
Data Processing Agreement

Last updated:

Scope

This Data Processing Agreement governs the processing of personal data by Kotao GmbH (“Processor”) on behalf of the Customer (“Controller”) in line with Art. 28 GDPR. It applies in addition to the Terms of Service.

Subject Matter and Duration

The subject matter of the processing is the operation of the Kotao platform on behalf of the Controller. The duration of the processing is tied to the duration of the underlying subscription agreement.

Nature, Purpose, and Categories

  • Nature and purpose: operating the Kotao platform and the modules selected by the Controller.
  • Categories of data subjects: the Controller’s end-customers, employees, and business contacts.
  • Categories of personal data: contact information, transaction data, scheduling data, and optional payment metadata.

Sub-processors

The Processor uses the following sub-processors:

  • Infrastructure and storage providers — global data-centre services with data-residency controls.
  • Edge security and delivery providers — global points of presence, governed by Standard Contractual Clauses where required.
  • Certified payment processors — payment processing, EEA.

The Processor will provide the Controller with at least 30 days’ prior notice of any intended change to the sub-processor list. The Controller may object to the change within that period. If no agreement can be reached, either party may terminate the affected services.

Technical and Organisational Measures

The Processor maintains technical and organisational measures in line with Art. 32 GDPR, including encryption at rest and in transit, role-based access controls, audit logging, periodic vulnerability scans, and regular penetration testing.

Data Subject Requests

The Processor will assist the Controller in responding to data subject requests within five business days, including providing data exports and supporting deletion or rectification.

International Transfers

Personal data is processed in the EEA. Where transfers outside the EEA are unavoidable, they are governed by Standard Contractual Clauses (Module 3 controller-to-processor and Module 4 processor-to-controller as applicable).

Audits

The Controller may audit the Processor’s compliance once per calendar year on reasonable advance notice. Once available, the Processor’s SOC 2 Type II report may be provided as an alternative to an on-site audit.

Termination

Upon termination of the underlying agreement, the Processor will return or delete all personal data processed on the Controller’s behalf within 30 days, except where retention is required by applicable law.

Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting the Controller’s data, in line with Art. 33 GDPR.
