Data Processing Agreement
Last updated: January 13, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kynthar ("Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") and governs the processing of personal data by Kynthar on behalf of the Customer.
GDPR Compliance: This DPA is designed to comply with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
For the purposes of this DPA:
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this DPA, the Controller is the Customer.
- "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. In the context of this DPA, the Processor is Kynthar.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to GDPR Article 51.
2. Subject Matter and Duration
2.1 Subject Matter
This DPA governs the processing of personal data by Kynthar when providing the document intelligence platform and related services ("Services") to the Customer as described in the Terms of Service.
2.2 Duration
This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller, and shall automatically terminate upon the termination or expiration of the Terms of Service, subject to the data deletion provisions set forth herein.
3. Nature and Purpose of Processing
3.1 Nature of Processing
The Processor will process personal data on behalf of the Controller for the following purposes:
- Document Extraction: Automated extraction of data from uploaded documents, including invoices, purchase orders, receipts, and other business documents
- Invoice and PO Processing: Parsing, validation, and structuring of invoice and purchase order data for reconciliation and accounting purposes
- Data Structuring: Converting unstructured document content into structured, machine-readable formats
- Integration Services: Facilitating data transfer to Controller's accounting systems and third-party integrations
- Storage and Retrieval: Secure storage of processed documents and extracted data for Controller access
3.2 Purpose Limitation
The Processor shall only process personal data for the purposes specified above and in accordance with the Controller's documented instructions. The Processor shall not process personal data for any other purpose unless required by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
4. Types of Personal Data Processed
The following categories of personal data may be processed in the course of providing the Services:
| Category | Examples |
|---|---|
| Contact Information | Names, email addresses, phone numbers, physical addresses of individuals appearing on invoices and business documents |
| Business Identifiers | Company names, tax identification numbers, VAT numbers, business registration numbers |
| Financial Information | Invoice amounts, payment terms, bank account details (when appearing on documents), transaction references |
| Employment Information | Employee names and titles appearing on documents, signatures |
| Technical Identifiers | User account information, IP addresses, document metadata |
Special Categories of Data: The Controller should not upload documents containing special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.) unless strictly necessary and appropriate safeguards are in place. The Controller is responsible for ensuring lawful grounds for processing any such data.
5. Categories of Data Subjects
The personal data processed may relate to the following categories of Data Subjects:
- Controller's employees and contractors
- Controller's customers and clients
- Controller's vendors and suppliers
- Controller's business partners
- Individuals whose information appears on processed documents
6. Processor Obligations
The Processor shall:
6.1 Processing Instructions
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection provisions
6.2 Confidentiality
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Limit access to personal data to personnel who require such access to perform the Services
6.3 Security Measures
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
- Regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing
6.4 Sub-processing
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller
- Where general written authorization is given, inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller an opportunity to object
- Impose the same data protection obligations as set out in this DPA on any Sub-processor by way of contract
6.5 Assistance to Controller
- Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights
- Assist the Controller in ensuring compliance with obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of processing and information available to the Processor
6.6 Data Deletion and Return
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the personal data
6.7 Audit Rights
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
- Allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
7. Sub-processors
7.1 Authorized Sub-processors
The Controller hereby provides general authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, computing services, database hosting | United States (with EU regions available) |
| xAI | AI/ML processing for document extraction and data structuring | United States |
| OpenAI | AI/ML processing for document understanding and content analysis | United States |
| Stripe | Payment processing and billing services | United States (with EU presence) |
7.2 Sub-processor Changes
The Processor shall notify the Controller of any intended changes to Sub-processors at least 30 days in advance by email or through the Service dashboard. The Controller may object to such changes on reasonable grounds related to data protection. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the affected Services.
7.3 Sub-processor Obligations
The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
8. International Data Transfers
8.1 Transfer Mechanisms
Where personal data is transferred to countries outside the European Economic Area (EEA) that have not been deemed to provide an adequate level of data protection by the European Commission, the Processor shall ensure that such transfers are made in compliance with GDPR requirements, including through:
- Standard Contractual Clauses (SCCs): The Processor has entered into the European Commission's Standard Contractual Clauses with relevant Sub-processors for transfers of personal data to third countries
- Supplementary Measures: Where required, the Processor implements supplementary technical and organizational measures to ensure the effective protection of transferred data
- Transfer Impact Assessments: The Processor conducts transfer impact assessments to evaluate the laws and practices of third countries and implements additional safeguards where necessary
8.2 Controller's Authorization
By entering into this DPA, the Controller authorizes the Processor to transfer personal data to Sub-processors located outside the EEA, provided that appropriate safeguards as described above are in place.
