BY ACCEPTING THIS DATA PROCESSING ADDENDUM, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, EXECUTING AN ORDER FORM, STATEMENT OF WORK, OR OTHER DOCUMENT THAT REFERENCES THIS DATA PROCESSING ADDENDUM, BY USING (OR MAKING ANY PAYMENT FOR) THE KINTER PLATFORM AND/OR ANY OTHER KINTER-OFFERED SERVICES, OR BY OTHERWISE AFFIRMATIVELY INDICATING YOUR ACCEPTANCE OF THIS DATA PROCESSING ADDENDUM, YOU: (i) AGREE TO THIS DATA PROCESSING ADDENDUM ON BEHALF OF THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT; AND (ii) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND THE CUSTOMER TO THIS DATA PROCESSING ADDENDUM. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DATA PROCESSING ADDENDUM, YOU MUST NOT ACCEPT THIS DATA PROCESSING ADDENDUM AND MAY NOT USE THE KINTER PLATFORM OR ANY OTHER KINTER-OFFERED SERVICES, OR RECEIVE PROFESSIONAL SERVICES FROM KINTER INC.
In the course of providing the Services, Kinter Processes Personal Data on behalf of Customer. The parties enter into this DPA to address the requirements of Data Protection Laws applicable to that Processing. If there is any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls. Nothing in this DPA varies or modifies the Standard Contractual Clauses incorporated by reference.
Unless otherwise defined, the following terms have the meanings below. Other capitalized terms have the meanings given in the Agreement or in the applicable Data Protection Laws.
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations.
"Customer Personal Data" means Personal Data Processed by Kinter on behalf of Customer in connection with the Services, as further described in Annex 1, and excludes any data submitted to the Services in violation of the Agreement, this DPA, or applicable law.
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, UK GDPR, Swiss FADP, CCPA, and any successor or equivalent laws.
"Data Subject", "Personal Data", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR (and equivalent terms under other Data Protection Laws are interpreted accordingly).
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
"Personal Data Breach" means a confirmed breach of security leading to the actual unauthorized destruction, loss, alteration, disclosure of, or access to Customer Personal Data Processed by Kinter, where such breach is reasonably likely to result in a risk to the rights and freedoms of Data Subjects. Suspected, alleged, or potential incidents do not constitute a Personal Data Breach unless and until confirmed by Kinter through its incident response process.
"Restricted Transfer" means a transfer of Customer Personal Data from a jurisdiction whose Data Protection Laws restrict cross-border data transfers (including the EEA, the UK, and Switzerland) to a country not recognized as providing adequate protection.
"Services" means the Kinter products and services provided to Customer under the Agreement, including Kinter's autonomous accounting agents and supporting infrastructure.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
"Sub-processor" means any third party engaged by Kinter or its Affiliates to Process Customer Personal Data in connection with providing the Services.
"Swiss FADP" or "FADP" means the Swiss Federal Act on Data Protection of 25 September 2020, as amended, and its implementing ordinances.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
With respect to the Processing of Customer Personal Data: (a) Customer is the Controller, or where Customer itself acts as a Processor on behalf of a third-party Controller, Customer is a Processor; and (b) Kinter is a Processor (or sub-processor, as applicable). Each party will comply with its respective obligations under Data Protection Laws.
This DPA applies to Kinter's Processing of Customer Personal Data in connection with the Services. The subject matter, duration, nature and purpose of the Processing, the categories of Data Subjects, and the types of Personal Data are described in Annex 1.
Each party will comply with the Data Protection Laws applicable to it. Customer represents, warrants, and covenants on a continuing basis that: (a) it has provided all required notices and obtained all necessary rights, consents, authorizations, and lawful bases to provide Customer Personal Data to Kinter for the Processing contemplated by the Agreement and this DPA, including for transfer to and Processing by Kinter, its Affiliates, and Sub-processors; (b) its instructions to Kinter (including by configuration of the Services) comply with all Data Protection Laws applicable to Customer; (c) it has the right to grant, and grants to Kinter, all rights necessary to perform the Services; and (d) the Customer Personal Data and Customer's Processing instructions do not violate the rights of any third party. Customer is solely responsible for the accuracy, quality, legality, and lawful basis of Customer Personal Data and the means by which it acquired such data.
