DPA template · v0.1 · do not sign without legal counsel
Data Processing Agreement
This is a published template, not a signed contract. Customers may use it as a starting point for procurement review. A signed DPA creates real obligations on Kiff Agents OÜ enforceable by EU supervisory authorities and must be reviewed by counsel before signature. Procurement contact: legal@grouhub.co.
1. Parties
This DPA is entered into between:
- Kiff Agents OÜ, an Estonian private limited company, registry code 17372313, VAT EE102924327, registered at Tööstuse tn 75-71, Põhja-Tallinna linnaosa, Tallinn 10416, Estonia (the "Processor"); and
- [CUSTOMER LEGAL NAME], registered at [ADDRESS], registry code [REGISTRY CODE] (the "Controller").
Each a "party" and together the "parties". This DPA supplements the Terms of Service at /terms and any commercial order form between the parties; in case of conflict on data-protection matters, this DPA prevails.
2. Definitions
Capitalised terms not defined here have the meanings in the GDPR (Regulation (EU) 2016/679).
- "GDPR" — the EU General Data Protection Regulation.
- "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", "Personal Data Breach" — as defined in GDPR Article 4.
- "Audit Data" — Personal Data the Controller submits to or generates within the Service via the runtime, including events, decisions, actions, approvals, and receipts.
- "Service" — the KIFF Cloud product as defined in the Terms of Service.
- "Standard Contractual Clauses" or "SCCs" — the European Commission's 2021 standard contractual clauses for the transfer of Personal Data to third countries.
- "DPF" — the EU–US Data Privacy Framework adequacy decision.
- "TOMs" — the technical and organisational measures described in Annex 2.
3. Scope and roles
This DPA applies where Kiff Agents OÜ Processes Personal Data on the Controller's behalf in connection with the Service. With respect to Audit Data, the Controller is the Controller and Kiff Agents OÜ is the Processor.
Personal Data we process about the Controller's account holders (sign-in metadata, billing contacts, support correspondence) is governed by our privacy policy; for that data we are an independent Controller, not a Processor under this DPA.
4. Subject matter and duration
Subject matter: Processing of Audit Data to deliver the Service.
Duration: from the effective date of this DPA until the later of (a) termination of the underlying Terms of Service, or (b) deletion of all Audit Data per §17. Provisions that by their nature survive termination (audit, indemnification, governing law) survive.
5. Nature and purpose of processing
Kiff Agents OÜ Processes Audit Data only as necessary to provide the Service: receiving proposals, evaluating them against the Controller's domain configuration, holding for human approval where the configuration so requires, executing cleared actions, persisting events and decisions, emitting signed Receipts, and (where the Controller has so configured) publishing tamper-evident summary hashes to a public verifiable trail.
6. Categories of Data Subjects and Personal Data
The categories of Data Subjects and Personal Data Processed under this DPA are determined by the Controller's domain configuration and the data the Controller submits. Kiff Agents OÜ does not control which fields the Controller sends.
Annex 1 records the Controller's declaration of those categories and is updated when the configuration materially changes.
7. Controller's instructions
Kiff Agents OÜ Processes Personal Data only on the Controller's documented instructions. The Controller's documented instructions are: this DPA, the Terms of Service, the Service documentation at /security and /whitepaper, and the Controller's domain configuration in the Service.
Additional or different instructions require written agreement. Kiff Agents OÜ will inform the Controller if, in our opinion, an instruction infringes the GDPR or other applicable data-protection law.
8. Processor obligations (Article 28(3))
Kiff Agents OÜ will:
- Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law (in which case Kiff Agents OÜ will inform the Controller of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest);
- ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations;
- implement the technical and organisational measures described in Annex 2;
- respect the conditions on engaging Sub-processors set out in §11;
- taking into account the nature of the Processing, assist the Controller by appropriate measures to fulfil obligations to respond to Data Subject requests under Chapter III of the GDPR;
- assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of Processing and the information available to Kiff Agents OÜ;
- at the Controller's choice, delete or return all Personal Data on termination of services per §17, and delete existing copies unless EU or member-state law requires storage;
- make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits under §16.
