This Data Processing Agreement (hereinafter "Agreement") is a supplementary document to the Colla User Privacy Policy, detailing the agreements and commitments between us and third-party AI service providers regarding user data processing.
This Agreement is intended to ensure that your personal data is fully protected during the use of AI services, in compliance with applicable data protection laws and regulations.
1. Parties to the Agreement
Service Architecture:
Colla accesses the Anthropic Claude AI model through Amazon Web Services (AWS) Bedrock service. Your data is processed and managed by AWS, which assumes data protection responsibilities as the data processor.
2. Scope of Data Processing
2.1 Data That Is Processed
- Your conversation text content
- Your website building requirement descriptions
- Images, files, and other materials you upload (if any)
- Conversation history (to maintain context continuity)
2.2 Data That Is NOT Processed
The following data will not be sent to third-party AI services:
- User account passwords
- Phone numbers or email addresses
- Payment information and transaction records
- Device identifiers (IMEI, MAC addresses, etc.)
- Precise geolocation information
3. Obligations and Commitments of the Data Processor
3.1 Processing Restrictions
AWS and Anthropic commit to:
- Purpose Limitation: Process data only within the scope necessary to provide AI services
- No Training Use: Your data will not be shared with the model provider (Anthropic) and will not be used to improve foundational models
- No Commercial Use: User data will not be used for advertising, marketing, or other commercial purposes
- No Secondary Sharing: Data will not be shared with other third parties without authorization
- AWS Data Isolation: AWS commits not to access your content except with your consent or as required by law
3.2 Security Measures
Security measures implemented by AWS Bedrock include:
- Encryption: Data encrypted in transit and at rest
- Key Management: Encryption keys managed via AWS Key Management Service (KMS)
- Private Connection: AWS PrivateLink support for private VPC connections
- Access Control: Strict authentication and authorization via IAM and AWS Organizations
- Security Auditing: Monitoring via AWS CloudTrail and Amazon CloudWatch
- Automated Abuse Detection: Built-in automated abuse detection mechanisms
3.3 Compliance Certifications
AWS Bedrock has obtained the following certifications: ISO, SOC, CSA STAR Level 2, HIPAA, GDPR, FedRAMP High
3.4 Compliance Commitments
AWS as data processor commits to comply with: GDPR, PDPA, CCPA, and other applicable international data protection laws and regulations.
3.5 AWS Data Processing Agreement
Formal Legal Documents:
- AWS Data Processing Addendum (DPA): View PDF
- AWS DPA Supplementary Addendum: View PDF
- AWS Service Terms: View Details
4. Responsibilities of the Data Controller
As the data controller, Colla (Subvetron) commits to:
- Data Minimization: Send only the minimum data necessary for AI services
- Transparency: Clearly inform users about data processing in the privacy policy
- Oversight: Regularly review third-party service providers' data processing compliance
- Timely Response: Promptly handle user data rights requests
5. Rights of Data Subjects
As a data subject, you have the following rights:
- Right to Information: The right to know how your data is processed
- Right of Access: The right to access copies of your personal data we hold
- Right to Rectification: The right to request correction of inaccurate or incomplete data
- Right to Erasure: The right to request deletion of your data
- Right to Restrict Processing: The right to request limitation of data processing
- Right to Data Portability: The right to obtain your data in a structured, commonly used format
- Right to Object: The right to object to data processing based on legitimate interests
6. Data Security Incident Handling
6.1 Incident Notification
- Third-party service providers must notify Colla within 24 hours of discovery
- Colla will notify affected users within 72 hours of confirmation
- Notification includes: nature of the incident, data involved, potential impact, remedial measures
6.2 Emergency Response
- Activate emergency plans and contain the incident scope
- Investigate the cause and assess data breach risks
- Implement remedial measures to prevent escalation
- Report to regulatory authorities (if required by law)
7. Data Transfer and Storage
Data Storage Location: Colla's primary servers are located in Singapore. AI data may be processed on AWS's global infrastructure, including the Asia-Pacific region (Singapore, Tokyo, Seoul, etc.).
Data Transfer Safeguards:
- Standard Contractual Clauses (SCCs): Compliant with EU Decision 2021/914
- GDPR Compliance: AWS has obtained GDPR compliance certification
- PDPA Compliance: Compliant with Singapore's Personal Data Protection Act
- Encrypted Transmission and Storage: All data transfers use TLS/SSL encryption; storage is encrypted via AWS KMS
8. Amendment and Termination
8.1 Amendments
Any amendments to this Agreement will be communicated to users 30 days in advance via in-app notifications or email, and will be publicly posted on the Colla official website.
8.2 Termination
This Agreement will terminate when: the user deletes their account, stops using AI website building features, Colla ceases using AWS Bedrock, or the service relationship with AWS is terminated. Upon termination, AWS will delete or return all user data.
8.3 Applicability of AWS Service Terms
This Agreement is subject to the AWS Service Terms and Data Processing Addendum. In case of conflict between this Agreement and AWS Service Terms, the AWS Service Terms shall prevail.
9. Dispute Resolution
If you have any disputes regarding this Agreement or data processing, please first contact us through the contact information provided. If the dispute cannot be resolved through negotiation, you may file a complaint with the relevant regulatory authority or bring a legal action in court.
10. Contact Information
If you have any questions about this Data Processing Agreement or need to exercise your data rights, please contact us:
Colla (Subvetron)
Email: subvertron@subvertron.com
We will respond to your request within 15 business days of receipt.
Important Notice: This Data Processing Agreement is an integral part of the Colla User Privacy Policy. In case of conflict between this Agreement and the Privacy Policy, this Agreement shall prevail.
By using Colla's AI website building features, you acknowledge that you have read, understood, and agreed to the entire content of this Data Processing Agreement.