Legal document

Data Processing Agreement

DPA · Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)

Version: 1.0
Publication date: June 11, 2025
Next review: January 2026
Contact: legal@calibana.com

Data Controller

The Customer
The natural or legal person identified in the Calibana account at the time of acceptance of this Agreement.

Data Processor

Sergio Sáez de Ibarra González
Getxo, Bizkaia, Spain
Tax ID available upon request at legal@calibana.com
Trading under the brand Calibana

This Agreement enters into force upon electronic acceptance during the registration process or from account settings at app.calibana.com.

Clause 1

Subject matter and nature of processing

This Data Processing Agreement (hereinafter "the Agreement") sets out the terms and conditions under which the Data Processor (Calibana) will process personal data on behalf of the Data Controller (the Customer), in connection with the provision of the services described below, pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

1.1 Description of the service

Calibana is a B2B meeting intelligence platform that provides the following services:

  • Automated transcription of video calls conducted via Google Meet, by capturing captions generated by Google's own service, without audio recording.
  • Generation of summaries and extraction of action items from transcripts using artificial intelligence models (Google Gemini).
  • Task management via Kanban board and commitment tracking.
  • Extraction of action items from Gmail email threads.
  • Generation of pre-meeting briefings based on client history.
  • Sending of notifications and summaries by email.

1.2 Purpose of processing

Personal data will be processed solely for the purpose of providing the services described in clause 1.1 and never for the Processor's own purposes, including but not limited to: advertising, commercial profiling, training proprietary artificial intelligence models, or transfer to unauthorised third parties.

1.3 Duration

This Agreement shall enter into force on the date of electronic acceptance by the Controller and shall remain in force for as long as the contractual relationship between the parties arising from the Calibana Terms and Conditions subsists.

Clause 2

Description of processing activities

2.1 Categories of personal data

| Category of data | Description and examples |
|---|---|
| Identification data | Full name and email address of meeting participants and email correspondents. |
| Communications data | Content of video call transcripts (caption text), content of processed email threads. |
| Professional data | Job title, company, project role, commitments and professional tasks. |
| Meeting metadata | Date, time, duration, meeting name, participants, room code. |
| Service usage data | Access logs, configuration preferences, meeting history. |

Calibana does not intentionally process special categories of data (Art. 9 GDPR), such as health data, ethnic origin, political opinions, trade union membership, or genetic or biometric data. The Controller is solely responsible for ensuring that data processed through the service does not include special categories without the appropriate legal basis.

2.2 Categories of data subjects

  • Employees, collaborators or contractors of the Data Controller.
  • Clients, suppliers, partners or any third party participating in meetings or email exchanges managed by the Controller.
  • Any person whose voice or text is captured in a transcript processed through the service.

2.3 Processing operations

  • Collection and storage of transcripts in plain text in an encrypted database.
  • AI processing for generation of summaries, extraction of action items and meeting metrics.
  • Encrypted transmission to sub-processors listed in clause 7.
  • Automated deletion in accordance with the retention periods set out in clause 6.

Clause 3

Controller instructions

The Processor shall process personal data only in accordance with the documented instructions of the Controller, as established by:

  • This Agreement and any duly notified amendments thereto.
  • The Calibana Terms and Conditions.
  • Instructions communicated by the Controller through the service settings (account settings, projects, data retention).

If the Processor considers that a Controller instruction infringes the GDPR or other applicable data protection law, it shall notify the Controller immediately in writing to the email address registered in the account. In such case, the Processor may suspend execution of that instruction until it receives confirmation or an alternative instruction.

The Processor shall not process data for any purpose other than those set out in this Agreement, unless required to do so by European Union or Member State law, in which case it shall inform the Controller prior to such processing, unless the law prohibits this on grounds of public interest.

Clause 4

Processor obligations

4.1 Confidentiality

The Processor guarantees that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive termination of this Agreement.

4.2 Security of processing (Art. 32 GDPR)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, the Processor implements the following technical and organisational measures:

  • Encryption of data in transit using TLS 1.2 or higher across all communications.
  • Encryption of data at rest in the database (PostgreSQL with AES-256 encryption).
  • Role-based access control (Row Level Security) ensuring each user can only access their own data.
  • JWT-based authentication with token expiry and secure renewal.
  • Session isolation between the browser extension and the web application.
  • Error monitoring and security alerting.
  • Automated backups managed by the database provider.
  • Access to production data restricted to the service owner.

