
Data Processing Agreement (DPA)

Version: 2026.04
Effective from: April 01, 2026

This Data Processing Addendum (“DPA”) forms an integral and inseparable part of the Master Service Agreement (“MSA”) entered into between Glivo LLC (“Glivo”) and the Customer identified in the Order Form. The DPA governs the processing of personal data carried out by Glivo on behalf of the Customer in connection with the provision of the Services, in compliance with Article 28 of Regulation (EU) 2016/679 (GDPR) and applicable national implementing laws.

In the event of conflict between this DPA and the MSA in matters of personal data processing, the provisions of this DPA shall prevail.


1. Subject and roles of the Parties

1.1 Scope

Glivo may process personal data (“Customer Data”) on behalf of the Customer as part of the provision of the Services. This DPA governs such processing, in compliance with Regulation (EU) 2016/679 (“GDPR”), national laws implementing the GDPR (such as the Spanish LOPDGDD or the Portuguese Law No. 58/2019) and other applicable data protection legislation (collectively, “Data Protection Laws”).

1.2 Roles

a. The Customer acts as Controller of the Customer Data, being responsible for decisions on the purposes and essential means of processing (Art. 4(7) GDPR);

b. Glivo acts as Processor (Art. 4(8) GDPR), processing the Customer Data exclusively in accordance with the documented instructions of the Customer, as set out in this DPA, in the MSA and in the configurations made available in the Services;

c. For the registration data of Administrators and managers directly collected by Glivo (name, login email, authentication data), Glivo acts as Controller, in accordance with its Privacy Policy.

1.3 Details of processing

Details of the nature, purpose, duration, categories of data and data subjects are described in Annex I of this DPA, in compliance with Art. 28(3) GDPR.


2. Glivo’s obligations (as Processor)

2.1 Processing per instructions

Glivo processes the Customer Data only on the basis of documented instructions from the Customer (including with regard to international transfers), unless required to do otherwise by law, in which case Glivo will inform the Customer in advance, unless such notification is prohibited by law on important grounds of public interest.

The Customer’s documented instructions are:

a. The terms of the MSA, this DPA and the Order Form;

b. The configurations made by the Customer in the administrative tools of the Services (roles, permissions, retention, metrics);

c. Specific requests formalized in writing by the Customer.

2.2 Notice to the Customer

Glivo notifies the Customer without delay, to the extent permitted by law, where:

a. It considers that an instruction from the Customer infringes a Data Protection Law;

b. It receives a legally binding request to disclose Customer Data from a public authority.

2.3 Confidentiality

Glivo ensures that any person authorized to process Customer Data is bound by an appropriate contractual or legal obligation of confidentiality (Art. 28(3)(b) GDPR), and has received appropriate training on data protection.

2.4 Security (Art. 32 GDPR)

Glivo implements and maintains the appropriate technical and organizational measures described in Annex II of this DPA, calibrated to ensure a level of security appropriate to the risk, in particular to protect Customer Data against unauthorized access, loss, alteration, destruction or accidental or unlawful disclosure.

Glivo may update such measures to reflect technological evolution and best practice, provided that the overall level of protection is not materially reduced.

2.5 Automatic PII anonymization

As an additional security and privacy measure, Glivo applies, before transcripts are made available to the Customer’s managers, automatic anonymization of:

  • Proper names (of natural persons and third-party companies);
  • National identification numbers (NIF, NIPC, DNI, NIE, CIF, NIN, etc.);
  • Phone numbers and emails;
  • Postal addresses and locations.

Anonymization combines regular-expression algorithms and language models. Glivo uses reasonable efforts to ensure that anonymization is effective, without absolute guarantee of removal in all cases, given the probabilistic nature of the process.

2.6 Data subject requests

Glivo, to the extent permitted by law, notifies the Customer if it directly receives a data subject request relating to Customer Data.

Glivo does not respond to such requests without prior authorization from the Customer, except where the Customer has authorized, in the configuration of the Services, automatic redirection.

Glivo, taking into account the nature of the processing and to the extent technically feasible, assists the Customer with appropriate technical and organizational measures so that the Customer can respond to data subject requests within the legal time frame of one month (Art. 12(3) GDPR).

