Data Processing Agreement - Pulso
Last updated on May 1, 2026
Introduction
This Data Processing Agreement ("Agreement" or "DPA") is entered into between the subscriber of Pulso's services ("Client", "You") and woku SpA ("woku", "Data Processor"), operator of Pulso, and governs the processing of personal data that Pulso performs on behalf of the Client in the context of the contracted services.
This Agreement complies with Law No. 19,628 of Chile, Regulation (EU) 2016/679 (GDPR), and other applicable data protection regulations. In the event of a conflict between this Agreement and the main services contract (including Pulso's Terms and Conditions), the provisions of this DPA shall prevail on matters of data protection.
1. Definitions
"Personal Data": any information that identifies or allows the identification of a natural person.
"Processing": any operation performed on Personal Data (collection, storage, use, transmission, deletion, among others).
"Data Controller": the Client, who determines the purposes and means of the processing of Personal Data.
"Data Processor": woku, who processes Personal Data on behalf of the Client through Pulso.
"Sub-processor": a third party engaged by woku to carry out processing activities on behalf of the Client.
"Security Breach": incident causing unauthorized access, loss, alteration, or destruction of Personal Data.
"Plan" and "Conversation": shall have the meaning assigned in Pulso's Terms and Conditions.
2. Subject Matter and Scope of Processing
woku will process the Personal Data that the Client makes available through Pulso exclusively to provide the contracted services. The processing will include:
- Categories of data: names, email addresses, phone numbers, transcripts and recordings of Conversations with the Pulso Agent, ratings, detected sentiment, identified risk signals, generated alerts, and any other personal data that the Client uploads or generates through the Platform.
- Categories of data subjects: the Client's end customers who interact with the Pulso Agent, employees, or collaborators of the Client designated as Users of the Platform.
- Processing purposes: provision of the Pulso service (AI agent conversations, signal detection, alert generation, and integrations), as well as sending notifications and communications enabled by the Client, according to the contracted Plan.
- Duration: during the Validity of the contracted Plan and while the Client maintains an active account, or according to the Client's documented instructions.
woku will not process Personal Data for any purpose other than the Client's documented instructions, except when required by law.
3. Obligations of woku as Data Processor
woku commits to:
a) Process Personal Data solely according to the Client's documented instructions.
b) Inform the Client if it considers that any instruction violates applicable regulations.
c) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
d) Implement the security measures described in Section 6.
e) Assist the Client in fulfilling their obligations to data subjects (access, rectification, deletion, portability, restriction, and objection).
f) Assist the Client in carrying out Data Protection Impact Assessments (DPIA) when applicable.
g) Notify the Client of any Security Breach within the timeframes established in Section 7.
h) At the Client's choice, delete or return all Personal Data at the end of the contract, in accordance with Section 11.
i) Contractually ensure that providers of language models and voice services do not use the Personal Data processed through Pulso to train publicly available models.
4. Client Instructions
The Client is the Data Controller and determines the purposes and means of the processing of Personal Data. This Agreement, together with the services contract and the configurations applied on Pulso (enabled channels, alert rules, integrations), constitute the Client's documented instructions. Any additional instructions must be provided in writing; email is accepted as a valid medium.
5. Sub-processors
5.1 General authorization
The Client authorizes woku to engage Sub-processors to provide Pulso's services, subject to the conditions of this Agreement.
5.2 List of current Sub-processors
woku maintains an up-to-date list of Sub-processors available upon request at pau@woku.app. Current Sub-processors for Pulso include, among others:
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | U.S. / multiple regions |
| Google Cloud Platform | Complementary services | U.S. / multiple regions |
| Paddle (Paddle.com Market Limited) | Payment processing (Merchant of Record) | United Kingdom |
| Language model (LLM) provider | Pulso Agent response generation | U.S. / multiple regions |
| Speech-to-text and text-to-speech provider | Voice transcription and synthesis | U.S. / EU |
| WhatsApp Business API provider | Conversations via WhatsApp | U.S. / EU |
| Telephony provider | Conversations via call | Multiple regions |
| Amazon SES | Transactional email delivery | U.S. / multiple regions |
5.3 Changes to Sub-processors
woku will notify the Client at least 30 days in advance of any addition or replacement of Sub-processors. The Client will have the right to reasonably object to such change within 15 days of the notification. If the objection cannot be resolved by mutual agreement, the Client may terminate the contract without penalty, in accordance with Section 6 of Pulso's Terms and Conditions.
