Data Processing Agreement

1. Definitions

• "Applicable Data Protection Laws" means all applicable EU and member state legislation (including GDPR), UK GDPR, Swiss data protection law, U.S. state privacy laws (including CCPA/CPRA), and any successor or replacement laws.
• "Customer Personal Data" means any Personal Data processed by Kent or its Sub-processors on behalf of and pursuant to documented instructions of the Customer.
• "GDPR" means Regulation (EU) 2016/679 (and, where applicable, UK GDPR).
• "Personal Data Breach" means a confirmed breach of Kent's security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
• "Sub-processor" means any third-party processor engaged by Kent to process Customer Personal Data on behalf of the Customer.
• "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Commission Decision 2021/914.
• "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner's Office.

2. Roles and Legal Bases

For EU/UK Personal Data: Customer is the controller; Kent is the processor. For U.S. Personal Data: Customer is the "business"; Kent is the "service provider/contractor" under applicable U.S. privacy laws.

• This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR.
• Kent processes Customer Personal Data solely on behalf of and under the documented instructions of Customer.
• Kent may process Service Data, Log Data, and de-identified data as an independent controller solely for analytics, security, billing, and product development.
• Kent does not engage in automated decision-making with legal or similarly significant effects on data subjects.

3. Subject Matter and Processing

3.1 Scope

Kent shall process Customer Personal Data only on Customer's documented instructions as described in Annex 1 and in accordance with Applicable Data Protection Laws.

3.2 Prohibited Uses

Kent shall NOT:

• Use Customer Personal Data for training, retraining, fine-tuning, or developing any AI or machine learning model
• Sell Customer Personal Data or share it for cross-contextual behavioral advertising
• Retain, use, or disclose Customer Personal Data for any purpose other than providing the Services
• Combine Customer Personal Data with personal data from other sources for any prohibited purpose

3.3 Instructions

Kent may refuse or propose alternatives to any instruction it reasonably believes would breach this DPA or Applicable Data Protection Laws, and will promptly inform Customer.

4. Customer Obligations

Customer represents and warrants that:

• It has maintained all necessary rights, consents, and authorizations for Customer Personal Data
• It has a lawful basis for processing and all required approvals from data subjects
• It is solely responsible for the accuracy, quality, and legality of Customer Personal Data
• It will comply with all Applicable Data Protection Laws
• It will not provide any protected health information (HIPAA), financial account numbers, government IDs, biometric data, or other specially sensitive categories without appropriate safeguards

5. Kent's Obligations

• Process Customer Personal Data only in accordance with Customer's documented instructions
• Implement and maintain appropriate technical and organizational security measures (Section 9)
• Ensure personnel with access are bound by confidentiality obligations
• Limit access to personnel who require it to perform the Services
• Assist Customer in responding to data subject requests (Section 7)
• Notify Customer without undue delay after confirming a Personal Data Breach (Section 8)
• Upon termination, return or delete Customer Personal Data (Section 11)

6. Sub-processors

6.1 Current Sub-processors

Customer authorizes Kent to engage the Sub-processors listed at mykent.app/legal/subprocessors. Kent will update this list when engaging new Sub-processors.

6.2 Notice and Objection

Kent will notify Customer at least twenty (20) business days before a new Sub-processor commences processing. Customer may object on reasonable grounds within the notice period by contacting info@mykent.app. If the parties cannot agree, Customer may terminate the affected Services and receive a refund of prepaid fees.

6.3 Flow-Down

Kent shall impose the same data protection obligations on each Sub-processor as are imposed on Kent under this DPA.

7. Data Subject Rights

Kent will promptly forward to Customer any request received from a data subject for whom Customer is responsible. Kent will provide reasonable assistance to Customer in fulfilling its obligations to respond to data subject requests under Applicable Data Protection Laws.

8. Personal Data Breach Notification

Kent will inform Customer without undue delay (and in no event later than 72 hours) after confirming a Personal Data Breach. The notification will include:

• Description of the breach
• Type of data affected
• Approximate number of data subjects affected
• Likely consequences
• Measures taken or proposed to address the breach

Kent's notification is not an acknowledgment of fault or liability. Kent may delay notification if required by a competent law enforcement agency.

