Effective: May 2026 · Katalyst IO LLC · This DPA is incorporated by reference into the Katalyst IO LLC Terms of Service.
Who this applies to
This Data Processing Agreement ("DPA") applies to all Katalyst clients ("Controller") whose use of the Katalyst platform involves the processing of personal data on their behalf. By executing a service agreement or submitting an audit request that proceeds to onboarding, you agree to this DPA. If you require a custom-executed DPA for enterprise procurement purposes, contact outreach@getkatalyst-io.com.
"Controller" means the Katalyst IO LLC client (the med spa or its operating entity) that determines the purposes and means of processing personal data. "Processor" means Katalyst IO LLC, which processes personal data on the Controller's behalf. "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Katalyst IO LLC service. "Processing" has the meaning given in applicable privacy law. "Sub-processor" means any third party engaged by Katalyst IO LLC to process Personal Data on the Controller's behalf. "PHI" means Protected Health Information as defined under HIPAA, 45 C.F.R. § 160.103.
Katalyst processes Personal Data for the duration of the service agreement (including any renewal or extension) and for such further period as is necessary to comply with legal obligations or as specified in the retention terms of the executed BAA. Upon termination, Katalyst will return or securely destroy all Personal Data within 30 days, unless a longer retention period is required by law.
Katalyst processes Personal Data to: (a) receive, record, and transcribe inbound and outbound telephone calls on behalf of the Controller; (b) generate automated follow-up SMS and email communications to callers and leads; (c) compile and deliver daily operational briefings to the Controller; (d) identify missed appointments, no-shows, and unfollowed leads for recovery workflows; and (e) operate and maintain the platform infrastructure. Processing occurs only on documented instructions from the Controller and for no other purpose.
Categories of Personal Data processed include: caller identification (phone number, name where provided); appointment details; treatment inquiries; call timestamps and durations; SMS message content; email addresses; and any other information contained in the oral content of recorded calls. Where the Controller is a HIPAA-covered entity, this data includes PHI and is governed by the separately-executed Business Associate Agreement.
Data subjects include: (a) callers and prospective patients contacting the Controller's clinic; (b) the Controller's staff whose calls are recorded; and (c) the Controller's own authorized users of the Katalyst platform. Katalyst does not intentionally collect data from individuals under 18 years of age in connection with the service.
The Controller represents and warrants that: (a) it has a lawful basis to collect and process the Personal Data it directs Katalyst to process; (b) it has complied with all applicable call recording consent requirements, including Florida Statutes § 934.03 and any other applicable all-party consent law, and authorizes Katalyst to deploy the required pre-call recording disclosure on its behalf; (c) it has published, or will publish before go-live, a privacy notice or policy that discloses the use of recording services; (d) it will promptly notify Katalyst of any changes to its instructions; and (e) it will indemnify and hold harmless Katalyst for any claims arising from the Controller's failure to comply with (a)–(d).
Katalyst will: (a) process Personal Data only on documented instructions from the Controller and not for any other purpose; (b) ensure that authorized personnel are bound by appropriate confidentiality obligations; (c) implement and maintain the technical and organizational security measures described in Section 8; (d) assist the Controller in responding to data subject rights requests to the extent feasible given the nature of the processing; (e) notify the Controller without undue delay (and in any event within 48 hours of discovery) of any confirmed or reasonably suspected Personal Data breach affecting the Controller's data; (f) maintain records of processing activities as required by applicable law; and (g) upon Controller request and at Controller's expense, make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits not more than once per calendar year with 30 days' prior written notice.
Katalyst implements appropriate technical and organizational measures, including: AES-256 encryption of Personal Data at rest; TLS 1.2+ encryption of data in transit; multi-factor authentication for all administrative access; role-based access controls limiting access to authorized personnel only; immutable audit logs of access to Personal Data; regular penetration testing and vulnerability assessments; an incident response and business continuity plan; and annual workforce training on data protection and security. Katalyst will update these measures as the state of the art evolves and as new risks are identified.
The Controller grants Katalyst general authorization to engage sub-processors as necessary to deliver the service, provided that: (a) sub-processors are bound by written data processing terms providing at least equivalent protection to this DPA; (b) Katalyst remains fully liable to the Controller for the sub-processor's performance; and (c) Katalyst maintains a current list of sub-processors available on request at outreach@getkatalyst-io.com and will notify the Controller of any material change to its sub-processor list with reasonable notice (not less than 10 business days) to allow the Controller to object. Current categories of sub-processors: cloud infrastructure (AWS or equivalent HIPAA-eligible provider); telephony (Twilio or equivalent); AI transcription service (HIPAA-eligible tier with executed BAA); payment processor.
Where the Controller is a HIPAA Covered Entity (as defined at 45 C.F.R. § 160.103), the parties must execute a Business Associate Agreement (BAA) before Katalyst processes any PHI. The BAA governs the handling of PHI and takes precedence over this DPA to the extent of any conflict with respect to PHI. If you have not yet executed a BAA with Katalyst and require one, contact outreach@getkatalyst-io.com before activating the service. Katalyst will not process PHI without a signed BAA in place.
All Personal Data is processed and stored within the United States. Katalyst does not transfer Personal Data outside the United States at this time. If this changes, Katalyst will update this DPA and notify affected Controllers with reasonable advance notice.
This DPA is governed by the laws of the State of Florida, without regard to its conflict of law provisions. Disputes arising under this DPA are subject to the dispute resolution provisions in the Katalyst Terms of Service.
DPA enquiries, sub-processor list requests, and BAA execution: outreach@getkatalyst-io.com