To the fullest extent permitted by applicable law, Customer will defend, indemnify, and hold harmless Kinter, its Affiliates, and their respective officers, directors, employees, and agents from and against any third-party claim, action, demand, or proceeding, and any associated damages, fines, penalties, settlement amounts, costs, and reasonable attorneys' fees, arising out of or relating to: (a) Customer's breach of Section 2.3; (b) Customer's Processing instructions or configuration of the Services; (c) any allegation that Customer Personal Data, or Kinter's Processing of it pursuant to Customer's instructions, violates the rights of any third party or any Data Protection Law; or (d) Customer's submission to the Services of categories of Personal Data outside the scope contemplated by Annex 1, including special categories of Personal Data as defined in Article 9 GDPR.
Kinter will Process Customer Personal Data only on documented instructions from Customer, except where required by applicable law (in which case Kinter will, unless prohibited by law, inform Customer of that legal requirement before Processing). The Agreement, this DPA, Customer's use and configuration of the Services, and Customer's submission of data through the Services constitute Customer's complete documented instructions for purposes of Data Protection Laws. Any additional or different instructions are outside the scope of this DPA and the Agreement, require Kinter's prior written agreement, and are subject to additional fees at Kinter's then-current rates.
If Kinter believes an instruction may infringe Data Protection Laws, is ambiguous, or is outside the scope of the Services, Kinter may, in its discretion, decline to act on the instruction and suspend the affected Processing pending resolution, without liability to Customer.
Kinter will ensure that personnel authorized to Process Customer Personal Data are subject to written confidentiality obligations or are under appropriate statutory obligations of confidentiality. Kinter limits access to Customer Personal Data to personnel who need access to perform their duties under the Agreement, in accordance with the principle of least privilege.
Kinter has implemented and will maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, such data. These measures are described in Annex 2 and are aligned with Kinter's SOC 2 Type II controls. Kinter may modify, replace, or update these measures from time to time, including in response to evolving threats, regulatory developments, or operational requirements, provided that such changes do not materially diminish the overall level of protection. Annex 2 represents Kinter's current measures and is not a contractual minimum specification.
Kinter maintains a current SOC 2 Type II report covering Security and Availability Trust Services Criteria. Kinter will make its most recent SOC 2 Type II report available to Customer on reasonable request, no more than once per year, subject to a customary nondisclosure agreement.
Customer is solely responsible for its use of the Services, including securing its account credentials, configuring access controls, role-based permissions, and integrations within the Services, monitoring its own use, and using the security features made available by Kinter. Kinter is not responsible, and will have no liability under this DPA, the Agreement, or otherwise, for any incident, loss, or unauthorized access resulting from (a) Customer's misconfiguration of the Services, (b) compromise of Customer's credentials or end-user devices, (c) Customer's failure to enable available security features, or (d) third-party systems Customer connects to or integrates with the Services.
Customer provides general authorization for Kinter to engage Sub-processors to Process Customer Personal Data in connection with the Services, including Kinter Affiliates and the third parties listed in Annex 3. Kinter will (a) enter into a written agreement with each Sub-processor imposing data protection obligations sufficient to satisfy applicable Data Protection Laws to the extent applicable to the nature of the Sub-processor's services, and (b) remain liable for the acts and omissions of its Sub-processors to the extent required by applicable Data Protection Laws.
Kinter will publish its current list of Sub-processors at a publicly accessible URL (or such successor URL as Kinter may designate) and will provide Customer with a mechanism to subscribe to updates. At least ten (10) days before authorizing a new Sub-processor to Process Customer Personal Data, Kinter will update the list. Customers who have subscribed to updates will be notified through the subscription mechanism. Kinter has no obligation to provide individual notice to Customers who have not subscribed.
Customer may object in writing to a new Sub-processor solely on documented and reasonable grounds based on a specific risk to compliance with Data Protection Laws, and only within ten (10) days of Kinter's update to the published list. The parties will discuss the objection in good faith. If the parties cannot reach a commercially reasonable resolution within thirty (30) days, Customer's sole and exclusive remedy is to terminate the specific portion of the Services that cannot be provided without the objected-to Sub-processor (if any), effective at the end of the then-current term, and receive a pro rata refund of prepaid fees attributable solely to that terminated portion. Customer may not object to, and may not terminate the Services on the basis of, (i) any cloud infrastructure provider, (ii) any large language model or other AI inference provider, or (iii) any Kinter Affiliate, each of which Customer acknowledges is essential to the Services.