4.3 Assistance to the Controller

The Processor shall assist the Controller in fulfilling its obligations with regard to:

  • The security of processing (Art. 32 GDPR).
  • Notification of personal data breaches to the supervisory authority (Art. 33 GDPR) and to data subjects (Art. 34 GDPR).
  • Carrying out data protection impact assessments (Art. 35 GDPR), where required.
  • Prior consultations with the supervisory authority (Art. 36 GDPR).

4.4 Handling data subject rights

When the Processor directly receives a request from a data subject exercising their rights (access, rectification, erasure, portability, restriction or objection), it shall forward it to the Controller within a maximum of 5 business days, without responding directly to the data subject unless expressly instructed to do so by the Controller. The Controller alone is obliged to respond to data subjects within the statutory deadlines.

4.5 Personal data breach notification

The Processor shall notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of it, of any personal data breach that may pose a risk to the rights and freedoms of data subjects. Notification shall be sent to the email address registered in the account and shall include, to the extent possible:

  • The nature of the personal data breach.
  • The categories and approximate number of data subjects and records affected.
  • The measures taken or proposed to address the breach.

Clause 5

Controller obligations

The Data Controller declares and warrants that:

  • It has a lawful basis for processing the personal data it introduces or processes through the service (consent, legitimate interest, contract performance or other applicable basis under Art. 6 GDPR).
  • It has informed the data subjects whose data will be processed through Calibana, in accordance with Articles 13 and 14 GDPR, including the existence of the transcription service and its purposes.
  • It ensures that participants in transcribed meetings have been informed in advance of the use of the transcription service.
  • It will not introduce special category data (Art. 9 GDPR) into the service without having the explicit legal basis required for that category.
  • It is responsible for the accuracy, currency and legitimacy of the data it introduces into the service.
  • It complies with the obligations arising from the GDPR in its capacity as Data Controller, including the record of processing activities (Art. 30 GDPR) where applicable.

Clause 6

Data retention and erasure

6.1 Retention periods during the term of the contract

| Plan | Transcript retention period |
|---|---|
| Free Plan | 3 months from the date of the meeting. |
| Pro Plan | 12 months (1 year) from the date of the meeting. |
| After account cancellation | 30 calendar days from the cancellation date, unless immediate erasure is requested. |

Account configuration data, projects and Kanban tasks are retained for the duration of the contract. Once the applicable period has elapsed, data is deleted automatically via scheduled processes. AI-generated summaries and reports are deleted following the same retention periods as the source transcripts.

6.2 Erasure upon Controller request

The Controller may request the deletion of specific data (meetings, projects, tasks, full account) at any time through the service interface or by contacting legal@calibana.com. The Processor shall carry out the deletion within a maximum of 10 business days of the request and shall confirm completion in writing.

6.3 End of contract

Upon termination of the contract for any reason, the Processor shall make the Controller's data available in exportable format (JSON or CSV) for a period of 30 calendar days. After that period, if the Controller has not downloaded the data, it shall be permanently deleted. The Processor shall certify deletion upon request.

Clause 7

Sub-processors

Pursuant to Article 28.2 GDPR, the Processor has the Controller's general authorisation to engage the sub-processors listed below. All sub-processors are subject to data protection obligations equivalent to those set out in this Agreement under their respective data processing agreements (DPAs).

| Sub-processor | Purpose and data processed |
|---|---|
| Supabase, Inc. (EU infrastructure) | Primary database. Stores transcripts, tasks, configuration and all service data. DPA available at supabase.com/legal/dpa. |
| Amazon Web Services (AWS SES · eu-west-1, Ireland) | Sending of transactional emails (summaries, notifications). Processes the user's email address. DPA at aws.amazon.com. |
| Google LLC — Gemini API | AI processing of transcripts for summary generation, action item extraction and metrics. Processes transcript content. DPA included in the Google Cloud Terms of Service. |
| Google LLC — Calendar API | Synchronisation of the user's calendar events for pre-meeting briefings. Processes event metadata and attendees. Subject to the same Google Cloud terms. |
| Sentry (Functional Software, Inc.) | Application error monitoring. May process session data and error context. DPA at sentry.io/legal/dpa. |
| Stripe, Inc. | Payment and subscription management. Processes billing data of the account holder. Calibana does not store credit card data. DPA at stripe.com/legal/dpa. |
| Hostinger International Ltd. | Web application hosting. Accesses server logs and static files. DPA at hostinger.com/legal/gdpr. |

The Processor shall notify the Controller of any addition or replacement of sub-processors at least 30 days in advance by email to the address registered in the account. The Controller shall have that period to raise a reasoned objection to the change. If the Controller does not raise an objection within that period, the new sub-processor shall be deemed accepted.