9. Confidentiality
Kiff Agents OÜ ensures that personnel with access to Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access is granted on a least-privilege basis and is logged.
11. Sub-processors
The Controller authorises Kiff Agents OÜ to engage the Sub-processors listed in Annex 3 (and at /security#subprocessors, which is the live source of truth). Kiff Agents OÜ imposes data-protection obligations on each Sub-processor that are no less protective than this DPA.
Where Kiff Agents OÜ intends to engage a new Sub-processor or replace an existing one for Processing of the Controller's Personal Data, Kiff Agents OÜ notifies the Controller at least thirty days in advance. The Controller may object to the change on reasonable data-protection grounds within fifteen days of the notice; if a reasonable objection cannot be resolved, either party may terminate the affected portion of the Service on written notice.
12. International transfers
Where Processing of Personal Data involves a transfer to a country outside the European Economic Area without an adequacy decision under Article 45 GDPR, the parties agree that:
- for transfers to Sub-processors certified under the EU–US Data Privacy Framework, the DPF is the transfer mechanism while it remains in force;
- otherwise, the parties incorporate by reference the European Commission's 2021 Standard Contractual Clauses, with Module 2 (controller-to-processor) applicable to transfers from the Controller to Kiff Agents OÜ and Module 3 (processor-to-sub-processor) applicable to transfers from Kiff Agents OÜ to a Sub-processor;
- the docking clause (Clause 7) is not used; the parties to the SCCs are the Controller and Kiff Agents OÜ;
- Annex I.A and I.B of the SCCs are filled in by reference to Annex 1 of this DPA; Annex II of the SCCs by reference to Annex 2 of this DPA; Annex III by reference to Annex 3 of this DPA;
- option 2 of Clause 9(a) (general written authorisation) applies, with the thirty-day notice period in §11 above.
Where supplementary measures are appropriate following a transfer impact assessment, Kiff Agents OÜ implements them (encryption in transit and at rest, access logging, data minimisation as documented in Annex 2).
13. Security measures
Kiff Agents OÜ implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk under Article 32 GDPR. The specific measures are described in Annex 2 of this DPA and at /security; the latter is updated more frequently than this template and is the authoritative source for the current state of TOMs.
14. Personal Data Breach notification
Kiff Agents OÜ notifies the Controller of a Personal Data Breach affecting the Controller's Personal Data without undue delay and in any event within seventy-two (72) hours after becoming aware of it. The notice includes, to the extent known at the time and updated as further information becomes available:
- the nature of the Breach, including categories and approximate numbers of Data Subjects and records concerned;
- the likely consequences of the Breach;
- the measures taken or proposed to address the Breach and to mitigate its possible adverse effects;
- the name and contact details of a single point of contact at Kiff Agents OÜ for further information.
The Controller's own Article 33 GDPR clock to its supervisory authority starts from the Controller's own awareness of the Breach; this notice supports that obligation.
15. Data Subject requests
Kiff Agents OÜ assists the Controller, by appropriate technical and organisational measures and taking into account the nature of the Processing, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Articles 15 to 22 GDPR.
Kiff Agents OÜ acknowledges the Controller's requests for assistance within five (5) business days. Direct requests received from Data Subjects are forwarded to the Controller without undue delay; Kiff Agents OÜ does not respond to those requests on its own behalf except to confirm receipt and direct the Data Subject to the Controller.
16. Audit rights
Kiff Agents OÜ makes available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR. On reasonable prior written notice (at least thirty days, except for an audit triggered by a confirmed material breach), the Controller may audit Kiff Agents OÜ once per twelve-month period.
In lieu of an on-site audit, Kiff Agents OÜ may satisfy its obligation by providing a current third-party assessor's report (for example, a SOC 2 Type II report or an ISO 27001 certificate) where one exists. As of v0.1, no such report exists; the audit right is exercised on-site or via a documentation review.
Audits are conducted during normal business hours, do not unreasonably interfere with the Service, and respect the confidentiality of Kiff Agents OÜ's other customers. The Controller bears its own audit costs; where an audit reveals material non-compliance by Kiff Agents OÜ, Kiff Agents OÜ reimburses the Controller's reasonable audit costs.