Customer acknowledges that the Services use large language model and other artificial intelligence providers (including those listed in Annex 3) to operate Kinter's autonomous accounting agents. Kinter contracts with these providers under terms that prohibit (a) the use of Customer Personal Data to train the providers' models, and (b) retention of Customer Personal Data beyond what is necessary to return inference responses, except as required by applicable law. Where a provider does not offer such terms, Kinter will not use it as a Sub-processor for Customer Personal Data.
The Services include functionality that allows Customer to access, correct, delete, and export Customer Personal Data, which Customer acknowledges is sufficient to enable Customer to fulfill its obligations to respond to Data Subject requests under Data Protection Laws. Taking into account the nature of the Processing and the information available to Kinter, Kinter will provide reasonable assistance to Customer with respect to Data Subject requests primarily through this self-service functionality.
If Customer requests assistance from Kinter beyond the self-service functionality, Kinter may provide such assistance subject to (i) Kinter's then-current professional services rates, (ii) Customer's prior written acceptance of those rates, and (iii) Kinter's reasonable availability.
If Kinter receives a Data Subject request relating to Customer Personal Data directly, Kinter will (a) not respond to the request other than to direct the Data Subject to Customer, unless required by law or expressly instructed by Customer in writing, and (b) notify Customer of the request without undue delay.
Kinter will notify Customer without undue delay after Kinter's incident response team confirms a Personal Data Breach affecting Customer Personal Data. Kinter will use commercially reasonable efforts to provide such notification within seventy-two (72) hours after confirmation. Notification will be made to the administrative or security contact on file for Customer's account and will include, to the extent then known and consistent with Kinter's ongoing investigation, a description of the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Kinter will provide reasonable assistance to support Customer's investigation and notification obligations under Data Protection Laws, primarily through the information made available under Section 8.1 and Kinter's incident reporting. Assistance beyond the information so provided is subject to Kinter's then-current professional services rates. Kinter's notification of, response to, or assistance regarding a Personal Data Breach is provided without prejudice and is not, and will not be construed as, an acknowledgment by Kinter of fault, liability, or any breach of the Agreement, this DPA, or applicable law.
The following events are not Personal Data Breaches and are not subject to this Section 8: (a) unsuccessful attempts at unauthorized access, including pings, port scans, broadcast attacks on firewalls or edge servers, unsuccessful log-in attempts, and denial-of-service attacks that do not result in unauthorized access to Customer Personal Data; (b) incidents affecting only data that was encrypted at the time of the incident with keys not compromised by the incident, where Kinter reasonably determines the data is not accessible to unauthorized parties; (c) incidents originating from Customer's account credentials, end-user devices, configuration, or connected third-party systems; and (d) incidents reasonably determined by Kinter to be unlikely to result in a risk to the rights and freedoms of Data Subjects.
Taking into account the nature of the Processing and the information available to Kinter, Kinter will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws, primarily by making available the information described in this DPA, Annex 2, and Kinter's SOC 2 Type II report. Assistance beyond the provision of this existing documentation is subject to Kinter's then-current professional services rates.
Kinter Processes Customer Personal Data primarily in the United States. EEA, UK, and Swiss hosting may be available to Customer subject to technical feasibility, configuration at onboarding, and any applicable additional fees specified in the Order Form or Kinter's then-current pricing. Kinter may rely on the SCCs and other transfer mechanisms set out below for transfers from restricted jurisdictions to the United States.
To the extent that Customer's provision of Customer Personal Data to Kinter, or Kinter's onward transfer to a Sub-processor, constitutes a Restricted Transfer subject to the GDPR, the parties agree that the SCCs are incorporated into this DPA by reference and will apply as follows: (a) Module Two (Controller to Processor) applies where Customer is a Controller; (b) Module Three (Processor to Processor) applies where Customer is a Processor acting on behalf of a third-party Controller. The optional docking clause in Clause 7 is included. Clause 9(a) Option 2 (general written authorization) applies, with the time period set in Section 6.2 of this DPA. The optional language in Clause 11(a) is excluded. Clause 17 Option 1 applies, with the law of Ireland as the governing law. Clause 18(b) specifies the courts of Ireland. Annexes I, II, and III to the SCCs are populated by Annexes 1, 2, and 3 of this DPA respectively.
