KAMBA PRIVACY POLICY
Effective Date: May 24, 2021
Last Updated: January 1, 2025
1. Overview
Kamba Group LLC (“Kamba,” “we,” or “us”) is committed to protecting your privacy and the confidentiality of the information you entrust to us.
This Privacy Policy explains how we collect, use, share, and safeguard information in connection with our AI-native data-workflow platform — including Kamba AI Data Analyst, Kamba Smart Search, and related products (collectively, the “Platform”) — whether accessed via Symphony, other enterprise interfaces, APIs, or on-premise and private-cloud deployments.
We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act/Privacy Rights Act (CCPA/CPRA), and the EU–U.S. Data Privacy Framework (DPF).
Depending on the deployment, Kamba may act as a data processor on behalf of its enterprise customers or as a data controller for information it collects directly (such as account, telemetry, or billing data).
Definition. “Customer Data” means any data, content, or information uploaded, submitted, or otherwise made available to the Platform by a customer or its authorized users.
2. Scope
This Policy applies to:
All Kamba Platform services, AI agents, APIs, and integrations;
Any third-party interface or connector through which Kamba Services operate (e.g., Symphony, Slack, Bloomberg);
Our corporate websites (e.g., kambagroup.com); and
All data processed to deliver, maintain, or improve our products and support.
This Policy does not apply to:
Customer Data fully managed in on-premise or private-cloud environments where Kamba has no access; or
Data governed solely by a host platform’s privacy framework (e.g., Symphony’s encryption and retention policies).
It also extends to customer-authorized integrations (e.g., Snowflake, S3, or internal data lakes) where Kamba processes data on the customer’s behalf.
3. Information We Collect
A. Information You Provide
We may collect:
Professional or contact details (name, email, organization, title);
Configuration and onboarding preferences;
Support inquiries, demo logs, or feedback forms;
Billing, subscription, and credit-usage details for paid Services; and
Limited commercial information (e.g., department, purchase history) for account management.
B. Automatically Collected Information
Depending on deployment:
Integrated Environments — anonymized usage metrics (e.g., query volume, response time, feature usage);
Web/API Environments — limited telemetry (e.g., IP address, device type, session ID) for security and performance;
Private Deployments — telemetry collection is optional and governed by customer policy.
Kamba does not use cookies or web trackers within enterprise deployments.
C. AI Processing Data (“Interaction Content”)
Our AI agents may temporarily process:
User queries or prompts;
Contextual data from connected sources (structured or unstructured); and
Generated outputs and summaries.
Strict Rule — No Use of Interaction Content. Kamba does not use, review, mine, sell, rent, share, or otherwise leverage user interaction content (prompts, files, context, outputs) for model training, tuning, product improvement, analytics, advertising, or any secondary purpose — ever. Interaction content is processed only to fulfill the user’s request and (if the customer enables history) to display within that user’s profile/tenant. Access by Kamba personnel is technically restricted and only possible with prior, explicit, time-bound customer authorization for support, with full logging.
4. How We Use Information
We use information to:
Provide, operate, and improve the Platform (excluding any use of interaction content for improvement);
Personalize and optimize runtime execution for the requesting user/tenant without persisting or reusing interaction content outside that tenant;
Authenticate users and manage subscriptions and credit balances;
Calculate and process usage-based billing events;
Ensure security, compliance, and fraud prevention; and
Comply with legal and contractual obligations.
When used for analytics or research, we rely on aggregated and anonymized telemetry (not interaction content) to prevent individual identification.
5. Data Sharing and Third-Party Processors
Kamba does not sell or “share” (as defined under CCPA/CPRA) personal information and does not use data for cross-context behavioral advertising. We share limited data only as necessary to operate the Platform:
Purpose
Recipient Type
Safeguards
Hosting and infrastructure
Cloud providers (e.g., AWS, Azure)
Encryption and Data Processing Agreements
Integrations and connectors
Symphony and other approved partners
Contractual controls, secure APIs
Optional LLM inference
Third-party AI providers (e.g., OpenAI, Anthropic)
“No-training/no-retention” instructions where available, prompt redaction, model isolation
Compliance and law enforcement
Authorized authorities
Only where legally required
Corporate transactions
Auditors, investors, acquirers
Confidentiality agreements
All subprocessors operate under written agreements containing data-processing and confidentiality obligations consistent with this Policy and applicable law. Customers may request the latest sub-processor list at privacy@kambagroup.com.