2.7 Assistance to the Customer

Glivo provides reasonable assistance to the Customer, taking into account the nature of the processing and the information available, so that the Customer can comply with its obligations under Data Protection Laws (Art. 28(3)(e) and (f) GDPR), including:

a. Carrying out Data Protection Impact Assessments (DPIAs) involving processing by Glivo (Art. 35 GDPR);

b. Prior consultations with the supervisory authority (Art. 36 GDPR);

c. Responding to investigations or requests from authorities.

2.8 Data breach notification (Art. 33 GDPR)

Glivo notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data. The initial notification is sent within 48 hours of confirmation of the incident and includes, to the extent of the available knowledge:

a. The nature of the incident, categories and approximate number of data subjects and records affected;

b. Likely consequences;

c. Measures taken or proposed to contain and mitigate the incident;

d. A point of contact for additional information.

Glivo keeps the Customer up to date on the development of investigations and provides reasonable assistance to enable the Customer to comply with its obligations:

  • To notify the competent supervisory authority within the maximum period of 72 hours of becoming aware of the breach (Art. 33 GDPR);
  • To communicate to affected data subjects where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

2.9 Compliance assessment and audit (Art. 28(3)(h) GDPR)

Upon reasonable written request from the Customer, and to the extent required by Data Protection Laws, Glivo:

a. Makes available, no more than once per year, its privacy and security policies and other information necessary to demonstrate compliance with this DPA;

b. Allows inspections and audits carried out by the Customer or by an independent third party designated for that purpose, subject to a prior confidentiality agreement, in compliance with the following:

  • The audit is carried out in a manner that causes minimal disruption to Glivo’s operations;
  • It is limited to the scope necessary to verify compliance with this DPA;
  • It is carried out no more than once per year, except in the event of a serious incident or a request by the supervisory authority;
  • The cost of the audit is borne by the Customer, except where a material non-conformity by Glivo is identified.

Glivo may alternatively make available independent audit reports (e.g., SOC 2, ISO 27001) to fulfill this obligation. Such reports are considered Glivo’s Confidential Information.

2.10 Return or deletion of data (Art. 28(3)(g) GDPR)

Upon termination or expiry of the MSA, Glivo, upon the Customer’s instruction given within 30 days of termination:

a. Returns the Customer Data in a structured and commonly used format; or

b. Carries out the definitive deletion of the Customer Data and its copies.

Once 60 days have elapsed after termination without instructions to the contrary, Glivo proceeds with automatic deletion, except for retention required by law (financial records, court orders, defense in proceedings), in which case the data will be isolated and protected against any other processing.


3. Customer’s obligations (as Controller)

3.1 Notices and authorizations

The Customer represents, warrants and maintains, throughout the Term, that it:

a. Has an adequate legal basis under the GDPR for the processing of personal data input into the Services (in particular, legitimate interest for recording commercial interactions under Art. 6(1)(f), having performed and documented the corresponding Legitimate Interest Assessment (LIA));

b. Has provided all required information to data subjects under Arts. 13 and 14 GDPR, in particular through:

  • Visible recording signage at points of customer interaction;
  • Accessible privacy policy;
  • Seller Agreement signed by sellers before first use;

c. Has carried out a Data Protection Impact Assessment (DPIA) where applicable (Art. 35 GDPR), in particular due to the use of innovative technology or the systematic processing of workers’ data;

d. Has complied with applicable national labor law on workplace monitoring and digital rights at work (e.g., Spanish ET Arts. 20.3 and 20 bis and LOPDGDD Arts. 87 to 91; Portuguese Código do Trabalho Arts. 20-21; or analogous rules of other Member States), including, where required, informing workers and consulting workers’ representatives;

e. Has all rights, consents and authorizations necessary to provide the Customer Data to Glivo and to authorize processing under this DPA.

3.2 Cooperation

The Customer cooperates reasonably with Glivo so that Glivo can comply with its obligations under Data Protection Laws, in particular in handling data subject requests and authority requests.

3.3 Configurations and decisions

The Customer acknowledges and agrees that it is responsible for certain configuration and design decisions of the Services and their implementation in compliance with Data Protection Laws, including:

a. Retention periods (configurable in the Services);

b. Assignment of roles and permissions to End Users;

c. Definition of metrics and prompts that guide the AI’s analysis;

d. Decisions to delete specific recordings;

e. Choice on data export outside the platform.