To the extent that Customer Personal Data is subject to the UK GDPR and is the subject of a Restricted Transfer, the parties agree that the UK Addendum is incorporated into this DPA by reference and applies to the transfer, with the SCCs as the underlying clauses and the information in Tables 1 to 3 populated by reference to this DPA and its Annexes. Table 4 selects "Importer" as the party that may end the Addendum when the Approved Addendum changes.
To the extent that Customer Personal Data is subject to the Swiss FADP and is the subject of a Restricted Transfer, the SCCs apply with the following modifications: (a) references to the GDPR are interpreted as references to the FADP where applicable; (b) the term "member state" is interpreted to permit Data Subjects in Switzerland to exercise their rights in their place of habitual residence; (c) the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner with respect to data transfers exclusively governed by the FADP.
If Kinter adopts an alternative transfer mechanism recognized under Data Protection Laws (including binding corporate rules, the EU-US Data Privacy Framework or any successor framework, or other approved mechanisms), that mechanism will apply in lieu of the SCCs to the extent permitted by law, without further action by Customer.
Kinter will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR. This includes the SOC 2 Type II report, the documentation of technical and organizational measures in Annex 2, and reasonable responses to a single security questionnaire of reasonable scope no more than once per twelve (12) months. Customer acknowledges and agrees that the information made available under this Section 11.1 is the primary means of demonstrating Kinter's compliance and is sufficient for that purpose absent specific facts indicating otherwise.
On-site audits are available only where (i) the documentation made available under Section 11.1 is materially insufficient to demonstrate compliance with a specific requirement of Data Protection Laws and Customer has identified the deficiency in writing, or (ii) following a confirmed Personal Data Breach materially affecting Customer's Personal Data. Such audits will: (a) be conducted no more than once per twenty-four (24) months, except as required by Data Protection Laws or following a Personal Data Breach materially affecting Customer; (b) be conducted by an independent third-party auditor mutually agreed by the parties, bound by confidentiality obligations no less stringent than those in the Agreement, and not a competitor of Kinter; (c) be scheduled on at least sixty (60) days' prior written notice; (d) take place during regular business hours and in a manner that does not unreasonably interfere with Kinter's operations; (e) be limited in scope to information directly relevant to the specific deficiency or Personal Data Breach identified; (f) exclude access to data of other Kinter customers, source code, security architecture documentation that would compromise Kinter's security posture, and information subject to confidentiality obligations to other parties; (g) be at Customer's sole expense; and (h) be subject to Customer's prior written agreement to the audit plan and scope. Customer will provide Kinter with a copy of the audit report, and the report and all information learned in the audit are Kinter's Confidential Information under the Agreement.
Kinter will reasonably cooperate with audits or inspections required by a Supervisory Authority with jurisdiction over the Processing, subject to applicable confidentiality obligations and at Customer's expense to the extent the audit or inspection is initiated at Customer's request or on the basis of Customer's specific Processing.
Customer is solely responsible for retrieving Customer Personal Data prior to or during the fifteen (15) day period following termination or expiration of the Agreement using the export functionality made available by the Services. Customer may also use the export functionality at any time during the term. Following the fifteen (15) day post-termination export window, Kinter will delete Customer Personal Data from its production systems within sixty (60) days, except that (a) Kinter may retain Customer Personal Data to the extent required by applicable law, in which case Kinter will continue to protect it under this DPA, (b) Kinter's backup, archival, and disaster-recovery systems may retain Customer Personal Data until it is automatically purged in the ordinary course of Kinter's retention schedule, and (c) Kinter may retain de-identified, aggregated, or statistical data derived from Customer Personal Data that cannot reasonably be used to identify any Data Subject.
Assistance with data export, retrieval, or deletion beyond the standard self-service functionality is subject to Kinter's then-current professional services rates and prior written agreement.
