Data Processing Addendum

GDPR Art. 28 terms for business customers acting as data controllers

Last updated: 20 June 2026

1. Parties and purpose

This Data Processing Addendum (“DPA”) forms part of the agreement between the business customer (“Controller”) and Kairos Alpha GmbH, Curschmannstr. 31, 20251 Hamburg, Germany, registered in the commercial register of Amtsgericht Hamburg under HRB 159532 (“Processor”), governing the processing of personal data on behalf of the Controller in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning the processing of personal data.

2. Subject matter, nature and duration

  • Subject matter: provision of the Service as described in the Terms of Service.
  • Nature and purpose: hosting, storage, retrieval, transmission, and processing of personal data necessary to deliver the Service to the Controller and its authorised users.
  • Duration: the term of the underlying contract, plus any period required by law or as instructed by the Controller for return or deletion of data.
  • Categories of data subjects: the Controller’s employees, contractors, end-users, customers, and other persons whose data the Controller chooses to process via the Service.
  • Categories of personal data: identification and contact data, account credentials, content uploaded by the Controller, usage and log data, and other categories the Controller chooses to process via the Service. No special categories of personal data (Art. 9 GDPR) are processed; the Service is not intended for, and the Controller agrees not to submit, special categories of personal data unless separately agreed in writing.

3. Instructions and roles

The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

4. Confidentiality

The Processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.

5. Security of processing

The Processor implements appropriate technical and organisational measures (“TOMs”) within the meaning of Art. 32 GDPR. The TOMs currently deployed are described in Annex 2 and include, at minimum: encryption in transit (TLS 1.2+), encryption at rest for databases and backups, role-based access controls with least privilege, audit logging, secret management, secure software development lifecycle practices, regular dependency review, vendor due diligence, and incident-response procedures.

6. Sub-processors

The Controller grants the Processor general authorisation to engage sub-processors. The current list of sub-processors is set out in Annex 1 and mirrors the sub-processor table in the Privacy Policy.

The Processor will inform the Controller of any intended addition or replacement of sub-processors at least thirty (30) days in advance, giving the Controller the opportunity to object on reasonable data-protection grounds. If the Controller objects, the parties will discuss in good faith; failing resolution, the Controller may terminate the affected portion of the Service on written notice. The Processor imposes on each sub-processor data protection obligations no less protective than those in this DPA.

7. Data subject rights

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests for the exercise of data subject rights laid down in Chapter III GDPR.

8. Assistance with Articles 32 to 36

The Processor assists the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR taking into account the nature of processing and the information available, including: security measures, personal-data-breach notifications, data protection impact assessments, and prior consultation with the supervisory authority.

9. Personal data breach

The Processor notifies the Controller without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. Notifications include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

10. Return or deletion of data

At the choice of the Controller, the Processor deletes or returns all personal data after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage. The standard offboarding period is thirty (30) days following termination, after which deletion occurs in accordance with the Processor’s deletion schedule, subject to backup-rotation cycles.

11. Audits

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are conducted no more than once per twelve-month period (except where required by a supervisory authority or following a personal data breach), with reasonable advance notice, during business hours, and subject to confidentiality. The Processor may satisfy audit obligations by providing third-party certifications or attestations (e.g., SOC 2, ISO 27001) where available.

12. International data transfers

Where the Processor or its sub-processors transfer personal data outside the EEA to a country not benefiting from an adequacy decision, the transfer is governed by the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), in the appropriate modular form (typically Module Two: Controller to Processor, or Module Three: Processor to Sub-Processor), which are incorporated into this DPA by reference and deemed executed between the parties. Supplementary measures are applied where required by the EDPB recommendations following Schrems II.

13. Liability and final provisions

Liability for breaches of this DPA is governed by the underlying contract. Mandatory provisions of the GDPR remain unaffected. This DPA is governed by German law; mandatory provisions of the Controller’s habitual jurisdiction remain unaffected.


Annex 1 — Sub-processor list

The sub-processor list is published and maintained in the Privacy Policy and currently includes:

  1. Polar Software Inc. — Merchant of Record (payments, invoicing, tax remittance). USA + EU. SCCs + DPF.
  2. Resend, Inc. — transactional email delivery. EU (eu-west-1). DPA, EU-resident processing.
  3. Mux, Inc. — video infrastructure. USA. SCCs + DPF.
  4. Neon, Inc. — managed PostgreSQL. USA (AWS us-east-1, N. Virginia). EU-US Data Privacy Framework (DPF) + SCCs (Decision 2021/914) fallback.
  5. Vercel Inc. — application hosting and edge delivery. USA + EU edge. SCCs + DPF.

Annex 2 — Technical and organisational measures (TOMs)

The following technical and organisational measures, as currently deployed, form the operative Annex 2:

  • Access control: role-based access with least privilege; multi-factor authentication for administrative access; quarterly access reviews.
  • Encryption: TLS 1.2+ for data in transit; AES-256 (or equivalent) for data at rest in primary databases and backups.
  • Logging and monitoring: centralised application and audit logs; anomaly detection on authentication events; retention aligned with the Privacy Policy.
  • Secret management: secrets stored in a managed vault; rotation policy; no secrets in source control.
  • Software development lifecycle: code review requirements; dependency scanning; release gates including automated tests.
  • Business continuity: regular backups with geographically separated storage; documented restore procedures; periodic restoration tests.
  • Incident response: documented runbook; on-call rotation; communication plan covering Controller notification within 72 hours of becoming aware of a personal data breach.
  • Vendor management: due diligence and contractual data-protection obligations imposed on all sub-processors listed in Annex 1.
  • Pseudonymisation and minimisation: applied where technically feasible without impairing the functionality of the Service.
  • Physical security: delegated to data-centre sub-processors (Annex 1) under their respective certifications.

Annex 3 — Standard Contractual Clauses

The EU Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference. The applicable modules, optional clauses, and annexes I–III are populated as follows: parties as set out in Section 1; description of processing as in Section 2; the competent supervisory authority is the supervisory authority of the Controller’s establishment; technical and organisational measures as in Annex 2; sub-processors as in Annex 1.