Legal Information

Data Processing Agreement

Effective Date: July 8, 2026

This Data Processing Agreement is a template that Utari, LLC executes with a business customer that requires one. The customer and signatory fields below are completed at the time of signing. To request an executed copy, contact hey@utari.ai.

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Utari Terms of Service and any applicable order or subscription agreement (together, the "Agreement") between Utari, LLC ("Utari") and the customer identified in the Agreement or in Annex 1 ("Customer"). This DPA applies where Utari processes Personal Data on behalf of Customer in the course of providing the Services. If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA governs.

Customer uses the Services provided by Utari and, in doing so, may submit or make available Personal Data that Utari processes on Customer's behalf.

The parties enter into this DPA to reflect their agreement regarding the processing of such Personal Data in accordance with applicable Data Protection Laws.

1. Definitions

"Applicable Data Protection Laws" means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and U.S. state privacy laws such as the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").

"Controller" means the entity that determines the purposes and means of the processing of Personal Data; with respect to Customer Personal Data, Customer is the Controller (or acts on behalf of a Controller).

"Processor" means the entity that processes Personal Data on behalf of the Controller; with respect to Customer Personal Data, Utari is the Processor.

"Customer Personal Data" means Personal Data that Utari processes on behalf of Customer in connection with the Services, as described in Annex 1.

"Personal Data" means any information relating to an identified or identifiable natural person, and includes "personal information" as defined under U.S. state privacy laws.

"Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, and deletion.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, and includes a "consumer" under U.S. state privacy laws.

"Subprocessor" means any third party engaged by Utari to process Customer Personal Data.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Utari.

"Standard Contractual Clauses" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, and, for the United Kingdom, the UK International Data Transfer Addendum.

2. Roles and Scope of Processing

Roles of the Parties. As between the parties, Customer is the Controller (or processes on behalf of a Controller) and Utari is the Processor of Customer Personal Data. For Personal Data of Community Members, the parties acknowledge that Customer, as Instance Owner, and Utari may act as joint controllers as described in the Utari Privacy Policy; this DPA governs the portion of processing Utari performs on Customer's behalf.

Subject Matter and Details. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

Compliance. Each party will comply with its obligations under Applicable Data Protection Laws. Customer is responsible for the accuracy and legality of Customer Personal Data and for having an appropriate legal basis and any required consents to provide it to Utari and to instruct the processing described in this DPA.

3. Processing Instructions

Documented Instructions. Utari will process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services, unless required to process by law, in which case Utari will inform Customer of that legal requirement unless prohibited from doing so.

Unlawful Instructions. Utari will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws, without obligation to conduct a legal review of the lawfulness of instructions.

4. Confidentiality and Personnel

Confidentiality. Utari will treat Customer Personal Data as confidential and will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

Access Limits. Utari will limit access to Customer Personal Data to personnel who need access to provide the Services and will maintain appropriate access controls and audit logging, including for any administrative or support access.

5. Security Measures

Technical and Organizational Measures. Utari will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against a Security Incident, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A summary of current measures is set out in Annex 2.

Updates. Utari may update its security measures from time to time, provided the updates do not materially reduce the overall level of protection.

6. Subprocessors

Authorization. Customer provides general authorization for Utari to engage Subprocessors to process Customer Personal Data. A list of current Subprocessors is available as described in Annex 3.

Subprocessor Terms. Utari will impose data protection obligations on each Subprocessor that are substantially similar to those in this DPA and will remain responsible for each Subprocessor's performance of its obligations.

Changes. Utari will provide a mechanism for Customer to be notified of new Subprocessors and, where required by Applicable Data Protection Laws, an opportunity to object on reasonable data-protection grounds.

7. Data Subject Requests

Assistance. Taking into account the nature of the processing, Utari will provide reasonable assistance, including appropriate technical and organizational measures and the self-service functionality of the Services, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws.

Forwarding. If Utari receives a request from a Data Subject relating to Customer Personal Data, Utari will, where legally permitted, direct the Data Subject to Customer or forward the request to Customer rather than responding directly, unless otherwise required by law.

8. Assistance to Customer

Compliance Support. Taking into account the nature of processing and the information available to Utari, Utari will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer's obligations regarding the security of processing and Security Incident notification.

9. Security Incident Notification

Notice. Utari will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data.

Information. The notice will include, to the extent known and permitted, the nature of the incident, the categories and approximate number of affected Data Subjects and records, likely consequences, and the measures taken or proposed to address the incident.

