Katalyz.ai

GDPR Compliance

The General Data Protection Regulation (GDPR, EU Regulation 2016/679) governs personal data processing in Europe. This page details Katalyz's concrete commitments regarding data protection, complementing our Privacy Policy.

1. Our role: processor under Article 28 GDPR

Within the Katalyz Service, the Customer is the data controller for its Debtors' data. Katalyz acts as a processor under Article 28 GDPR. This relationship is governed by a Data Processing Agreement (DPA), integrated into our Terms of Service or signed separately upon Customer request.

2. Data processed on behalf of the Customer

Katalyz processes, on behalf of its Customers:

  • Debtor identification data (company name, contact, email, phone).
  • Invoice data (amount, due date, payment status, references).
  • Interaction history (emails sent, AI call transcripts, payment agreements, promises, Debtor replies).

Katalyz processes such data only for the purposes documented by the Customer: commercial debt collection, Debtor relationship management and Customer reporting.

3. Sub-processors

Katalyz relies on sub-processors to deliver the Service. The up-to-date list is available to Customers and indicatively includes:

  • Hosting: Hetzner Online GmbH (Germany, EU).
  • AI / LLM models: [Anthropic — United States; OpenAI — United States — to be confirmed].
  • Voice synthesis and calls: [ElevenLabs, Vapi, Twilio — to be confirmed].
  • Transactional email: [Postmark / SendGrid — to be confirmed].
  • SMS / WhatsApp: [Twilio — to be confirmed].
  • Internal tools: monitoring, logging, backups.

Any change to the sub-processor list is notified to the Customer at least 30 days before implementation, with the right to object.

4. International transfers

Some sub-processors (notably AI providers) are based outside the EU, primarily in the United States. Such transfers are governed by Article 46 GDPR safeguards:

  • Standard Contractual Clauses (SCC) adopted by the European Commission;
  • Data Privacy Framework (DPF) adherence where the sub-processor is eligible;
  • Additional technical measures (encryption, pseudonymization where feasible).

5. Security measures

Katalyz implements technical and organizational measures appropriate to the risk (Article 32 GDPR):

  • TLS 1.2+ encryption for all communications.
  • Encryption at rest (AES-256).
  • Least-privilege access control, multi-factor authentication for administrators.
  • Encrypted backups with periodically tested restoration.
  • Audit logs, 24/7 security monitoring.
  • Code review, dependency monitoring, security updates.
  • Penetration testing and periodic security reviews [frequency to be confirmed].
  • Business continuity and disaster recovery plans (BCP/DRP).

6. Retention

Data processed on behalf of the Customer is retained for the duration of the contract, then for the period required to comply with legal obligations (accounting obligations and the civil and tax limitation periods). Beyond that, data is deleted or anonymized. The Customer may request earlier deletion at any time, subject to overriding legal obligations.

7. Data subject rights (Debtors)

Debtors have all the rights granted by the GDPR (access, rectification, erasure, objection, restriction, portability). Such requests should in principle be addressed to the Customer, the data controller. Katalyz, as processor, assists the Customer in handling such requests within statutory deadlines.

When a Debtor contacts Katalyz directly, the request is forwarded to the Customer without delay.

8. Data breach notification

In the event of a personal data breach (Article 33 GDPR), Katalyz notifies the Customer without undue delay and at the latest within 72 hours of detection, providing all useful information to enable the Customer to notify the supervisory authority and, where applicable, the affected data subjects.

9. Data Protection Officer

For any data protection question, contact our data protection lead at [dpo@katalyz.ai — to be confirmed] or, failing that, contact@katalyz.ai.

10. Supervisory authority

If you believe your rights are not being respected, you may lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority:

Commission Nationale de l'Informatique et des Libertés
3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — France
www.cnil.fr

11. Further reading