5.4 Obligations with Sub-processors
woku will impose on each Sub-processor, through written contracts, obligations equivalent to those of this Agreement regarding data protection. woku will be liable to the Client for compliance with such obligations.
6. Security Measures
woku implements and maintains technical and organizational measures appropriate to the level of risk, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Two-factor authentication (2FA) for administrative access.
- Role-based access control and principle of least privilege.
- Regular backups and disaster recovery procedures.
- Penetration testing and periodic security reviews.
- Patch and vulnerability management.
- Logging and monitoring of access to systems containing Personal Data.
- Documented incident response plan.
- Contractual clauses with AI providers prohibiting the use of Personal Data to train publicly available models.
7. Security Breach Notification
In the event of detecting a Security Breach affecting Personal Data processed on behalf of the Client, woku will:
a) Notify the Client within 72 hours of becoming aware of the breach, using the Client's registered email address.
b) Include in the notification: description of the incident, categories and approximate number of affected data subjects, potential consequences, and measures taken or proposed to mitigate the impact.
c) When complete information is not available within 72 hours, send an initial notification with the available data, to be supplemented as soon as reasonably possible.
d) Collaborate with the Client in the investigation, documentation of the incident, and notification to competent authorities when applicable.
8. Data Subject Rights
woku will assist the Client, to the extent technically possible, so that the Client can respond to requests from data subjects exercising their rights (access, rectification, deletion, portability, restriction, objection). This assistance will include:
- Tools on the Platform to export or delete transcripts, recordings, and end-user data.
- Response to ad hoc requests within a maximum period of 10 business days.
When a request is received directly by woku, it will be redirected to the Client for handling, unless expressly instructed otherwise.
9. Audit Rights
The Client will have the right to verify woku's compliance with this Agreement. To this end:
a) woku will provide, upon the Client's request, relevant documentation on its security and data protection practices (policies, certifications, and available audit reports).
b) The Client may request an independent audit with a mutually agreed reputable auditor, with at least 30 days' prior notice and a maximum frequency of once per calendar year, except for justified cause (for example, following a Security Breach).
c) The audit costs will be borne by the Client, unless the results reveal material non-compliance with this Agreement by woku.
d) The auditor must sign a confidentiality agreement before accessing any woku information.
10. International Data Transfers
When processing involves transfers of Personal Data outside of Chile or the European Economic Area (EEA), woku will ensure that such transfers have adequate safeguards in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries recognized as having an adequate level of protection.
- Other safeguards permitted by applicable regulations.
woku will inform the Client about international transfers made by its Sub-processors and the safeguards applied.
11. Data Retention and Deletion at End of Contract
Upon termination of the contractual relationship, woku will:
a) At the Client's instruction, securely delete or return all Personal Data within 30 days of the request.
b) Issue a deletion certification upon the Client's request.
c) Retain data for a longer period only when required by law, informing the Client of such circumstance and limiting processing to what is strictly necessary to comply with such obligation.
12. Liability
Each party will be liable to the other for direct damages caused by breach of this Agreement. woku's liability as Data Processor is limited to direct damages caused by actions outside the Client's documented instructions or by breach of the security obligations established herein, without prejudice to the liability limits set forth in Pulso's Terms and Conditions.
13. Modifications to the Agreement
woku may update this Agreement to reflect legal, operational, or processing-practice changes. Substantial modifications will be notified to the Client at least 30 days before they take effect. Continued use of the services after such period will imply acceptance of the modifications.
14. Applicable Law and Jurisdiction
This Agreement is governed by the laws of the Republic of Chile. For Clients established in the European Union, the provisions of the GDPR will also apply. Disputes arising from this Agreement will be submitted to the competent courts of Santiago de Chile, without prejudice to the rights of data subjects to file claims with the data protection authorities of their country of residence.
15. Contact
woku SpA (operator of Pulso)
Calle 120 39 Dp 14 B, Hualpén, Chile 4600150
General email: team@woku.app
Data protection contact: pau@woku.app
Product website: woku.app/pulso