Korala.aiBack to Home

Data Processing Agreement

Last updated: January 28, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Korala LLC ("Processor," "we," "us") and the customer ("Controller," "you") using our document signing services. This DPA governs the processing of personal data by Korala on behalf of the Controller.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope and Purpose

The Processor processes Personal Data solely for the purpose of providing the document signing services as described in the Terms of Service. This includes:

  • Storing and managing documents uploaded by the Controller
  • Processing signer information (names, email addresses)
  • Recording signature events and audit trails
  • Sending transactional emails to signers
  • Generating signed documents with timestamps

4. Controller Obligations

The Controller agrees to:

  • Ensure a lawful basis exists for processing Personal Data through the Service
  • Provide necessary notices to and obtain required consents from Data Subjects
  • Ensure all Personal Data provided to the Processor is accurate and lawfully obtained
  • Not upload documents containing sensitive personal data unless appropriate safeguards are in place

5. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services, at the Controller's choice

6. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Secure backup and recovery procedures
  • Employee security training and access limitations

For more details, see our Security page.

7. Sub-processors

The Controller authorizes the Processor to engage Sub-processors to assist in providing the Service. Current Sub-processors include:

  • Cloud Infrastructure: For hosting and data storage
  • Email Service Provider: For sending transactional emails
  • Payment Processor: For processing payments (Stripe)
  • Timestamp Authority: For RFC 3161 timestamps (DigiCert)

The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller an opportunity to object.

8. International Data Transfers

Personal Data may be transferred to and processed in the United States. The Processor ensures that appropriate safeguards are in place for such transfers, including standard contractual clauses where applicable.

9. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests, including rights to:

  • Access their Personal Data
  • Rectify inaccurate data
  • Erase their data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing

10. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay after becoming aware of the breach. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. Audit Rights

The Controller may request information necessary to demonstrate compliance with this DPA. The Processor will make available relevant documentation and, upon reasonable notice, allow for audits or inspections conducted by the Controller or an appointed auditor.

12. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, the Processor will, at the Controller's choice, delete or return all Personal Data within 30 days, unless retention is required by law.

13. Contact Us

For questions about this DPA or to exercise data protection rights, contact us at:

Korala LLC
Email: hello@korala.ai