For EEA transfers, the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 apply as follows: Module Two applies where Customer is a controller and Keldr is a processor; Module Three applies where Customer is a processor and Keldr is a subprocessor; Clause 7 is deemed omitted unless the parties agree otherwise; Clause 9 uses general written authorization with the notice period in Section 9; Clause 11 optional language is omitted; and the annexes are completed by Annexes I, II, and III of this DPA.
10.4 For the Standard Contractual Clauses, Customer is the data exporter and Keldr is the data importer, unless the parties agree otherwise for a specific transfer. The parties' contact details are the contact details in the Services Agreement, applicable account, or order document. The competent supervisory authority, governing law, and competent courts are determined under the applicable Standard Contractual Clauses.
10.5 For UK transfers, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses applies as required by UK Data Protection Laws, with its tables completed by the Services Agreement, this DPA, and Keldr's trust, security, legal, or Subprocessor documentation where applicable.
10.6 For Swiss transfers, references to the GDPR are deemed to include the Swiss Federal Act on Data Protection, references to EU supervisory authorities are deemed to include the Swiss Federal Data Protection and Information Commissioner, and data subjects in Switzerland may exercise and enforce their rights as required by Swiss law.
10.7 Keldr will provide reasonable information available to it to help Customer assess transfer risks and safeguards. Customer remains responsible for determining whether its use of the Services satisfies Customer's transfer obligations. Keldr will notify Customer if Keldr determines it can no longer comply with an applicable transfer mechanism.
11. Data Subject Requests
11.1 Keldr will, taking into account the nature of the processing, provide reasonable assistance to help Customer respond to requests from data subjects exercising rights under Data Protection Laws.
11.2 If Keldr receives a request directly from a data subject regarding Customer Personal Data, Keldr will either direct the data subject to Customer or notify Customer, unless legally prohibited from doing so.
11.3 Customer is responsible for responding to data subject requests. Keldr will not independently respond to a request for Customer Personal Data except to confirm that the request relates to Customer, to direct the requester to Customer, or as legally required.
12. Assistance With Compliance
12.1 Keldr will provide reasonable assistance, taking into account the nature of the processing and the information available to Keldr, to help Customer meet Customer's obligations relating to security, personal data breach notification, data protection impact assessments, transfer assessments, and prior consultation with supervisory authorities.
12.2 Keldr may charge a reasonable fee for assistance that requires material effort beyond standard product functionality or support, unless prohibited by Data Protection Laws or the Services Agreement.
13. Security Incident Notification
13.1 Keldr will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and, where feasible, within 72 hours after becoming aware of the Security Incident.
13.2 Keldr's notification will include information reasonably available to Keldr, which may include the nature of the incident, affected data categories, affected data subjects, likely consequences, measures taken or proposed, and a contact point for follow-up.
13.3 Keldr will take reasonable steps to contain, investigate, remediate, and mitigate the effects of a Security Incident.
13.4 Keldr's notification of or response to a Security Incident is not an admission of fault or liability.
13.5 Security incidents affecting Customer-controlled devices, Customer-managed storage, Customer-managed infrastructure, Customer-selected providers, or Customer-configured integrations are Customer's responsibility unless caused by Keldr's breach of this DPA.
14. Return and Deletion
14.1 During the term of the Services Agreement, Customer may access, export, or delete Customer Personal Data using the functionality made available in the Services.
14.2 After termination or expiration of the Services Agreement, Keldr will delete or return Customer Personal Data in accordance with the Services Agreement and Customer's documented instructions, unless retention is required by law.
14.3 Deleted Customer Personal Data may remain in backups, logs, or archives for a limited period until overwritten or deleted through Keldr's normal retention cycles. During that period, Keldr will protect the retained data under this DPA and use it only for backup, recovery, security, legal compliance, or as otherwise required by law.
14.4 For Local-First Processing, self-hosted deployments, customer-managed storage, customer-managed devices, or Customer-selected providers, Customer is responsible for deleting Customer Personal Data from infrastructure, backups, logs, caches, devices, and providers under Customer's control.
15. Audits and Information
15.1 Keldr will make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation, product information, Subprocessor information, transfer information, and other materials available through Keldr's trust, security, legal, or product documentation, support channels, account notices, or other reasonable mechanisms.
15.2 If that information is not enough to demonstrate compliance with this DPA, Customer may request an audit no more than once per calendar year, unless Data Protection Laws require more frequent access or the request follows a Security Incident.
15.3 Keldr may require the audit to begin as a remote documentation-based review. Any audit must be conducted during normal business hours, with reasonable advance notice, by Customer or an independent auditor bound by confidentiality, and in a way that does not compromise the security, availability, confidentiality, or privacy of Keldr, the Services, or any other customer.
15.4 Customer will bear its audit costs unless the audit reveals a material breach of this DPA by Keldr. Customer may not conduct penetration tests, vulnerability scans, social engineering, or physical security reviews without Keldr's prior written approval.