17. Return or deletion of Personal Data
At the Controller's choice and within thirty days of termination of the Service for the Controller, Kiff Agents OÜ either returns the Audit Data in a structured, commonly used, and machine-readable format, or deletes it. In the absence of a choice within that window, Kiff Agents OÜ deletes the Audit Data.
Hashes already published to the public verifiable trail remain because the trail is immutable. When per-tenant cryptographic salting (per /security#public-trail) ships, destruction of the per-tenant salt makes those published hashes permanently unlinkable to the records that produced them.
Backups are deleted on the next backup cycle following deletion of the primary record. Kiff Agents OÜ may retain Personal Data where storage is required by EU or member-state law (for example, Estonian Accounting Act §12).
18. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where applicable law prohibits such limitation. Each party is liable for damage caused by its own infringement of the GDPR per Article 82 GDPR.
19. Term and termination
This DPA takes effect on signature by both parties and continues for the duration described in §4. Termination of the Terms of Service automatically terminates this DPA, subject to surviving obligations.
20. Governing law
This DPA is governed by the laws of the Republic of Estonia, without prejudice to mandatory provisions of the GDPR or to consumer-protection rules where applicable. Disputes arising under this DPA are subject to the venue and choice-of-law rules in §18 of the Terms of Service.
Annex 1 — Description of Processing
Filled in per signed instance.
- A. List of parties
  - Controller and Processor as identified in §1.
- B. Description of transfer
  - Categories of Data Subjects: [as declared by the Controller — typically the Controller's customers, employees, or other parties whose data flows through the Controller's domain configuration].
  - Categories of Personal Data: [as determined by the Controller's domain configuration — typically tenant identifiers, actor identifiers, entity identifiers, action parameters, and reason strings as set out at /security#data-we-process].
  - Sensitive data: [Controller declaration; default: none].
  - Frequency of transfer: continuous (each request to the Service).
  - Nature of Processing: as described in §5.
  - Purposes of Processing: as described in §5.
  - Period for retention: per /privacy#retention and §17.
- C. Competent supervisory authority
  - The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
Annex 2 — Technical and Organisational Measures
A summary appropriate for an Article 28 DPA. The live and more detailed posture is at /security; that page is authoritative and updated within 30 days of material change.
| Article 32 dimension | Measures |
|---|---|
| Pseudonymisation and encryption | TLS 1.2+ in transit. Encryption at rest via the managed-database provider's defaults. Per-tenant signing keys held in a managed key service. Email-at-rest hashing planned. |
| Confidentiality | Tenant isolation at the database layer (per-tenant Postgres schema with pinned search_path). Least-privilege access, single sign-on for personnel, NDAs for all staff. |
| Integrity | Append-only audit chain at the framework level. Tamper-evident summary hashes published to a public verifiable trail. |
| Availability and resilience | Managed compute and database in us-east-1. Health checks. Operator notes at /security#incident. |
| Restoration of access | Documented incident-response runbook, internal-only. |
| Testing of effectiveness | Unit and integration tests in CI; periodic security review; planned third-party assessment as roadmap items at /security#roadmap. |
Annex 3 — Sub-processors
The current list is at /security#subprocessors; that list is authoritative and updated within 30 days of any change. As of this template version:
| Sub-processor | Service provided | Region | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL / Amazon Web Services Inc. | Compute, managed Postgres, key management, networking, secrets storage | us-east-1 (United States) | EU–US Data Privacy Framework / SCCs as fallback |
| Clerk, Inc. | User authentication, session management | United States | EU–US Data Privacy Framework / SCCs as fallback |
| Coinbase Technologies, Inc. (Base L2) | Public verifiable trail for audit summary hashes | Public network | Hashes only; no Personal Data leaves the cloud's database |
Document version: v0.1 template.
Status: reference text; not a signed contract; pending external legal review before any signature.
Source of truth: this page is rendered from apps/web/internal/pages/dpa.templ. History is in git.