6. Interfaces and Data Residency
When accessed through Symphony or other enterprise platforms, communications, telemetry, and metadata remain governed by that platform’s encryption and compliance rules. Kamba only receives the information necessary to fulfill user requests.
Customers may select preferred data-residency regions (U.S., U.K., EU, or other supported jurisdictions). Kamba will not relocate Customer Data between regions without notice, except where required to maintain continuity of service.
All cross-border transfers comply with the DPF and/or Standard Contractual Clauses (SCCs).
6A. Client-Managed Environments (Private Cloud / On-Premise)
For deployments in a customer’s private cloud or on-premise environment (“Client-Managed Environments”):
Zero Kamba Access / Zero Egress. All processing occurs entirely within the customer’s controlled infrastructure. Kamba does not receive, store, log, or replicate interaction content or Customer Data. No data egress to Kamba-controlled systems.
Keys and Identity. Customer controls encryption keys (CMEK/BYOK/HYOK) and identity (SSO/IdP).
No Subprocessors by Default. Unless the customer explicitly enables them, third-party subprocessors are not engaged for runtime processing.
Telemetry. By default, no interaction-content telemetry is collected. Optional high-level health signals (e.g., service up/down, error codes) can be enabled by the customer and remain non-content.
Support Access. Kamba support cannot access the environment or data without a customer-approved, time-bound access grant using least-privilege controls, with all access logged by the customer.
Retention and Audit. Retention, audit, and deletion are governed by the customer’s policies and tooling; Kamba neither dictates nor changes these settings.
7. AI Transparency and Data Handling
Model Transparency. Kamba’s AI systems are model-agnostic and may run on Kamba-hosted or customer-hosted models.
Data Confidentiality. Inputs and outputs are never shared with third parties without authorization.
Data Minimization. Only the context required to process a query is used.
Logging & Auditing. Customers may access usage logs, API call summaries, and audit reports (content-free).
Credit Usage Tracking. Transactional records of credit consumption are maintained for billing and audit (content-free).
AI Governance. Kamba operates under documented governance and audit procedures to ensure transparency, traceability, and explainability of automated outputs.
Customer Accountability. Customers remain responsible for evaluating the accuracy and appropriateness of AI-generated outputs before using them for decision-making.
All data in transit and at rest is encrypted.
8. Security Measures
Kamba applies industry-standard safeguards:
TLS 1.3 encryption for communications;
AES-256 encryption at rest;
Role-based access and least-privilege controls;
SOC 2 and ISO 27001 alignment;
Regular penetration testing and continuous monitoring.
If Kamba confirms a security incident involving Customer Data, it will notify affected customers without undue delay and within 72 hours, cooperating fully on remediation. Private deployments follow the customer’s internal security policy with optional Kamba validation.
9. User Rights
Depending on jurisdiction, you may have rights to:
Access, rectify, or delete your personal data;
Restrict or object to processing;
Export data in machine-readable format;
Withdraw consent;
Lodge a complaint with your data-protection authority; and
(California) designate an authorized agent to submit requests on your behalf.
To exercise these rights, contact privacy@kambagroup.com or your enterprise administrator.
10. Data Retention
Operational Telemetry. Retained up to 12 months (unless a shorter period is requested). Telemetry excludes interaction content.
Billing Records. Billing, credit-usage, and financial transaction records are retained for the legally required accounting period.
Interaction Content. Kamba does not retain or reuse interaction content for optimization or product improvement.
SaaS. If a customer enables chat history, interaction content is stored only within that customer’s tenant for end-user convenience and governed by tenant-defined retention; it is not accessible to Kamba personnel without explicit, time-bound approval and is never used for training or analytics.