Clause 8

International transfers of data

Personal data is stored and processed primarily in the European Economic Area (EEA). However, some sub-processors listed in clause 7 may transfer data outside the EEA. In all cases, such transfers are covered by one of the following legal mechanisms:

  • European Commission adequacy decision (e.g. EU–US Data Privacy Framework).
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
  • Binding Corporate Rules.

The Processor guarantees that any international transfer carried out by itself or its sub-processors complies with Chapter V of the GDPR and provides appropriate safeguards for the protection of the data transferred.

Clause 9

Audits and verification of compliance

The Controller has the right to verify the Processor's compliance with this Agreement. To that end, the Processor shall:

  • Make available to the Controller, upon written request to legal@calibana.com, all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR.
  • Respond to security and data protection questionnaires within a maximum of 20 business days of receipt.
  • Inform the Controller if, in its opinion, any instruction infringes the GDPR or other applicable law.

Given the size and nature of the service, on-site audits are replaced by the questionnaire mechanism described above, unless both parties expressly agree otherwise. The costs of any audit shall be borne by the Controller unless the audit reveals non-compliance attributable to the Processor.

Clause 10

Artificial intelligence and transparency

The service uses artificial intelligence models (Google Gemini) to process transcripts and generate content (summaries, action items, metrics, briefings). The Controller accepts and declares that it has informed the affected data subjects of:

  • The use of AI systems to analyse the content of meetings and emails.
  • The automated nature of generated summaries, action items and metrics, which may contain errors and should not be relied upon as accurate records without human review.
  • The ability to review, correct or delete AI-generated content through the service interface.

Calibana warrants that Google LLC, as provider of the Gemini API under a paid Google Cloud billing plan, does not use data submitted via the API to train its AI models, in accordance with the Google Cloud Terms of Service.

Clause 11

Liability

The Processor shall be liable for damage caused to the Controller or third parties as a result of failure to comply with the obligations set out in this Agreement or the GDPR, in accordance with Article 82 GDPR.

The Processor shall not be liable for damage arising from:

  • Misuse of the service by the Controller or its users.
  • Introduction of special category data into the service without an adequate legal basis.
  • Failure by the Controller to fulfil its information obligations to data subjects.
  • Service interruptions attributable to the sub-processors listed in clause 7.
  • Controller instructions that the Processor has flagged as potentially infringing.

The Processor's total liability under this Agreement shall in any event be limited to the total amount paid by the Controller during the twelve months preceding the event giving rise to the damage, except in cases of wilful misconduct or gross negligence.

Clause 12

Governing law and jurisdiction

This Agreement shall be governed by and construed in accordance with Spanish law and European data protection legislation, in particular the GDPR and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

The competent supervisory authority for overseeing compliance with this Agreement is the Spanish Data Protection Agency (AEPD), Calle Jorge Juan 6, 28001 Madrid — www.aepd.es.

For the resolution of any dispute arising from this Agreement, the parties submit, expressly waiving any other jurisdiction that may apply, to the Courts and Tribunals of Bilbao (Bizkaia), Spain.

Clause 13

Amendments

The Processor may amend this Agreement to reflect changes in legislation, rulings by the AEPD or other supervisory authorities, or changes in sub-processors or security measures. Amendments shall be notified to the Controller by email at least 30 days before they take effect.

If the Controller does not raise an objection within that period, it shall be deemed to have accepted the new version of the Agreement. In the event of objection, the Controller may terminate the service contract without penalty, with a pro-rata refund of the unused portion of the subscription period.

Previous versions of the Agreement will be available at calibana.com/dpa/history for a minimum period of 3 years.

Electronic acceptance

This Agreement enters into force upon electronic acceptance. By ticking the box "I have read and accept the Data Processing Agreement" during the registration process or in account settings, the Data Controller expresses its agreement with all the terms of this document.

The date, accepted version and IP address of the Controller are recorded by Calibana as evidence of acceptance. This record has evidentiary value equivalent to a simple electronic signature pursuant to Regulation (EU) 910/2014 (eIDAS).

For questions about this Agreement please contact legal@calibana.com.