Data Processing Agreement

Article 28 GDPR · Last updated: April 26, 2026

A signed PDF version is available on request from privacy@kaos.ad.

1. Roles of the Parties

Under this DPA, the Customer is the Data Controller and KAOS AI SECURITY, S.L. (NIF Provisional B24966996, C/ Concilio de Trento, 213, 4a Pta. 2, 08020 Barcelona, Spain) is the Data Processor acting on the Customer’s documented instructions. Where the contracting entity is KAOS S.L.U (Andorra), KAOS AI SECURITY, S.L. acts as a sub-processor of KAOS S.L.U for EEA personal data.

2. Subject Matter and Duration

Subject matter: processing of personal data necessary to provide the KAI Platform and the Services. Duration: for the term of the main agreement plus any post-termination wind-down period agreed in writing.

3. Nature and Purpose

We process personal data to deliver the Services described in the main agreement, including hosting, scanning, vulnerability identification, reporting, support, and billing.

4. Categories of Data and Data Subjects

Data subjects                            | Categories of personal data
Customer’s authorized users              | Name, business email, role, IP address, audit logs, MFA factors.
End users of Customer’s tested systems   | Identifiers incidentally present in the targets the Customer authorizes us to test (e.g., usernames, email addresses, log entries, application data).
Customer billing contacts                | Name, business email, billing address, VAT number.

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Section 7).
  • Assist the Controller in responding to data subject requests and in fulfilling Articles 32–36 GDPR.
  • Notify the Controller of personal data breaches without undue delay, and in any event within 72 hours of becoming aware.
  • At Controller’s choice, return or delete personal data at the end of the Services.

6. Sub-processors

The Controller provides general written authorization for KAOS to engage sub-processors. We will inform the Controller of any intended addition or replacement of a sub-processor and give the Controller an opportunity to object on reasonable grounds. The list below is illustrative of the sub-processors currently engaged:

Sub-processor        | Purpose                        | Location
Amazon Web Services  | Cloud hosting and storage      | EU (Frankfurt / Ireland)
Vercel               | Web frontend hosting and CDN   | Global edge, EU primary
Stripe               | Payment processing             | EU / US (SCCs)
Anthropic            | AI model inference (Claude)    | EU / US (SCCs)

The Controller may request the current authoritative list at any time at privacy@kaos.ad.

7. Technical and Organizational Measures (TOMs)

Encryption

  • Encryption in transit (TLS 1.2+) for all customer-facing endpoints.
  • Encryption at rest (AES-256) for application databases and object storage.
  • Field-level encryption for credentials and integration secrets.

Access control

  • Mandatory multi-factor authentication for all employee accounts.
  • Least-privilege role-based access; just-in-time elevation for production.
  • Single sign-on (SSO) supported for customer tenants on enterprise plans.

Logging and monitoring

  • Centralized, tamper-evident audit logs for tenant administrative events.
  • 24x7 alerting on anomalous access and authentication patterns.

Operational security

  • Annual third-party penetration testing of the platform.
  • Continuous internal red team and secure SDLC practices.
  • Documented incident response plan with on-call rotation.
  • Background checks on personnel handling production access.

8. International Transfers

Where personal data is transferred outside the EEA to a country without an adequacy decision, transfers are governed by the European Commission Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor for onward transfers to sub-processors, as applicable), with supplementary measures where required following a transfer impact assessment.

Transfers between the EEA and Andorra rely on the European Commission’s adequacy decision in respect of Andorra (2010).

9. Audit Rights

Once per year, at the Controller’s own expense, the Controller may audit our compliance with this DPA on at least 30 days’ written notice. Audits will be conducted during business hours, will respect the confidentiality of other customers, and may be satisfied by independent third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available.

10. Personal Data Breach Notification

We will notify the Controller without undue delay, and within 72 hours of becoming aware, of a personal data breach affecting Controller data, providing the information required by Article 33(3) GDPR to the extent then known and updating the Controller as more information becomes available.

11. Return or Deletion of Data

Upon termination or expiry of the Services, and at the Controller’s choice, we will return or delete all Controller personal data within 60 days, unless EU or Member State law requires retention. Backups containing personal data are encrypted and rotated out within 90 days.

12. Liability and Order of Precedence

Liability under this DPA is governed by the limitations in the main agreement between the parties. In case of conflict between this DPA and the main agreement with respect to data protection, this DPA prevails.

13. Contact

Privacy and DPA queries: privacy@kaos.ad.