Client-Managed Environments. Kamba never receives interaction content; retention/deletion are managed solely by the customer.
Marketplace. Private-deployment retention is governed by customer policy; Kamba-hosted marketplace metadata remains content-free.
11. Children’s Data
Kamba’s services are intended for authorized enterprise users aged 18 or older. We do not knowingly collect data from minors. Any such data discovered will be promptly deleted.
12. International Data Transfers
Kamba complies with:
The EU–U.S. Data Privacy Framework (DPF);
The UK Extension and Swiss–U.S. DPF; and
Standard Contractual Clauses (SCCs) for other jurisdictions.
If any framework is invalidated or replaced, Kamba will adopt a lawful alternative mechanism to ensure ongoing protection. Questions may be sent to legal@kambagroup.com.
13. Commercial and Marketplace Data
Subscription & Credit Data. We collect and store account, usage, and credit-consumption information for billing, support, and audit purposes (content-free).
Marketplace Data Exchange. The Kamba Marketplace enables data transactions between vendors and buyers. Kamba does not charge any fees or commissions on these transactions (0% exchange cost) and does not monetize user data.
Aggregate Analytics. Kamba may collect anonymized marketplace statistics (e.g., number of listings, usage volume) solely to improve service performance. No personal or transactional data is shared or sold.
Transactional Security. All Marketplace interactions are logged and encrypted; participants are responsible for their own contractual and compliance obligations.
14. Updates to This Policy
We may revise this Policy to reflect technological, regulatory, or commercial developments. Material updates will be communicated at least 15 days prior to taking effect, unless required sooner by law. Previous versions of this Policy will be archived and made available upon request. Continued use of the Platform after such updates constitutes acceptance.
15. Governing Law
This Privacy Policy and any disputes arising from it shall be governed by the laws of the State of New York, USA, without regard to its conflict-of-law principles.
16. Contact Information
For privacy questions, rights requests, or sub-processor information:
📧 privacy@kambagroup.com
For legal or compliance inquiries:
📧 legal@kambagroup.com
Kamba Group LLC
227 East 59th Street
New York, NY 10022, USA
KAMBA TERMS & CONDITIONS
Effective Date: May 24, 2021 Last Updated: January 1, 2025
1. Acceptance of Terms
Kamba Group LLC (“Kamba,” “we,” or “us”) provides AI-driven software and related services enabling enterprise users to streamline data discovery, analysis, and collaboration (the “Platform”). By accessing or using the Platform—whether via the Kamba website, APIs, approved enterprise interfaces (including Symphony or others), private-cloud deployments, or on-premise instances—you (“Customer” or “User”) agree to these Terms & Conditions (the “Terms”). If you represent a company or other legal entity, you confirm you have authority to bind that entity.
Service Agreement. Each executed Service Order referencing these Terms, together with these Terms and any applicable Data Processing Addendum (“DPA”), constitutes the complete Service Agreement between Kamba and Customer. Any signed Master Agreement, Order, or Statement of Work (“Separate Agreement”) prevails in case of conflict with these Terms.
2. Modifications
Kamba may update these Terms periodically to reflect product, regulatory, or operational changes. Updated Terms will appear at www.kambagroup.com. Material updates will be communicated by email or in-Platform notice. Continued use constitutes acceptance.
3. Description of Services
Kamba delivers an AI-native data-workflow platform supporting multi-agent analytics, Smart Search, collaboration tools, and data-management modules (collectively, the “Services”).
Deployment options include:
Cloud (SaaS) – hosted by Kamba or authorized partners;
Private Cloud / On-Premise – hosted in Customer-controlled environments;
API / Integration – embedded within approved third-party systems.
4. Accounts and Access
Access is provided through enterprise SSO (e.g., Okta, Azure AD), Kamba-issued credentials, or approved third-party interfaces. Customer is responsible for user provisioning, credential security, multi-factor enforcement (where applicable), and activity within its environment. Unauthorized access or credential sharing is prohibited.