16. Government and Third-Party Requests
16.1 If Keldr receives a legally binding request from a government, regulator, court, law enforcement authority, or third party for Customer Personal Data, Keldr will notify Customer before disclosure unless legally prohibited or unless notice would create a risk of harm.
16.2 Keldr will review the request and, where appropriate, seek to limit or challenge it.
16.3 Keldr will not voluntarily disclose Customer Personal Data to a government authority except as required by law or with Customer's documented instructions.
17. Records
17.1 Keldr will maintain records of processing activities as required by Data Protection Laws.
17.2 Customer is responsible for maintaining its own records of processing, including its purposes, legal bases, categories of data subjects, categories of personal data, retention periods, recipients, and transfer mechanisms.
18. Order of Precedence
18.1 If there is a conflict between this DPA and the Services Agreement, this DPA controls for the processing of Customer Personal Data.
18.2 If there is a conflict between this DPA and the applicable Standard Contractual Clauses or another mandatory transfer mechanism, the Standard Contractual Clauses or mandatory transfer mechanism controls for the relevant transfer.
19. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability in the Services Agreement, except to the extent prohibited by Data Protection Laws or the applicable Standard Contractual Clauses.
20. Changes to This DPA
Keldr may update this DPA from time to time, provided that updates do not materially reduce Keldr's obligations for Customer Personal Data during an active subscription term unless required by law or agreed by Customer. Keldr will post the updated DPA and update the "Last Updated" date.
21. Contact
For questions about this DPA, data protection, or Subprocessor information, contact Keldr at:
Email: [insert privacy or support email]
Trading name: Keldr
Annex I: Details of Processing
A. Subject Matter
Keldr's provision of the Services under the Services Agreement, including local-first AI transcription, optional cloud transcription, AI scheduling, workflow automation, integrations, support, and related services.
B. Duration
The term of the Services Agreement and any period during which Keldr processes Customer Personal Data under Customer's documented instructions or as required by law.
C. Nature and Purpose
Providing, operating, hosting, storing, synchronizing, transcribing, diarizing, captioning, summarizing, extracting action items, scheduling, automating workflows, integrating with Customer-selected systems, securing, supporting, troubleshooting, maintaining, and improving the functionality, safety, reliability, and performance of the Services.
D. Processing Operations
Collection, receipt, recording, upload, download, local processing, cloud processing, storage, retrieval, access, organization, structuring, hosting, synchronization, transcription, speech-to-text processing, diarization, summarization, classification, scheduling, workflow execution, transmission, disclosure to authorized recipients, restriction, encryption, deletion, and other operations necessary to provide the Services.
E. Categories of Data Subjects
Customer's administrators, employees, contractors, workspace members, meeting participants, call participants, invited users, guests, prospects, customers, clients, patients, suppliers, support contacts, calendar invitees, integration users, and other individuals whose personal data appears in Customer Content.
F. Categories of Personal Data
Names, email addresses, account identifiers, workspace identifiers, user-generated content, audio, video, voices, speech, transcripts, captions, speaker labels, summaries, meeting notes, action items, tasks, calendar events, availability information, contacts, file names, folder names, comments, prompts, workflow inputs and outputs, integration data, device data, IP addresses, approximate location data, timestamps, access logs, diagnostic logs, support content, authentication data, and configuration data.
G. Special Categories or Sensitive Data
Keldr does not intentionally request special categories of personal data or sensitive information. Customer Content may contain special categories of personal data or sensitive information if Customer chooses to record, upload, transcribe, summarize, schedule, automate, integrate, or otherwise process that information through the Services.
Customer Content may contain sensitive or regulated information if Customer chooses to process that information through the Services. Customer is responsible for determining whether the Services are appropriate for such data and for implementing required safeguards.
H. Customer Obligations and Rights
Customer's obligations and rights are described in the Services Agreement, this DPA, and Data Protection Laws.
Annex II: Technical and Organizational Measures
Keldr will maintain technical and organizational measures appropriate to the nature of the Services, the processing activities, and the risks presented by Customer's selected configuration.
1. Access Controls
Keldr uses access controls designed to limit access to Customer Personal Data to authorized personnel, systems, and Subprocessors with a need to access it.
2. Authentication and Authorization
Keldr supports account-based access and authorization controls designed to restrict access to workspaces, recordings, transcripts, settings, integrations, and sharing features. Where available, Customer may configure single sign-on, multi-factor authentication, role-based access, and workspace-level permissions.
3. Local-First Controls
Where Local-First Processing is used, Keldr is designed to allow certain processing or storage to occur on Customer-controlled devices or infrastructure. Customer is responsible for securing those devices and environments, including endpoint security, disk encryption, operating system updates, local backups, device access, local network security, and user permissions.
4. Encryption
Keldr uses encrypted transport for data transmitted to and from Keldr-managed cloud services and uses encryption or equivalent safeguards for managed storage and sensitive configuration values where appropriate. Customer is responsible for encryption settings in Customer-managed environments unless otherwise agreed.
