Skip to main content

LEGAL

Data Processing Agreement

Last updated:

Scope

This Data Processing Agreement governs the processing of personal data by Kotao GmbH (“Processor”) on behalf of the Customer (“Controller”) in line with Art. 28 GDPR. It applies in addition to the Terms of Service and any order form or statement of work that describes the purchased Kotao services.

If this DPA conflicts with the Terms of Service, an order form, or another commercial document, this DPA prevails for the processing of personal data on behalf of the Controller. Mandatory Standard Contractual Clauses prevail over conflicting provisions as required by their own hierarchy clause.

Subject Matter and Duration

The subject matter of the processing is the operation of the Kotao platform on behalf of the Controller. The duration of the processing is tied to the duration of the underlying subscription agreement.

Nature, Purpose, and Categories

  • Nature and purpose: operating the Kotao platform and the modules selected by the Controller.
  • Categories of data subjects: the Controller’s end-customers, employees, and business contacts.
  • Categories of personal data: contact information, transaction data, scheduling data, and optional payment metadata.

Processing Instructions

The Processor processes personal data only on documented instructions from the Controller, including instructions concerning transfers of personal data to a third country or an international organisation, unless Union or Member State law requires processing without such instructions. If a legal requirement applies, the Processor will inform the Controller before processing unless that law prohibits notice on important public-interest grounds.

The Processor will promptly inform the Controller if an instruction, in the Processor’s opinion, violates GDPR or other Union or Member State data protection law.

Confidentiality

The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access is limited to personnel and service providers who need it to provide the Kotao services.

Sub-processors

The Controller grants the Processor general written authorisation to engage sub-processors for the Kotao services, subject to the notice and objection process below. The Processor’s named sub-processors, including Cloudflare, Neon, Kotao Payments processors, Resend, Amazon SES, PostHog, Sentry, and OpenAI, with purpose, processing region, transfer basis, and version history, are published at Sub-processors. The published list forms part of this DPA for Art. 28(2) and Art. 28(4) GDPR purposes.

The Processor will provide the Controller with at least 30 days’ prior notice of any intended change to the sub-processor list. The Controller may object to the change within that period. If no agreement can be reached, either party may terminate the affected services.

The Processor will impose the same data protection obligations on each sub-processor as those set out in this DPA, by contract or another binding legal act. If a sub-processor fails to fulfil its data protection obligations, the Processor remains responsible to the Controller for the performance of that sub-processor’s obligations.

Technical and Organisational Measures

The Processor maintains technical and organisational measures in line with Art. 32 GDPR, including encryption at rest and in transit, role-based access controls, audit logging, periodic vulnerability scans, and regular penetration testing. The Processor will assist the Controller, taking into account the nature of processing and the information available to the Processor, with the Controller’s obligations under Art. 32 GDPR.

Data Subject Requests

The Processor will assist the Controller in responding to data subject requests within five business days, including providing data exports and supporting deletion or rectification.

Taking into account the nature of processing and the information available to the Processor, the Processor will also provide reasonable assistance with personal data breach communications under Art. 34 GDPR, data protection impact assessments under Art. 35 GDPR, and prior consultation with supervisory authorities under Art. 36 GDPR.

International Transfers

Personal data is primarily processed in the EEA. Where a restricted transfer from the Controller to the Processor is required for the services, the parties rely on the European Commission Standard Contractual Clauses under Decision (EU) 2021/914, Module 2 (controller-to-processor), unless an adequacy decision or another valid transfer mechanism applies. For onward transfers to sub-processors, the Processor will use the appropriate SCC module, adequacy decision, Data Privacy Framework certification, or another valid transfer mechanism listed on the Sub-processors page.

Audits

The Processor will make available all information necessary to demonstrate compliance with this DPA and Art. 28 GDPR. The Controller may audit the Processor’s compliance once per calendar year on reasonable advance notice, and the Processor will contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits must be conducted during normal business hours, must not unreasonably disrupt the Processor’s operations, and must preserve the confidentiality, security, and availability of data belonging to other customers. Once available, the Processor’s SOC 2 Type II report may be provided as evidence for controls covered by the report, without limiting the Controller’s statutory audit rights.

Termination

Upon termination of the underlying agreement, the Processor will, at the Controller’s choice, return or delete all personal data processed on the Controller’s behalf within 30 days, except where retention is required by applicable law. The Processor will delete existing copies unless Union or Member State law requires storage.

Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting the Controller’s data, in line with Art. 33 GDPR.

Conflict Priority

This DPA prevails over conflicting commercial terms for all processing of personal data on behalf of the Controller. If mandatory data protection law or applicable Standard Contractual Clauses require a stricter obligation, that stricter obligation controls.