5. Data and Privacy
5.1 Customer Data
“Customer Data” means any data, content, or information uploaded, submitted, or otherwise made available to the Platform by Customer or its authorized users. Customer retains ownership of all Customer Data. Kamba processes Customer Data solely to operate the Services and provide support, in accordance with Kamba’s Privacy Policy and any applicable DPA.
5.2 Model Outputs
Insights, reports, or results generated by the Platform (“Model Outputs”) belong to Customer. Kamba may retain aggregated, de-identified telemetry (non-content) to enhance reliability and security.
5.3 Data Training
Kamba does not use Customer Data, model inputs, or Model Outputs to train or fine-tune foundation models unless expressly authorized in writing.
5.4 Security
Kamba employs industry-standard encryption, access controls, monitoring, and vulnerability testing. For private deployments, Customer may apply its own security and compliance framework.
5.5 No Use of Interaction Content
Kamba does not use, review, mine, sell, rent, share, or otherwise leverage user interaction content (prompts, context, files, or outputs) for model training, tuning, analytics, advertising, or any secondary purpose. For SaaS, if Customer enables history, interaction content remains within Customer’s tenant and is not accessible to Kamba personnel without explicit, time-bound authorization by Customer and full logging. See also Section 6 for Client-Managed Environments.
6. Client-Managed Environments (Private Cloud / On-Premise)
For deployments in Customer’s private cloud or on-premise environment (“Client-Managed Environments”):
(a) Zero Kamba Access / Zero Egress. All processing occurs entirely within Customer’s controlled infrastructure. Kamba does not receive, store, log, or replicate interaction content or Customer Data. No data egress to Kamba-controlled systems.
(b) Keys and Identity. Customer controls encryption keys (CMEK/BYOK/HYOK) and identity (SSO/IdP).
(c) No Subprocessors by Default. Unless Customer explicitly enables them, third-party subprocessors are not engaged for runtime processing.
(d) Telemetry. By default, no interaction-content telemetry is collected. Optional high-level health signals (service up/down, error codes) may be enabled by Customer and remain non-content.
(e) Support Access. Kamba support cannot access the environment or data without a Customer-approved, time-bound access grant using least-privilege controls. All access is logged by Customer.
(f) Retention and Audit. Retention, audit, and deletion are governed by Customer’s policies and tooling; Kamba neither dictates nor alters these settings.
7. License and Intellectual Property
7.1 Ownership
Kamba and its licensors retain all rights in the Platform, software, models, documentation, and derivative works.
7.2 License to Customer
Kamba grants Customer a non-exclusive, non-transferable, revocable license to use the Platform during the subscription term for internal business purposes.
7.3 License to Kamba
Customer grants Kamba a limited license to process Customer Data solely to provide and support the Services.
7.4 Feedback
Kamba may use feedback or suggestions provided by Customer without restriction or obligation.
8. Acceptable Use
Customer and its users shall not:
Violate laws or third-party rights;
Upload malicious code;
Attempt to extract or reverse-engineer models or source code;
Benchmark or publish test results without consent;
Use outputs as the sole basis for investment or compliance decisions;
Introduce regulated data (e.g., PHI, PCI) unless expressly permitted by DPA;
Deploy for high-risk use cases (e.g., medical or critical infrastructure) without written authorization.
9. AI and Output Disclaimer
AI-generated outputs are probabilistic and may contain inaccuracies. Outputs are provided “as is.” Kamba disclaims all responsibility for their accuracy, completeness, or fitness for any purpose and provides no investment, legal, or tax advice. Customer remains solely responsible for reviewing, validating, and applying Model Outputs before relying on them for any operational, investment, or compliance use.
10. Third-Party Platforms and Providers
The Platform may interoperate with external systems such as messaging platforms, cloud providers, data vendors, or LLM providers (“Third-Party Services”). Each is governed by its own terms. Kamba is not liable for the availability or actions of such services except as required by applicable law or DPA.