3.4 Handling data subjects

The Customer is primarily responsible for receiving and responding to data subject requests (Arts. 12 to 22 GDPR). Glivo acts only as an assistant, as set out in section 2.6.

3.5 Special categories and minors’ data

The Customer undertakes not to intentionally enter into the Services data of special categories (Art. 9 GDPR: health, religion, political opinions, sexual orientation, biometric data for identification, genetic data) or data of minors. If such data appears incidentally in recordings, the Customer acknowledges the technical limits of automatic anonymization.


4. Sub-processors (Art. 28(2) GDPR)

4.1 General authorization

The Customer grants Glivo general written authorization to engage sub-processors to assist in the provision of the Services, listed at https://glivo.ai/subprocessors (or equivalent URL), updated from time to time.

4.2 Notification of new sub-processors

Glivo notifies the Customer of new sub-processors or replacement of existing sub-processors with reasonable advance notice (minimum of 15 days), by email to the contacts on file or in-platform notice.

4.3 Right to object

The Customer may object to the engagement of a new sub-processor within 15 days of notification, with a reasonable justification based on a risk to data protection. In such case, the Parties shall negotiate in good faith commercially viable alternatives. If no agreement is reached, either Party may terminate the MSA pro rata, with pro rata refund of pre-paid fees.

4.4 Sub-processor obligations

Glivo enters into a written contract with each sub-processor that imposes equivalent obligations to those of this DPA, in particular in terms of confidentiality, security, processing instructions and cooperation (Art. 28(4) GDPR).

4.5 Liability

Glivo remains fully liable for the acts and omissions of its sub-processors to the same extent as if it had carried out such acts directly, subject to the limitations of liability of the MSA (Art. 28(4) GDPR).


5. International data transfers (Chapter V GDPR)

5.1 Multiple jurisdictions

Glivo may process Customer Data in one or more jurisdictions, including those where its sub-processors, providers and cloud suppliers are located. In particular, Glivo LLC is established in the United States of America.

5.2 Safeguards

For international transfers outside the European Economic Area, Glivo adopts one or more of the following safeguards under Articles 44 to 49 GDPR:

a. Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914), including the applicable module (controller-processor or processor-sub-processor);

b. Adequacy decisions issued by the European Commission, where applicable (including, with respect to the United States, the EU-U.S. Data Privacy Framework, while in force, with respect to certified entities);

c. Transfer Impact Assessment (in light of the Schrems II judgment of the CJEU, Case C-311/18) to evaluate the law of the third country;

d. Supplementary measures, technical (additional encryption, prior anonymization) and organizational, in line with EDPB Recommendations 01/2020, where necessary;

e. Contractual commitment by sub-processors not to retain data after processing and not to use it to train their own models;

f. Binding Corporate Rules (BCRs), where applicable.

5.3 Transparency

The up-to-date list of sub-processors and their locations is available at https://glivo.ai/subprocessors or may be requested in writing from the Glivo DPO.


6. Additional provisions — other jurisdictions

6.1 Customer subject to specific regulation

Where the Customer is subject to sector-specific regulations beyond the GDPR (e.g., healthcare, financial, public sector regulations), the Parties may enter into specific addenda to address such requirements, with the obligations of this DPA as a baseline.

6.2 No commercialization of data

Glivo expressly declares that it:

a. Does not “sell” Customer Data, in any applicable interpretation;

b. Does not share Customer Data for behavioral or cross-context advertising;

c. Does not combine Customer Data with personal data from other sources for purposes external to the provision of the Services;

d. Does not use Customer Data to train Glivo’s own models, except with the express authorization of the Customer.


7. Definitions

  • Supervisory authority: independent public authority competent for the supervision of the application of the GDPR (e.g., AEPD in Spain; CNPD in Portugal; CNIL in France; etc.).
  • Customer Data: personal data processed by Glivo on behalf of the Customer for the provision of the Services.
  • Personal data: as defined in Art. 4(1) GDPR.
  • Special categories: as defined in Art. 9 GDPR.
  • Data Protection Laws: the GDPR, national implementing laws and other applicable legislation.
  • Controller: as defined in Art. 4(7) GDPR.
  • Processor: as defined in Art. 4(8) GDPR.
  • Sub-processor: a provider engaged by Glivo (as Processor) to assist in the processing of Customer Data.
  • Data subject: as defined in Art. 4(1) GDPR.
  • Processing: as defined in Art. 4(2) GDPR.
  • Personal data breach: as defined in Art. 4(12) GDPR.

