Legal

Data Processing Agreement

We try to keep these short, plain, and free of dark patterns. If anything's unclear, email legal@praatbox.com — a human reads them.

Last updated: April 2026

Roles

You are the data controller. Kaya Core, Inc. (operating the Praatbox product) is the data processor. We process personal data on your behalf, under your instructions, for the purposes described in the main service agreement.

Sub-processors

We use a small, vetted list of sub-processors. Changes are announced 30 days in advance and you can object.

  • Cloudflare, Inc. — application hosting (Workers, Pages), database (D1), object storage (R2), CDN, EU region
  • Stripe Payments Europe, Ltd. — billing only
  • Resend, Inc. — transactional email
  • Manus AI (Forge) — LLM inference for AI replies
  • Google Firebase Authentication — dashboard sign-in identity

Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256). Least-privilege access controls, reviewed periodically.

Sub-processor access

No sub-processor has standing access to your conversation data. Conversation content is sent to our LLM provider only in-flight to generate a single reply, and is not retained by the provider beyond what their terms specify.

Incident response

We notify you within 72 hours of any confirmed personal data breach affecting your data, with a written report covering scope, cause, and remediation.