
Data Processing Addendum

Standard Data Processing Addendum (DPA) for enterprise engagements. This template establishes the data processing terms between K0nsult (Processor) and the Client (Controller) in compliance with GDPR requirements.

Template version 1.0 — Last updated: March 2026 — Governing law: Poland

Template Notice: This is a standard DPA template provided for review and reference purposes. Final DPA terms are negotiated and customized per engagement. This document does not constitute a binding agreement until signed by both parties as part of a Service Order.

Article 1

1. Definitions

For the purposes of this Data Processing Addendum, the following terms shall have the meanings set out below:

"Controller" means the Client, as the entity that determines the purposes and means of the processing of Personal Data.

"Processor" means K0nsult CNC (CODE NO CODE), as the entity that processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

"Service Order" means the agreement between the parties defining the specific services, scope, and commercial terms of the engagement.

Article 2

2. Scope of Processing

2.1 Subject Matter. This DPA governs the processing of Personal Data by the Processor in connection with the provision of AI agent management, governance consulting, and related services as specified in the applicable Service Order.

2.2 Categories of Data Subjects. The following categories of Data Subjects may be affected: employees, contractors, customers, and business contacts of the Controller, as determined by the Service Order.

2.3 Types of Personal Data. Processing may include: contact information (name, email, phone), organizational data (job title, department), engagement data (meeting notes, project correspondence), and platform usage data (login timestamps, feature usage).

2.4 Purpose of Processing. Personal Data shall be processed solely for the purpose of delivering the services specified in the Service Order, including AI agent configuration, governance framework deployment, reporting, and communication related to the engagement.

2.5 Duration. Processing shall continue for the duration of the Service Order plus any retention period specified in Section 8, unless terminated earlier by either party in accordance with the Service Order terms.

Article 3

3. Obligations of Processor

The Processor shall:

3.1 Process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6.

3.4 Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to Section 4.

3.5 Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

3.6 At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage, as detailed in Section 8.

3.7 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, as detailed in Section 9.

3.8 Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

Article 4

4. Sub-processors

4.1 Current Sub-processors. The Controller authorizes the use of the following sub-processors as of the date of this DPA:

Fly.io, Inc.

Service: Application hosting and managed PostgreSQL database

Data location: Frankfurt, Germany (EU)

Compliance: SOC 2 Type II

4.2 Notification of Changes. The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. Notification shall be provided at least 30 days before the change takes effect.

4.3 Right to Object. If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.

4.4 Sub-processor Obligations. Where the Processor engages a sub-processor, the Processor shall impose on the sub-processor the same data protection obligations as set out in this DPA by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

4.5 Liability. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

Article 5

5. Data Subject Rights

5.1 The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection).

5.2 If a Data Subject contacts the Processor directly with a request, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless instructed by the Controller.

5.3 The Processor shall implement technical and organizational measures to enable the Controller to comply with Data Subject requests, including the ability to search, extract, modify, and delete Personal Data upon Controller instruction.

5.4 The Processor shall respond to Controller instructions regarding Data Subject requests within 5 business days, or sooner if required by applicable law.

Article 6

6. Security Measures

6.1 The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall ensure a level of security appropriate to the risk.

6.2 Security measures include, but are not limited to:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls with least-privilege principle
  • Multi-tier rate limiting on all API endpoints
  • Input validation and parameterized database queries
  • Security headers (CSP, HSTS, X-Frame-Options) via Helmet.js
  • Regular vulnerability scanning and dependency auditing
  • Incident detection, monitoring, and automated alerting
  • Non-root container execution on minimal base images

6.3 A detailed description of security measures is available in the K0nsult Security Whitepaper, which is incorporated by reference into this DPA.

6.4 The Processor shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.

Article 7

7. Data Breach Notification

7.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach, in accordance with Article 33 of the GDPR.

7.2 The notification shall include:

  • Description of the nature of the Data Breach, including categories and approximate number of Data Subjects and records concerned
  • Name and contact details of the Processor's point of contact
  • Description of the likely consequences of the Data Breach
  • Description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

7.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.

7.4 The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make this documentation available to the Controller upon request.

Article 8

8. Data Return and Deletion

8.1 Upon termination or expiry of the Service Order, the Processor shall, at the Controller's election:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV); or
  • Delete all Personal Data and certify such deletion in writing

8.2 The Controller shall communicate its election within 30 days of termination. If no instruction is received, the Processor shall delete all Personal Data within 60 days of termination.

8.3 The Processor may retain Personal Data to the extent required by applicable Union or Member State law, provided that the Processor ensures the confidentiality of such Personal Data and processes it only for the purpose required by law.

8.4 Deletion shall include all copies, backups, and replicas, except where retention is required by law as stated in Section 8.3.

Article 9

9. Audit Rights

9.1 The Controller, or an independent auditor appointed by the Controller, may conduct audits to verify the Processor's compliance with this DPA. Audits shall be conducted with at least 30 days' prior written notice.

9.2 Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations.

9.3 The Processor shall cooperate with the audit and provide reasonable access to relevant facilities, systems, and documentation.

9.4 The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear the costs.

9.5 The Processor may satisfy audit obligations by providing the Controller with relevant third-party audit reports (e.g., SOC 2 reports from sub-processors), certifications, or summaries of security assessments, subject to reasonable confidentiality protections.

9.6 Audit frequency shall not exceed one audit per 12-month period, unless a Data Breach has occurred or the Controller has reasonable grounds to suspect non-compliance.

Article 10

10. Liability and Indemnification

10.1 Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR.

10.2 The Processor shall indemnify the Controller against all claims, liabilities, costs, and expenses arising from the Processor's breach of this DPA or the GDPR, provided that the Controller has not caused or contributed to the breach.

10.3 The aggregate liability of the Processor under this DPA shall be subject to the limitation of liability provisions in the applicable Service Order, except where such limitation is prohibited by applicable law.

10.4 Neither party excludes or limits its liability for fraud, gross negligence, or any liability that cannot be excluded or limited under applicable law.

Article 11

11. Governing Law

11.1 This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict of laws provisions.

11.2 Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Warsaw, Poland.

11.3 Where the GDPR applies, the provisions of the GDPR shall take precedence over any conflicting provisions of this DPA.

Signatures

This Data Processing Addendum is entered into and becomes binding upon execution by both parties.

Controller (Client)

Signature
Printed Name
Title
Date

Processor (K0nsult CNC)

Signature
Printed Name
Title
Date

Template Notice: This is a standard DPA template. Final DPA terms are negotiated per engagement. Contact legal@k0nsult.dev or book a consultation to discuss your specific requirements.