Annex I — Details of processing (Art. 28(3) GDPR)

1. Nature and purpose

Provision of the Services for recording, automatic transcription, PII anonymization and AI-based analysis of commercial interactions, with the objective of coaching and professional development of the Customer’s sellers.

2. Duration

Duration of the MSA, plus the period necessary for the return or deletion of data, as set out in Clause 2.10.

3. Categories of Customer Data

a. Registration data of End Users (name, email, phone, role, unit);

b. Audio of commercial interactions;

c. Textual transcripts of interactions (with PII anonymized);

d. Analyses and indicators generated by the AI;

e. Service usage data (logs, sessions, devices);

f. Any personal data of end customers mentioned during the conversation (subject to automatic anonymization).

4. Categories of data subjects

a. End customers served by the Customer’s End Users;

b. Sellers using the Services;

c. Managers and administrators of the Customer;

d. Occasionally, third parties mentioned in conversations.

5. Special categories

There is no intention to process special category data (Art. 9 GDPR). The Customer is instructed to avoid collecting such data during interactions. If such data appears incidentally, it is subject to automatic anonymization as an additional layer of protection.

6. Frequency

Continuous processing, in line with the Customer’s use of the Services.

7. Retention periods

Category                  Standard period
Raw audio                 90 days (configurable)
Anonymized transcripts    Per Customer policy
Analysis outputs          Per Customer policy
Registration data         Engagement + statutory periods
Audit logs                Up to 6 years

Annex II — Technical and organizational security measures (Art. 32 GDPR)

1. Technical measures

a. Encryption in transit: TLS 1.2 or higher across all connections;

b. Encryption at rest: AES-256 or equivalent for audio, transcripts and sensitive data;

c. Per-organization data isolation (Row-Level Security at the database layer);

d. Automatic PII anonymization in transcripts, before being made available to managers;

e. Authentication with strong passwords, hashing with modern algorithms (bcrypt/argon2), tokens with expiration;

f. Role-based access control (RBAC), least-privilege principle;

g. Audit logs of administrative access and sensitive operations;

h. Regular backups with retention policy and periodic restore testing;

i. Continuous monitoring of security and anomaly detection.

2. Organizational measures

a. Internal policies on information security and privacy;

b. Periodic team training on data protection and security;

c. Confidentiality undertakings signed by all employees and providers;

d. Periodic review of accesses and permissions;

e. Documented and tested incident response plan;

f. Business continuity and disaster recovery plan;

g. Periodic assessment of suppliers and sub-processors;

h. Designated Data Protection Officer (DPO).

3. Certifications

Glivo operates in data centers certified to international information-security standards (ISO 27001, SOC 2 Type II or equivalents). Specific certifications may be requested under NDA.


Annex III — Sub-processors

The up-to-date list of sub-processors is maintained at https://glivo.ai/subprocessors (or equivalent URL).

Current categories include:

Category                 Purpose
Cloud provider           Application hosting, database and storage
Language models (LLM)    Transcript analysis, insights generation
Audio transcription      Audio-to-text conversion
Transactional email      Sending notifications and communications
Monitoring and logs      Observability, security, uptime
Payment processing       Fee collection (where applicable)

Glivo updates this list with prior notice to the Customer, in accordance with Clause 4.


Acceptance

By accepting the MSA, the Customer accepts this DPA in full, declaring that it has:

  • Read and understood all clauses and annexes;
  • Legal capacity to enter into this DPA on behalf of the legal person it represents;
  • Knowledge of the Customer’s obligations as Controller, in particular with respect to legal basis collection, signage to end customers and handling of data subject requests.

Glivo LLC — Wyoming, USA · Data Protection Officer (DPO): [to be defined] · hello@glivo.ai

EU Representative (Art. 27 GDPR): [to be defined]

Version: April 2026.