8.3 UK and Swiss Transfers
For transfers from the United Kingdom, the Processor relies on the UK International Data Transfer Agreement or UK Addendum to the EU SCCs. For transfers from Switzerland, the Processor relies on the Swiss-approved SCCs or other appropriate safeguards.
9. Security Measures
The Processor implements the following technical and organizational security measures:
9.1 Technical Measures
- Encryption: All personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access controls with principle of least privilege
- Authentication: Secure password-based authentication with session management
- Network Security: Firewalls, intrusion detection systems, and network segmentation
- Logging and Monitoring: Comprehensive audit logging of access to personal data
- Vulnerability Management: Regular security scanning and penetration testing
- Backup and Recovery: Regular encrypted backups with tested recovery procedures
9.2 Organizational Measures
- Security Policies: Documented information security policies and procedures
- Employee Training: Regular data protection and security awareness training
- Background Checks: Background verification for personnel with access to personal data
- Incident Response: Documented incident response procedures
- Vendor Management: Security assessments of Sub-processors
- Business Continuity: Business continuity and disaster recovery plans
9.3 Security Certifications
The Processor's infrastructure provider (AWS) maintains industry-standard security certifications and attestations, including SOC 2 Type II, ISO 27001, and PCI DSS compliance. These attestations cover the underlying infrastructure; they do not by themselves certify the Processor's own application or operational controls.
10. Data Breach Notification
10.1 Notification to Controller
The Processor shall notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
10.2 Cooperation
The Processor shall cooperate with the Controller and provide reasonable assistance in investigating the breach and fulfilling the Controller's data breach notification obligations under applicable law.
11. Audit Rights
11.1 Controller Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Such audits may be conducted:
- Upon reasonable notice (minimum 30 days, except in case of suspected breach)
- During regular business hours
- No more than once per year (unless a breach has occurred or is suspected)
- At the Controller's expense, unless the audit reveals material non-compliance
11.2 Third-Party Audits
The Processor may satisfy audit requirements by providing:
- Third-party audit reports (e.g., SOC 2 Type II)
- Security certifications and attestations
- Responses to standardized security questionnaires
11.3 Confidentiality
The Controller and any third-party auditors must maintain the confidentiality of any information obtained during an audit and sign appropriate non-disclosure agreements.
12. Data Subject Rights
12.1 Controller Responsibility
The Controller is responsible for responding to requests from Data Subjects exercising their rights under GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.
12.2 Processor Assistance
The Processor shall assist the Controller in responding to Data Subject requests by:
- Promptly forwarding any Data Subject requests received directly to the Controller
- Providing technical capabilities for the Controller to access, export, or delete personal data
- Implementing Data Subject requests within 5 business days of receiving Controller instructions
- Not responding directly to Data Subjects unless authorized by the Controller or required by law
12.3 Costs
The Processor shall provide reasonable assistance at no additional charge for standard requests. For requests requiring significant effort beyond normal Service functionality, the Processor may charge reasonable fees based on actual costs incurred.
13. Data Protection Impact Assessments
Where required under GDPR Article 35, the Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and, where necessary, prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.
14. Term and Termination
14.1 Term
This DPA shall commence on the effective date of the Terms of Service and shall continue until the termination or expiration of the Terms of Service.
14.2 Data Return and Deletion
Upon termination of the Services:
- The Controller may request return of personal data in a commonly used, machine-readable format within 30 days of termination
- Unless legally required otherwise, the Processor shall delete all personal data within 90 days of termination
- Upon request, the Processor shall provide written certification of data deletion
- The Processor may retain anonymized or aggregated data that does not identify individual Data Subjects
14.3 Survival
Provisions of this DPA that by their nature should survive termination (including confidentiality, audit rights, and limitation of liability) shall survive the termination of this DPA.
15. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service. For the avoidance of doubt:
- The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller
- Where both parties are responsible for damage caused by processing, each party shall be liable for the entire damage to ensure effective compensation of the Data Subject, but shall be entitled to claim back from the other party that part of the compensation corresponding to their part of the responsibility
16. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service. For Data Subjects in the European Union, nothing in this DPA shall limit their rights under GDPR or their right to bring claims before their local supervisory authority or courts.
17. Amendments
This DPA may be amended by the Processor to reflect changes in applicable data protection laws or guidance from supervisory authorities. The Processor shall provide at least 30 days' notice of material amendments. Continued use of the Services after amendments take effect constitutes acceptance of the amended DPA.
18. Contact Information
Data Protection Inquiries
For questions about this DPA or data protection matters:
Email: legal@kynthar.com
We will respond to inquiries within 5 business days.
19. Acknowledgment
By using the Services, the Controller acknowledges that they have read, understood, and agree to this Data Processing Agreement. This DPA, together with the Terms of Service and Privacy Policy, constitutes the complete agreement between the parties regarding data processing.