Data Processing Addendum (DPA)
Last updated: March 28, 2026
This Data Processing Addendum ("DPA") supplements the OpenKBS Terms of Use (the "Agreement") and governs the processing of personal data by OpenKBS ("Processor", "Company", "we") on behalf of the Customer ("Controller", "you") in connection with the Customer's use of the Platform.
This DPA applies to the extent that the Company processes Personal Data on the Customer's behalf as a data processor under applicable Data Protection Laws.
By using the Platform, you agree to this DPA. If you have entered into the Agreement on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to this DPA.
1. Definitions
"Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data that apply to the parties, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and any other applicable data protection legislation.
"Controller" means the entity that determines the purposes and means of processing of Personal Data. In the context of this DPA, the Customer is the Controller.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to a Data Subject that is processed by the Company on behalf of the Customer through the Platform.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
"Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, OpenKBS is the Processor.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
2. Scope and Roles
2.1. Roles. The Customer acts as the Controller (or, where the Customer is itself a processor, as a processor engaging a sub-processor) and the Company acts as the Processor with respect to Personal Data processed through the Platform.
2.2. Scope. This DPA applies to all Personal Data that the Customer or its Users upload, store, or otherwise process through the Platform, including data processed in connection with Expert Services.
2.3. Customer Obligations. The Customer is responsible for:
(a) ensuring that its use of the Platform and the processing instructions it provides comply with Applicable Data Protection Laws;
(b) ensuring that it has obtained all necessary consents and authorizations to share Personal Data with the Platform;
(c) providing clear and documented instructions to the Company regarding the processing of Personal Data.
3. Processing Instructions
3.1. The Company shall process Personal Data only on documented instructions from the Customer, unless required by applicable law. The Customer's instructions are defined by this DPA, the Agreement, and the Customer's use and configuration of the Platform.
3.2. If the Company believes that an instruction from the Customer infringes Applicable Data Protection Laws, the Company will promptly notify the Customer.
3.3. The Company shall not process Personal Data for its own purposes, including for training AI models, marketing, or profiling, except as necessary to provide and maintain the Platform as described in the Agreement.
4. Details of Processing
| Element | Description |
|---------|-------------|
| Subject Matter | Processing of Personal Data to provide the Platform and related services |
| Duration | For the term of the Agreement, plus any retention period required by law |
| Nature and Purpose | Storage, retrieval, transmission, and processing of Personal Data as necessary to operate the Platform, including transmitting data to AI Service providers for inference |
| Categories of Data Subjects | Determined by the Customer; may include Customer's employees, clients, end users, and other individuals whose data is uploaded to the Platform |
| Categories of Personal Data | Determined by the Customer; may include names, contact information, identification data, and any other data uploaded by the Customer |
5. Data Security
5.1. Technical and Organizational Measures. The Company implements appropriate technical and organizational measures to protect Personal Data, including:
(a) Encryption in Transit: All data transmitted between the Customer and the Platform is encrypted using TLS/SSL;
(b) Access Controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis, with role-based access controls;
(c) Data Isolation: Customer data is logically isolated between projects and accounts;
(d) Infrastructure Security: The Platform is hosted on cloud infrastructure (AWS) that maintains independent security certifications (ISO/IEC 27001, SOC 2);
(e) Regular Security Reviews: The Company reviews and updates security measures periodically to address evolving threats.
5.2. Customer Responsibility. The Customer is responsible for maintaining the security of its Account credentials and API keys. The Company is not liable for unauthorized access resulting from the Customer's failure to protect its credentials.
6. Sub-processors
6.1. Authorization. The Customer provides general authorization for the Company to engage Sub-processors to process Personal Data, subject to the conditions of this Section.
6.2. Current Sub-processors. A list of current Sub-processors is available upon request by contacting office@openkbs.com and will be maintained on the Company's website. Key categories include:
- Cloud Infrastructure: AWS (hosting, compute, storage) — US, EU, Asia-Pacific regions
- AI Service Providers: OpenAI, Anthropic, Google (AI model inference — configured with data protection measures including, where available, zero data retention and regional data processing options)
- Payment Processing: Stripe or equivalent (billing and transactions)
6.3. Notification of Changes. The Company will notify the Customer of any intended addition or replacement of Sub-processors by updating the Sub-processor list on its website or by email notification at least fourteen (14) days before the new Sub-processor begins processing Personal Data.