9. Security

Kent implements technical and organizational security measures appropriate to the risk, including:

• AES-256-GCM encryption for cloud-synced data at rest
• TLS 1.2 or higher for all data in transit
• Role-based access controls and row-level security policies
• Regular security assessments and penetration testing
• Incident response procedures
• Employee security training and background checks for personnel with access to Customer Personal Data

10. International Data Transfers

10.1 Safeguards

Kent shall not transfer Customer Personal Data to a third country unless covered by adequate protection, EU SCCs, UK SCCs, other appropriate safeguards, or explicit Customer consent.

10.2 EU SCCs

For ex-EEA transfers, Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Kent is processing as a processor.

10.3 UK Addendum

For ex-UK transfers, the EU SCCs as amended by the UK Addendum apply.

10.4 Government Requests

Kent has not received any formal legal requests from government intelligence or security services for access to Customer Personal Data. If Kent receives such a request, it will attempt to redirect the agency to Customer and give reasonable notice, unless legally prohibited.

11. Return and Deletion

Upon termination, Kent will immediately discontinue all processing (other than secure storage). Within thirty (30) calendar days, Customer may instruct Kent to return or delete all Customer Personal Data. If no instruction is received within thirty (30) days, Kent may permanently delete or irreversibly anonymize the data. Service Data may be retained indefinitely in anonymized and aggregated form.

12. Use of AI and Machine Learning

Kent shall not use any Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any artificial intelligence or machine learning model. Customer Personal Data shall be processed solely for providing, maintaining, securing, and supporting the Services. Kent may process de-identified and aggregated Service Data only for statistical reporting, security analysis, or operational insights -- provided that such information cannot identify Customer, its end users, or any natural person.

13. U.S. Privacy Laws

To the extent Kent's processing is subject to U.S. Privacy Laws, Kent shall:

• Use, retain, and disclose Customer Personal Data only as necessary to perform the business purposes specified in the Agreement
• Comply with applicable obligations as a "service provider" or "contractor"
• Not sell or share Customer Personal Data
• Not combine Customer Personal Data with personal data from other sources for any prohibited purpose
• Notify Customer without undue delay if it determines it cannot meet its obligations under applicable U.S. Privacy Laws

14. Confidentiality

Each party agrees to hold all Confidential Information in confidence using at least the same degree of care as it uses to protect its own (but no less than reasonable care), for the duration of the Agreement and for five (5) years thereafter.

15. Liability

The parties' liability under this DPA is limited in accordance with the limitation of liability provisions of the Agreement. Neither party shall be liable for indirect, special, incidental, punitive, exemplary, or consequential damages. Customer shall indemnify Kent from claims arising from Customer's instructions, failure to secure lawful basis or consents, provision of prohibited sensitive data, or any breach of this DPA by Customer.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, as provided in the Agreement.

17. Contact and DPO

For all data processing inquiries, data subject requests, or DPA-related questions:

info@mykent.app | mykent.app

We will appoint a Data Protection Officer (DPO) prior to active processing of EU personal data.

Annex 1 -- Description of Processing

Data Exporter

Customer, as defined in the Agreement.

Data Importer

Kent, a Delaware company. Contact: info@mykent.app

Nature and Purpose of Processing

Kent processes Customer Personal Data to: provide the Service; ingest, organize, and retrieve data through the local Brain knowledge graph; integrate with Connected Services; execute agent tasks on Customer's behalf; and maintain, secure, and improve the Services.

Categories of Data Subjects

• Customer's employees, contractors, and authorized users
• Third parties whose data Customer processes through the Service
• End users of Connected Services Customer has authorized

Categories of Personal Data

• Account data: name, email, account preferences
• Content data: documents, emails, files, calendar events, contacts, and other data ingested into the Brain
• Usage data: feature usage, device information, session logs
• Agent task data: inputs and outputs of agent tasks Customer initiates

Sensitive Data

Customer shall not provide sensitive categories of personal data (including health data, financial account numbers, government identifiers, biometric data) without implementing appropriate additional safeguards.

Retention

Customer Personal Data is retained for the duration of the Agreement and deleted within thirty (30) days of termination per Section 11, unless applicable law requires longer retention.