5. Storage Controls
Keldr may support local storage, Keldr-managed cloud storage, customer-managed cloud storage, or self-hosted deployments depending on the plan and configuration. Customer is responsible for selecting and configuring the storage model appropriate to Customer's compliance needs.
6. Sharing Controls
Keldr provides or may provide controls such as workspace access controls, restricted sharing, expiring links, password protection, role-based permissions, integration permissions, and administrative controls where available and configured by Customer.
7. Data Minimization
Keldr processes Customer Personal Data for the purposes described in this DPA and supports product controls that allow Customer to limit cloud processing, disable optional AI workflows, configure integrations, control sharing, delete content, and export content.
8. Availability and Resilience
For Keldr-managed cloud services, Keldr uses operational safeguards designed to support availability and resilience, including monitoring, backups, recovery processes, and incident response practices appropriate to the nature of the Services. Customer is responsible for availability and resilience of Customer-managed devices, infrastructure, storage, and integrations.
9. Development and Change Management
Keldr uses development practices designed to reduce security and privacy risk, including source control, code review, testing, dependency management, vulnerability management, and deployment controls appropriate to the Services.
10. Logging and Monitoring
Keldr uses logs and monitoring designed to help secure the Services, troubleshoot issues, detect abuse, investigate incidents, and maintain reliability. Logs may include metadata and diagnostic information but should be configured to minimize unnecessary capture of Customer Content where reasonably practicable.
11. Personnel and Vendor Controls
Keldr requires personnel with access to Customer Personal Data to protect it and evaluates Subprocessors before authorizing them to process Customer Personal Data.
12. Incident Response
Keldr maintains incident response processes designed to identify, investigate, contain, remediate, and communicate Security Incidents affecting Keldr-managed systems.
Annex III: Subprocessors
Customer authorizes Keldr to use Subprocessors for the following categories of services where needed to provide the Services:
- Cloud hosting and infrastructure
- Database infrastructure
- Object storage
- Content delivery
- Email delivery
- Authentication and identity services
- Payment processing
- Customer support
- Analytics and product telemetry
- Error monitoring and logging
- AI transcription
- AI summarization
- AI scheduling and workflow automation
- Calendar, email, messaging, CRM, and productivity integrations
- Media processing
- Security monitoring
- Other infrastructure or service providers needed to provide the Services
Keldr's current Subprocessor list is maintained through Keldr's trust, security, legal, or Subprocessor documentation, which may be made available publicly, through a trust portal, through account access, or on request. The list is incorporated by reference into this Annex III and is the source of truth for Subprocessor names, purposes, processing locations where provided, service categories, and related transfer information where applicable.
Customer-controlled providers, including Customer's own device, storage provider, cloud account, identity provider, calendar provider, email provider, workflow tool, local model, self-hosted infrastructure, or other Customer-selected integration, are selected by Customer and are not Keldr Subprocessors.
Annex IV: Optional Product-Specific Processing Terms
1. Local-Only Mode
Where Customer configures Keldr to operate in a local-only mode, Keldr will not intentionally transmit Customer Content to Keldr-managed cloud services except as necessary for account administration, licensing, updates, telemetry, support, security, or other features that Customer enables. Customer should review product documentation and settings to confirm what data leaves Customer-controlled environments.
2. Cloud Transcription Mode
Where Customer enables cloud transcription, Customer instructs Keldr to transmit and process relevant audio, video, recordings, metadata, and related Customer Content through Keldr-managed systems and applicable Subprocessors to generate transcripts, captions, speaker labels, summaries, or related outputs.
3. Human-Assisted Transcription
Where Customer purchases human-assisted transcription or review services, Customer instructs Keldr to make relevant Customer Content available to authorized personnel or approved service providers for transcription, correction, quality assurance, or related support. Keldr will apply confidentiality and access restrictions appropriate to that processing.
4. AI Scheduling
Where Customer enables AI scheduling, Customer instructs Keldr to process relevant transcripts, meeting context, participant information, calendar data, availability information, tasks, preferences, and integration data to suggest, create, update, or coordinate scheduling actions. Customer remains responsible for reviewing automated scheduling actions and ensuring they are appropriate.
5. Workflow Automation
Where Customer enables workflow automation, Customer instructs Keldr to process Customer Content and integration data to perform configured actions, such as creating tasks, updating CRM records, generating summaries, sending notifications, creating tickets, drafting messages, or triggering other workflows. Customer is responsible for the destination systems, recipients, permissions, and consequences of configured workflows.
6. Beta Features
Customer may choose to use beta, preview, experimental, or early-access features. Such features may process Customer Personal Data differently from generally available features and may be subject to additional terms, notices, or limitations. Customer should not use beta features with regulated or sensitive data unless Customer has assessed the risks and implemented appropriate safeguards.