1. Definitions
Capitalized terms have the meanings given in GDPR. "Customer" means the entity that subscribes to the platform. "Personal data", "processing", "controller", "processor", "data subject", and "supervisory authority" have the meanings in Article 4 of GDPR.
2. Roles
The Customer is the controller. KAIRO is the processor. When KAIRO processes personal data on its own behalf (for account management, billing, fraud prevention, and security), KAIRO acts as a controller as described in the Privacy Policy.
3. Subject matter and duration
KAIRO processes personal data for the duration of the Customer's subscription and during any post-termination grace period as described in the Privacy Policy and Terms of Service. The subject matter is the operation of the KAIRO platform.
4. Nature and purpose of processing
KAIRO processes personal data to deliver the platform, including: account authentication, agent-orchestrated tool runs, structured output delivery, billing, support, security, and fraud prevention.
5. Categories of data subjects
- The Customer's authorized users.
- Individuals identified in content the Customer submits to the platform.
- Public figures and business contacts identified in public web data the platform analyzes for the Customer.
6. Categories of personal data
- Identification data: names, email addresses, work titles, employer.
- Professional data: roles, employment history (where in public records), and business affiliations.
- Contact data: business phone, business email, business address.
- Usage data: tool runs, timestamps, audit log entries.
- Any other categories the Customer submits to the platform.
KAIRO does not knowingly process special categories of personal data under Article 9 (health, biometric, racial or ethnic origin, political opinions) unless the Customer expressly submits such content. Customers should not submit special categories of data without prior arrangement.
7. Processor obligations
KAIRO will:
- Process personal data only on documented instructions from the Customer, including with regard to transfers, unless required by law.
- Ensure that persons authorized to process personal data are bound by confidentiality.
- Implement technical and organizational measures as described in Section 11.
- Respect the conditions for engaging subprocessors as described in Section 8.
- Assist the Customer with data subject requests under Articles 12 to 23 of GDPR.
- Assist the Customer with security, breach notification, data protection impact assessments, and prior consultations under Articles 32 to 36 of GDPR.
- On termination of services, delete or return all personal data as the Customer chooses, subject to legal retention obligations.
- Make available to the Customer all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits.
8. Subprocessors
The Customer authorizes KAIRO to engage subprocessors. The current list of subprocessors is on the Trust Center page. KAIRO will give the Customer at least thirty (30) days' notice of new subprocessors. The Customer may object to a new subprocessor on reasonable grounds. If the parties cannot resolve the objection, the Customer may terminate the affected service for cause.
KAIRO remains liable to the Customer for the performance of its subprocessors' data protection obligations.
9. International transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on the Standard Contractual Clauses adopted by the European Commission (EU 2021/914) and the UK International Data Transfer Addendum, as applicable. KAIRO maintains supplementary technical and contractual measures consistent with the Schrems II decision.
10. Data subject requests
KAIRO will, to the extent legally permitted, notify the Customer if it receives a request from a data subject. KAIRO will not respond to the request directly unless authorized by the Customer or required by law. KAIRO will provide reasonable assistance to the Customer in responding to such requests.
11. Security measures
KAIRO maintains technical and organizational measures appropriate to the risk, including:
- Encryption of personal data in transit using TLS.
- Row-level security on the production database.
- Token-bucket rate limiting on public API routes.
- Server-side admin gates and role-based access control.
- Input sanitization and SSRF protection on outbound requests.
- Structured audit logging of usage events and gate decisions.
- JWT-backed session authentication with short-lived tokens.
- Documented incident response procedures.
- Background screening for personnel with access to production systems.
The current security architecture is described on the Security page.
12. Personal data breach
KAIRO will notify the Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting the Customer's personal data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
13. Records of processing
KAIRO maintains records of processing activities as required by Article 30 of GDPR. The Customer may request access to records relating to its account through the contact channel.
14. Audits
Once per twelve (12) months, with at least thirty (30) days' written notice, the Customer may request to audit KAIRO's compliance with this DPA. KAIRO may satisfy the audit obligation by providing an independent third-party report or certification. Audits will be conducted during business hours and in a manner that does not unreasonably interfere with KAIRO's operations.
15. Liability and indemnification
Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits a party's liability to data subjects under GDPR or other applicable law.
16. Order of precedence
In the event of any conflict between this DPA and the Terms of Service or any order form, this DPA controls with respect to the processing of personal data. The Standard Contractual Clauses, when incorporated, control over any conflicting provisions of this DPA.
17. Execution
This DPA is automatically incorporated into the Terms of Service when the Customer accesses the platform from the European Economic Area, the United Kingdom, or Switzerland, or when the Customer notifies KAIRO that it is subject to GDPR or UK GDPR. The Customer may request a countersigned copy through the contact channel.
This Data Processing Addendum was generated as a template starting point. Before relying on this DPA with real EU or UK customers, have it reviewed by qualified privacy counsel and execute the most current version of the EU Standard Contractual Clauses and UK International Data Transfer Addendum as exhibits.