No Admission. Utari's notification of or response to a Security Incident is not an acknowledgment of fault or liability.

10. International Data Transfers

Transfer Mechanism. To the extent Utari processes Customer Personal Data originating from the EEA, United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference and apply to such transfers, with Customer as data exporter and Utari as data importer, and with the annexes populated by Annex 1, Annex 2, and Annex 3 of this DPA.

Conflict. In the event of a conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses prevail with respect to the transfers they govern.

11. Return and Deletion of Personal Data

On Termination. Upon termination of the Services or Customer's written request, Utari will, at Customer's option, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law or permitted under the Utari Privacy Policy retention schedule for backups, billing, security, or dispute-resolution purposes.

Timing. Deletion will occur within a commercially reasonable period, subject to the backup retention windows described in the Utari Privacy Policy.

12. Audits and Records

Information. Utari will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports, security summaries, or questionnaire responses.

Audits. Where required by Applicable Data Protection Laws, and no more than once per year absent a Security Incident or regulatory requirement, Utari will allow for and contribute to audits conducted by Customer or an independent auditor, subject to reasonable confidentiality, scheduling, scope, and security conditions.

13. U.S. State Privacy Law Terms

Service Provider Status. To the extent Utari processes personal information subject to the CCPA on behalf of Customer, Utari acts as a "service provider" (or "processor" under other state laws). Utari will process such personal information only for the business purposes of providing the Services and as permitted for a service provider.

Restrictions. Utari will not sell or share Customer Personal Data; will not retain, use, or disclose it for any purpose other than providing the Services or as otherwise permitted by law; will not retain, use, or disclose it outside the direct business relationship between the parties; and will not combine it with personal information from other sources except as permitted for a service provider.

Certification. Utari certifies that it understands and will comply with these restrictions.

14. Liability

Limitation. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to a party's aggregate liability applies to the combined liability under the Agreement and this DPA.

15. Term and Termination

Term. This DPA takes effect on the Effective Date and remains in effect for as long as Utari processes Customer Personal Data under the Agreement.

Survival. Provisions that by their nature should survive termination, including those regarding deletion, confidentiality, and liability, will survive.

16. General Provisions

Governing Law. This DPA is governed by the laws of the State of Florida, except to the extent Applicable Data Protection Laws or the Standard Contractual Clauses require otherwise.

Order of Precedence. This DPA supplements the Agreement. Except as expressly modified here, the Agreement remains in full force and effect.

Entire Agreement. This DPA, together with its Annexes and the Agreement, constitutes the entire agreement of the parties regarding the processing of Customer Personal Data.


The parties have executed this Data Processing Agreement as of the Effective Date.

Utari, LLC By: _______________________________ Name: [Utari Authorized Signatory] Title: Authorized Signatory

[Customer Legal Name] By: _______________________________ Name: [Customer Signatory] Title: Authorized Signatory

Annex 1 — Details of Processing

ItemDescription
Data exporter / Controller[Customer Legal Name and Contact]
Data importer / ProcessorUtari, LLC, contact: hey@utari.ai
Subject matterProvision of the Utari Services, including operation of AI Instances and related features
DurationFor the term of the Agreement and until deletion or return of Customer Personal Data
Nature and purposeHosting, storage, processing, retrieval, and generation of AI outputs to provide the Services
Categories of Data SubjectsCustomer's authorized users, Source Individuals, and Community Members
Categories of Personal DataIdentifiers, account and profile data, User Content, voice and audio data (which may include biometric information), usage and device data, and communications
Sensitive dataVoice biometric data, where the voice feature is used, subject to the consent and retention terms of the Utari Privacy Policy
Frequency of transferContinuous, for the duration of the Services
RetentionAs set out in the Utari Privacy Policy retention schedule

Annex 2 — Technical and Organizational Security Measures

Utari maintains measures that may include: encryption of data in transit (TLS) and at rest; encrypted storage of connected-application credentials and OAuth tokens; logical separation of customer data enforced through database row-level security; access controls and role-based permissions; authentication controls; centralized secrets management; audit logging of administrative and support access, including privileged support-impersonation actions; network and application security controls; segregation of production environments; vendor and subprocessor due diligence; backup and recovery procedures; and incident response procedures.

Annex 3 — Subprocessors

The current list of Subprocessors is maintained by Utari and corresponds to the service providers identified in the Utari Privacy Policy, including hosting, database, AI and model, voice and transcription, payment, analytics, and support providers. A current list is available on request at hey@utari.ai.