Data Processing Agreement (DPA)
Effective Date: Upon digital acceptance by the Customer.
This Data Processing Agreement ("DPA") is an addendum to the KaiDrys Terms of Service and forms a binding contract between KaiDrys Organization ("Data Processor") and the Business User / Organization ("Data Controller", "Customer").
DIGITAL ACCEPTANCE (CLICKWRAP AGREEMENT)
By checking the box stating "I have read and agree to the Data Processing Agreement" during the creation of an Organization account or upon upgrading to a Business plan, the Customer formally accepts and executes this DPA under the EU eIDAS Regulation.
1. SCOPE AND DEFINITIONS
This DPA applies exclusively to the processing of personal data provided by the Customer (which may include data of their clients, employees, or patients) to the KaiDrys Platform. The terms "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" shall have the meanings given in the GDPR (Regulation (EU) 2016/679).
2. OBLIGATIONS OF KAIDRYS (THE PROCESSOR)
KaiDrys agrees to:
- 2.1. Process the Personal Data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law.
- 2.2. Ensure that persons authorized to process the Personal Data have committed themselves to strict confidentiality.
- 2.3. Implement appropriate technical and organizational measures (Article 32 GDPR) to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest.
- 2.4. Assist the Customer, insofar as possible, to fulfill the Customer's obligation to respond to requests for exercising Data Subject rights (e.g., right to access, right to be forgotten).
- 2.5. Notify the Customer without undue delay (and no later than 48 hours) after becoming aware of a Personal Data Breach.
3. SUB-PROCESSORS
The Customer grants KaiDrys general authorization to engage sub-processors (specifically: Supabase for database hosting, Vercel for app hosting, Stripe for billing). KaiDrys shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.
4. INTERNATIONAL TRANSFERS
KaiDrys primarily hosts data within the European Union (EU) or European Economic Area (EEA). Should data be transferred outside the EEA, KaiDrys guarantees that such transfers are governed by the EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.
5. DELETION OR RETURN OF DATA
Upon termination of the Service or deletion of the Customer's Organization account, KaiDrys shall, at the choice of the Customer, delete or return all Personal Data, and delete existing copies unless EU or Member State law requires storage of the personal data.
6. AI TRAINING RESTRICTION ON B2B DATA
Notwithstanding Section 3.3 of the Terms of Service, KaiDrys explicitly commits that any Personal Data identified as highly sensitive (e.g., health data) and uploaded under a valid DPA by a verified healthcare/enterprise entity will be excluded from the global AI training dataset unless explicitly permitted by the Customer via a separate opt-in consent.
For questions regarding this DPA, contact: kaidrys.helpdesk@gmail.com