6.4. Objection. If the Customer has a reasonable objection to a new Sub-processor, the Customer may notify the Company in writing within fourteen (14) days of receiving notice. The parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected services.
6.5. Sub-processor Obligations. The Company ensures that all Sub-processors are bound by data protection obligations no less protective than those in this DPA.
6.6. Liability. The Company remains liable to the Customer for the acts and omissions of its Sub-processors to the same extent the Company would be liable if performing the services directly.
7. Data Subject Rights
7.1. The Company will assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2. If the Company receives a request directly from a Data Subject, it will promptly redirect the request to the Customer, unless legally required to respond directly.
7.3. The Company will provide reasonable technical assistance to enable the Customer to respond to Data Subject requests within the timeframes required by applicable law.
8. Security Incidents
8.1. Notification. The Company will notify the Customer of any Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident.
8.2. Incident Details. The notification will include, to the extent available:
(a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected;
(b) the likely consequences of the incident;
(c) a description of the measures taken or proposed to address the incident and mitigate its effects;
(d) the name and contact details of a point of contact for further information.
8.3. Cooperation. The Company will cooperate with the Customer and provide reasonable assistance in investigating and remediating the Security Incident, including assistance with any notifications to supervisory authorities or Data Subjects required under Applicable Data Protection Laws.
8.4. Documentation. The Company will document all Security Incidents, including the facts, effects, and remedial actions taken, and make this documentation available to the Customer upon request.
9. Data Transfers
9.1. The Company may transfer Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland only where appropriate safeguards are in place, including:
(a) transfers to countries with an adequacy decision by the European Commission;
(b) Standard Contractual Clauses approved by the European Commission;
(c) other legally recognized transfer mechanisms under Applicable Data Protection Laws.
9.2. Where Standard Contractual Clauses are required, they are hereby incorporated by reference into this DPA. The applicable SCCs are the European Commission's Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Module Two: Controller to Processor), as set out in Commission Implementing Decision (EU) 2021/914.
9.3. For transfers from the United Kingdom, the International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner) shall apply.
10. Audits
10.1. The Company will make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
10.2. The Company will allow and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following:
(a) audit requests must be made with at least thirty (30) days' advance written notice;
(b) audits may be conducted no more than once per year, unless a Security Incident has occurred or a supervisory authority requires an additional audit;
(c) audits shall be conducted during normal business hours and shall not unreasonably disrupt the Company's operations;
(d) the auditor must be bound by confidentiality obligations;
(e) audit costs are borne by the Customer, unless the audit reveals a material breach by the Company.
10.3. Where feasible, the Company may satisfy audit requirements by providing a current SOC 2 Type II report or equivalent third-party audit report.
11. Data Retention and Deletion
11.1. Upon termination of the Agreement, the Company will, at the Customer's choice:
(a) return all Personal Data to the Customer in a standard, machine-readable format (JSON, CSV, or equivalent); and/or
(b) delete all Personal Data from the Company's systems and the systems of its Sub-processors.
11.2. The Customer must exercise this choice within fifteen (15) days following termination. After this period, the Company may delete all Personal Data.
11.3. The Company may retain Personal Data to the extent required by applicable law, subject to appropriate security measures and the confidentiality obligations of this DPA.
11.4. Upon request, the Company will provide written confirmation of deletion.
12. Assistance with Compliance
The Company will provide reasonable assistance to the Customer in ensuring compliance with its obligations under Applicable Data Protection Laws, including:
(a) data protection impact assessments;
(b) prior consultations with supervisory authorities;
(c) responding to inquiries from supervisory authorities relating to the processing of Personal Data under this DPA.
13. Limitation of Liability
The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Laws to the extent such limitation is prohibited by law.
14. Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
15. Governing Law
This DPA is governed by the same governing law as the Agreement. For Customers located in the European Union, this DPA is governed by the laws of the Republic of Bulgaria, without prejudice to the mandatory provisions of Applicable Data Protection Laws.
16. Contact
For questions about this DPA or to exercise any rights under it, please contact:
Email: office@openkbs.com
© 2026 OpenKBS. All rights reserved.