Data Processing Addendum

1. Definitions

For the purposes of this Data Processing Addendum ("DPA"):

• "Controller" means the entity that determines the purposes and means of processing Personal Data
• "Processor" means the entity that processes Personal Data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "GDPR" means the General Data Protection Regulation (EU) 2016/679

2. Scope and Roles

This DPA applies when KAAYOS LLC processes Personal Data on behalf of the Customer in connection with the Services. In such cases:

• Customer acts as the Controller
• KAAYOS LLC acts as the Processor
• KAAYOS LLC will process Personal Data only on documented instructions from the Customer

3. Processing Instructions

KAAYOS LLC shall process Personal Data only in accordance with the Customer's documented instructions, unless required to do so by applicable law. The Customer instructs KAAYOS LLC to process Personal Data to provide the Services as described in the Service Agreement.

4. Security Measures

KAAYOS LLC implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Regular backups and disaster recovery procedures
• Employee training on data protection
• Incident response and breach notification procedures

5. Sub-Processors

The Customer authorizes KAAYOS LLC to engage sub-processors to process Personal Data. Current sub-processors include:

• Cloud hosting providers (AWS, Azure, Google Cloud)
• Email service providers
• Analytics and monitoring services
• Payment processors

KAAYOS LLC will notify the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes.

6. Data Subject Rights

KAAYOS LLC shall assist the Customer in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

7. Data Breach Notification

KAAYOS LLC shall notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting the Customer's data. The notification will include available information about the nature of the breach, affected data categories, approximate number of affected Data Subjects, and measures taken to address the breach.

8. Data Protection Impact Assessment

KAAYOS LLC shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, where required under applicable data protection laws.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area. KAAYOS LLC ensures that appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the European Commission.

10. Audit Rights

KAAYOS LLC shall make available to the Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Customer or an auditor mandated by the Customer. Such audits shall be conducted upon reasonable notice and no more than once per year, unless required by a supervisory authority.

11. Data Retention and Deletion

Upon termination of the Services, KAAYOS LLC shall, at the Customer's choice, delete or return all Personal Data to the Customer and delete existing copies, unless retention is required by applicable law. Deletion will be completed within 30 days of termination.

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Service Agreement. The Customer shall indemnify KAAYOS LLC against claims arising from the Customer's instructions that violate applicable data protection laws.

13. Term and Termination

This DPA shall remain in effect for the duration of the Service Agreement and shall automatically terminate upon termination of the Service Agreement.

14. Contact Information

For questions about this DPA or data processing practices, contact our Data Protection Officer: