Legal

Data Processing Agreement

Last updated: 2026-05-30

Draft v1. Working version pending review by a qualified data-protection adviser before commercial launch. A countersigned copy is available on request for customers who require one.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between LumiVerse d.o.o. ("Kolega", "Processor") and the customer that has accepted those Terms ("Customer", "Controller"). It governs the processing of personal data carried out by Kolega on the Customer's behalf and reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR).

Where the Customer's end users ("visitors") interact with an agent the Customer has deployed, the Customer is the controller of that visitor personal data and Kolega is the processor. For the Customer's own account and billing data, Kolega acts as an independent controller as described in the Privacy Policy; that data is outside the scope of this DPA.

1. Subject matter and duration

Kolega processes personal data to provide the Service described in the Terms — operating an AI agent on the Customer's website, ingesting the Customer's content, and storing and reviewing the resulting conversations. Processing lasts for the duration of the Customer's subscription and the deletion window set out in §9.

2. Nature and purpose of processing

The purpose is the operation of the Service on the Customer's behalf: answering visitor questions grounded in the Customer's catalog and policies, escalating to the Customer's team when the agent is not confident, and producing aggregated quality and insight reporting for the Customer. Kolega does not use visitor conversations to train general-purpose AI models.

3. Categories of data subjects

  • Visitors to the Customer's website who interact with the agent.
  • Individuals whose contact details a visitor chooses to share during an escalation or appointment request.

4. Categories of personal data

  • Conversation content — the messages a visitor sends to the agent and the agent's replies, together with the conversation title and session identifier.
  • Escalation and appointment details — the visitor's question, a name, email, or phone number where the visitor provides one, and free-text notes.
  • Widget interaction events — session identifier, page URL, referrer, and event metadata. Kolega does not collect or store visitor IP addresses in this data.

The Service is not designed to process special-category data (Article 9). The Customer must not configure the agent to solicit it.

5. Obligations of the Processor

Kolega will:

  • Process personal data only on the Customer's documented instructions, including the configuration the Customer sets in the dashboard, unless required to act by EU or member-state law (in which case it will inform the Customer where the law permits).
  • Ensure that persons authorised to process the data are bound by an obligation of confidentiality.
  • Implement the technical and organisational measures set out in §10 (Article 32).
  • Assist the Customer, taking into account the nature of the processing, in responding to data-subject rights requests (§7) and in meeting its obligations under Articles 32 to 36.
  • Make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits as set out in §8.

6. Sub-processing

The Customer gives general authorisation for Kolega to engage the sub-processors listed at kolega.hr/subprocessors. Kolega imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for a sub-processor's performance. Kolega notifies the Customer of any intended addition or replacement of a sub-processor at least fourteen days in advance through the dashboard, during which the Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the affected part of the Service.

7. Data-subject rights

Kolega provides tooling in the Service to help the Customer meet visitor rights requests directly: a workspace owner or admin can export a visitor's personal data and can erase it. Erasure replaces the visitor's words and contact details in the conversation record with a redaction marker, and deletes the records that cannot be meaningfully anonymised (appointment requests and widget interaction events), while preserving the aggregates that contain no personal data and that the Customer relies on for reporting. Where the Customer needs assistance beyond this self-serve tooling, Kolega will provide reasonable support on request.

8. Audit

Kolega makes available, on the Customer's written request and no more than once per year (or after a personal-data breach affecting the Customer), the information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation. Where the Customer reasonably requires an on-site audit, the parties agree the scope and timing in advance so as not to disrupt the Service or other customers.

9. Return and deletion

On request, Kolega exports the Customer's workspace data in a machine-readable format within thirty days. On termination of the Service, Kolega deletes or anonymises personal data from production systems within ninety days, subject to any legal retention obligation. Independently of termination, Kolega runs a scheduled retention process that anonymises raw conversation personal data older than the window the Customer configures (default twelve months), preserving only aggregates that contain no personal data.

10. Security measures (Article 32)

Kolega maintains technical and organisational measures appropriate to the risk, including:

  • Encryption of personal data in transit (TLS).
  • Application-layer tenant isolation: every customer-owned record is scoped to a workspace and queries are constrained to the authenticated workspace.
  • Authentication by signed session tokens carried in HttpOnly cookies; passwords stored only as bcrypt hashes; least-privilege access to production systems.
  • Widget API keys bound to the Customer's allowed origins, so a key that leaks cannot be used from another website in a visitor's browser.
  • Audit logging of administrative actions, regular dependency updates, and segregation of production from development environments.
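The origin binding and workspace scoping in the list above, as an added illustration that is not Kolega's code: the key identifiers, allowed origins, workspace identifiers and conversation rows are constructed for the example, and the function names are hypothetical.

```python
"""Origin-bound widget API keys and workspace-scoped lookups.

Added illustration, not Kolega's code. The key registry, the conversation rows
and the function names are constructed for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalise_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalise an Origin header to scheme://host[:port].

    Returns None for a missing, "null" or malformed value so the caller
    rejects it instead of silently matching. The default port is dropped so
    "https://shop.example" and "https://shop.example:443" compare equal.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username or parts.password or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


@dataclass(frozen=True)
class WidgetKey:
    workspace_id: str
    allowed_origins: FrozenSet[str]  # stored already normalised


def make_key(workspace_id: str, *origins: str) -> WidgetKey:
    normalised = {normalise_origin(o) for o in origins}
    if None in normalised:
        raise ValueError("allowed origin must be a well-formed scheme://host[:port]")
    return WidgetKey(workspace_id, frozenset(normalised))


# Constructed sample registry (hypothetical key ids, workspaces and origins).
KEYS: Dict[str, WidgetKey] = {
    "wk_live_alpha": make_key("ws_alpha", "https://shop.example", "https://www.shop.example"),
    "wk_live_beta": make_key("ws_beta", "https://beta.example:8443"),
}


def find_key(presented: str) -> Optional[WidgetKey]:
    """Look up a key with a constant-time comparison against every entry."""
    found = None
    for key_id, key in KEYS.items():
        if hmac.compare_digest(key_id.encode(), presented.encode()):
            found = key  # keep scanning so timing does not reveal the position
    return found


def authorise_widget_request(api_key: str, origin_header: Optional[str]) -> Optional[str]:
    """Return the workspace the request may act on, or None to reject it.

    A key that leaks is useless from another website: the browser-supplied
    Origin must be on that key's allow-list. The limit of the control is that
    a non-browser client can send any Origin it likes, so this stops cross-site
    reuse in browsers, not a scripted attacker holding the key.
    """
    key = find_key(api_key)
    if key is None:
        return None
    origin = normalise_origin(origin_header)
    if origin is None or origin not in key.allowed_origins:
        return None
    return key.workspace_id


# Constructed sample rows; real storage would be a database with the same predicate.
CONVERSATIONS = [
    {"id": "c1", "workspace_id": "ws_alpha", "title": "Return policy"},
    {"id": "c2", "workspace_id": "ws_beta", "title": "Opening hours"},
]


def get_conversation(workspace_id: str, conversation_id: str) -> Optional[dict]:
    """Every read carries the authenticated workspace as a predicate, so a
    conversation id belonging to another tenant is simply not found."""
    for row in CONVERSATIONS:
        if row["workspace_id"] == workspace_id and row["id"] == conversation_id:
            return row
    return None


if __name__ == "__main__":
    ws = authorise_widget_request("wk_live_alpha", "https://shop.example:443")
    print(ws, get_conversation(ws, "c1"), get_conversation(ws, "c2"))
```

Two design points worth noting. Origins are compared only after normalisation, so a trailing slash, upper-case host or explicit default port does not defeat the allow-list, while a different scheme or non-default port does. Rejecting a missing or "null" Origin outright matters because falling back to "allow" would let a sandboxed iframe or a non-browser client bypass the binding.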

11. Personal-data breach

Kolega notifies the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data, and provides the information the Customer needs to meet its own notification obligations under Articles 33 and 34.

12. International transfers

Where a sub-processor processes personal data outside the European Economic Area, the transfer relies on the European Commission's Standard Contractual Clauses or another valid transfer mechanism, as indicated for each sub-processor at kolega.hr/subprocessors.

13. Contact

To request a countersigned copy of this DPA, raise a data-subject matter, or ask a data-protection question, contact pozdrav@kolega.hr.