Data Processing Agreement
Last updated: February 25, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kindesk ("Processor", "we", "us") and the customer ("Controller", "you") and governs the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
This DPA applies automatically to all customers who use Kindesk to process personal data of their contacts, leads, and business relationships.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Kindesk CRM Service as described in the Terms of Service.
2.2 Categories of Data Subjects
- Contacts and leads of the Controller
- Employees and team members of the Controller's organization
- Business contacts and partners of the Controller
2.3 Types of Personal Data
- Contact information (name, email, phone number)
- Company and organizational data
- Communication data (email content synced by the Controller)
- Deal and transaction records
- Notes, tasks, and activity history
- Custom fields defined by the Controller
- Consent records maintained by the Controller
2.4 Duration
Processing continues for the duration of the service agreement. Upon termination, Personal Data will be available for export for 30 days, after which it will be securely deleted.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA, unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as described in Section 6
- Respect the conditions for engaging sub-processors as set out in Section 5
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests (right of access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in ensuring compliance with security obligations, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by law
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits and inspections
4. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis to process the Personal Data and to instruct the Processor accordingly
- Provide clear and documented processing instructions
- Comply with its obligations under the GDPR, including providing notice to Data Subjects and responding to Data Subject requests
- Ensure that the use of AI features (where enabled) is compatible with the purposes for which Personal Data was collected
5. Sub-processors
5.1 Authorization
The Controller provides general written authorization for the Processor to engage sub-processors. The current list of sub-processors is set out below.
5.2 Current Sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloud Hosting Provider | Infrastructure, compute, storage | European Union | EU data residency |
| PostHog | Product analytics | European Union | EU data residency |
| Resend | Transactional email delivery | United States | Standard Contractual Clauses |
| Paddle | Payment processing (Merchant of Record) | United Kingdom | UK GDPR adequacy |
| Google (Gemini API) | AI features (opt-in) | United States | SCCs, no data retention for training |
5.3 Changes to Sub-processors
The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds and no resolution can be found, the Controller may terminate the affected Service.
5.4 Liability
The Processor shall remain fully liable for the acts and omissions of its sub-processors as if they were its own.
6. Technical and Organizational Measures
The Processor implements the following measures to ensure the security of Personal Data (Art. 32 GDPR):
6.1 Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted storage of OAuth tokens and API secrets
6.2 Access Control
- Role-based access control (RBAC) with granular permissions
- Multi-tenancy with strict organization-level data isolation
- Two-factor authentication support
- API key authentication with scoped permissions
6.3 Monitoring and Audit
- Comprehensive audit logging of all data access and modifications
- Session tracking with IP and user agent recording
- Admin impersonation logging and controls
6.4 Data Lifecycle
- Soft-deletion patterns with configurable retention
- GDPR export and deletion request processing
- Automated session expiration and cleanup
6.5 Infrastructure
- EU-hosted servers and databases
- HTTP security headers (HSTS, CSP, X-Frame-Options)
- Regular dependency updates and security patches
7. Data Subject Requests
The Processor provides built-in tools for the Controller to handle Data Subject requests:
- Right of access and portability: GDPR data export functionality in Settings → Data Privacy
- Right to erasure: GDPR deletion functionality with full audit trail
- Right to rectification: full edit capabilities for all contact records
- Consent management: consent tracking with source, timestamp, and revocation support
If the Processor receives a Data Subject request directly, it will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless legally required to do so.
8. Data Breach Notification
In the event of a Data Breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to fulfill its obligation to notify the supervisory authority (within 72 hours per Art. 33 GDPR) and, where required, affected Data Subjects (Art. 34 GDPR)
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
- Document the breach, its effects, and the remedial actions taken
9. International Transfers
Personal Data is primarily stored within the European Union. Where processing by a sub-processor involves transfer outside the EEA, the Processor ensures adequate safeguards through EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by appropriate technical measures.
10. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and the obligations under Article 28 GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice, scope, and confidentiality obligations.
11. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Upon termination:
- The Controller may request export of all Personal Data within 30 days
- After the 30-day export period, the Processor shall securely delete all Personal Data, unless retention is required by applicable law
- The Processor shall provide written confirmation of deletion upon request
12. Governing Law
This DPA is governed by the same governing law as the Terms of Service, without prejudice to mandatory data protection law provisions.
13. Contact
For DPA-related inquiries, contact us at support@kindesk.app.