11. Commercial Terms and Pricing Policy
11.1 Pricing Structure
Kamba’s commercial model combines subscription, usage, and optional transaction components:
Tier
Description
Pricing / Structure
Enterprise Subscription
Annual SaaS license including AI modules, integrations, governance tools
Starting at US $120,000 per year; scalable with modules/connectors
Team / Individual Seats
Seats for small teams or single users
US $300 per user per month
Credits System
Usage credits that power AI queries, model runs, and API calls
Credits deducted per use; volume discounts available
Marketplace Data Exchange
Data discovery, requests, and transactions among participants
0% transaction cost for buyers and vendors
White-Label / Custom Deployments
Private-cloud or branded versions for large enterprises
Custom-quoted based on scope
11.2 Fees and Payment
All fees are payable in U.S. dollars per the applicable Order or invoice. Fees exclude taxes. Late payments may accrue 1% monthly interest (or the maximum allowed by law).
11.3 Trials and Pilots
Pilot access is time-limited, provided “as is,” and not for production use. Continued use requires a paid subscription.
11.4 Renewals and Adjustments
Subscriptions renew automatically unless canceled 30 days prior to renewal. Pricing may adjust upon renewal with written notice.
11.5 Refunds
Except where required by law, all fees and credit purchases are non-refundable.
12. Confidentiality
Each party shall protect the other’s confidential information using at least the same care used for its own. Upon termination, confidential information must be deleted or returned, subject to legal retention obligations.
13. Service Levels and Support
Kamba provides commercially reasonable uptime, maintenance notifications, and multi-tier support as defined in the applicable SLA. Enterprise customers receive guaranteed response times and escalation paths.
14. Warranties and Disclaimers
The Platform is provided “as is” and “as available.” Kamba disclaims all warranties, express or implied, including merchantability, fitness for purpose, and non-infringement. No guarantee is made that the Platform or outputs will be error-free or uninterrupted.
15. Limitation of Liability
Except for gross negligence, fraud, or payment obligations:
Each party’s aggregate liability is limited to the fees paid or payable in the 12 months preceding the claim; and
Neither party is liable for indirect, incidental, special, or consequential damages.
These limits apply even if a party has been advised of the possibility of such damages.
16. Term and Termination
Either party may terminate for material breach not cured within 30 days of written notice. Upon termination:
Customer access ceases;
A 30-day data-export window is provided;
Kamba then deletes or de-identifies Customer Data per the Privacy Policy.
Survival. Sections 5 (Data & Privacy), 6 (Client-Managed Environments), 7 (Intellectual Property), 9 (AI Disclaimer), 12 (Confidentiality), 14 (Warranties and Disclaimers), 15 (Limitation of Liability), 17 (Compliance), 18 (Governing Law), and 19(d) (Notices) survive termination or expiration.
17. Compliance and Export Controls
Each party shall comply with applicable data-protection, export-control, and anti-corruption laws. Customer confirms it is not a prohibited or sanctioned party and will not use the Platform in violation of applicable regulations.
18. Governing Law and Jurisdiction
These Terms are governed by the laws of the State of New York, excluding conflict-of-law principles. Disputes shall be resolved exclusively in the state or federal courts of New York County, New York.
19. Miscellaneous
(a) Entire Agreement. These Terms and any Separate Agreement constitute the entire agreement between the parties.
(b) Severability. If any provision is found invalid, the remainder remains in effect.
(c) Waiver. A failure to enforce any right is not a waiver of that or any other right.
(d) Notices. Notices must be in writing and sent to the addresses below (or as updated in writing).
(e) Assignment. Neither party may assign rights or obligations without written consent, except to an affiliate or successor entity.
20. Force Majeure
Neither party shall be liable for delays or failure to perform any obligation under these Terms due to causes beyond its reasonable control, including natural disasters, war, terrorism, labor disputes, governmental restrictions, pandemics, or Internet service failures. Obligations affected by such events will resume promptly once performance becomes possible.
21. Contact Information
Kamba Group LLC
227 East 59th Street
New York, NY 10022, USA
📧 legal@kambagroup.com
🌐 www.kambagroup.com