Each party's liability arising out of or related to this DPA, the SCCs, the UK Addendum, and any Processing of Personal Data, whether in contract, tort, statute, or under any other theory of liability, is subject to and counts against the limitations and exclusions of liability set forth in the Agreement. Any reference in such limitations to a party's liability means the aggregate liability of that party and its Affiliates under the Agreement, this DPA, the SCCs, and the UK Addendum together. Customer's claims arising under the SCCs and the UK Addendum count against the same aggregate cap and are not additive.
To the maximum extent permitted by applicable law, neither party will be liable to the other for any indirect, incidental, consequential, special, exemplary, or punitive damages, including lost profits, lost revenue, lost business opportunity, lost or corrupted data, regulatory fines or penalties imposed on the other party, or business interruption, arising out of or relating to this DPA, regardless of the legal theory and regardless of whether the party has been advised of the possibility of such damages.
For the avoidance of doubt, this Section 13 does not limit either party's liability to a Data Subject under the third-party-beneficiary provisions of the SCCs to the extent such limitation is prohibited by applicable law.
Any claim or action arising out of or relating to this DPA must be brought within twelve (12) months after the date the claim or action accrued, or such claim or action shall be permanently barred, except where a longer period is required by applicable Data Protection Laws.
This Section 14 applies to Customer Personal Data that is subject to the CCPA. Kinter is a "service provider" as defined in the CCPA, and Customer Personal Data is provided to Kinter for the limited and specified purposes set forth in the Agreement and this DPA. Kinter (a) will not Sell or Share (as those terms are defined in the CCPA) Customer Personal Data; (b) will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, including for any commercial purpose other than providing the Services; (c) will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Kinter and Customer; and (d) will not combine Customer Personal Data with personal information received from other sources, except as permitted by the CCPA. Kinter certifies that it understands and will comply with the restrictions in this Section 14. Kinter will notify Customer if it determines it can no longer meet its obligations under the CCPA, and Customer may take reasonable and appropriate steps to stop and remediate unauthorized use, provided that any such steps will be agreed by the parties in good faith and will not include termination of the Agreement except as expressly provided in the Agreement.
This DPA takes effect on the effective date of the Agreement and continues until the later of (a) termination or expiration of the Agreement and (b) Kinter's deletion of Customer Personal Data in accordance with Section 12. Sections that by their nature should survive (including Sections 2.4, 12, 13, 14, and any provision of the SCCs that survives) will survive termination.
In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls. In the event of any conflict between this DPA and the SCCs (or the UK Addendum) with respect to a Restricted Transfer, the SCCs (or the UK Addendum, as applicable) control. Kinter may update this DPA from time to time to reflect changes in Data Protection Laws, Sub-processors, or Kinter's operations, and updates will be effective upon posting to Kinter's website or notice to Customer, except that material reductions in Customer's substantive rights require Customer's written consent (which will not be unreasonably withheld).
If any provision of this DPA is held unlawful, void, or unenforceable by a court of competent jurisdiction or by a Supervisory Authority, including as a result of a change in or interpretation of Data Protection Laws, that provision shall be severed from this DPA to the minimum extent necessary and the remaining provisions shall remain in full force and effect. The parties agree to replace any invalid or unenforceable provision with a valid and enforceable provision that most closely approximates the original intent and economic effect of the invalid provision.
This DPA may be executed in counterparts, including by electronic signature, each of which will be deemed an original. The Agreement is otherwise unchanged and remains in full force and effect.
Data Exporter: Customer (as identified in the Agreement or Terms of Service). Role: Controller, or Processor on behalf of a third-party Controller.
Data Importer: Kinter, Inc, a Delaware corporation. Role: Processor.
For Restricted Transfers governed by the GDPR: the Irish Data Protection Commission (consistent with Section 10.2 of the DPA). For Restricted Transfers governed by the UK GDPR: the UK Information Commissioner. For Restricted Transfers governed by the Swiss FADP: the Swiss Federal Data Protection and Information Commissioner.
Kinter implements and maintains the technical and organizational measures described below. These measures are aligned with Kinter's SOC 2 Type II controls and are subject to ongoing review and improvement. Kinter may modify these measures provided the modifications do not materially diminish the overall level of protection. The descriptions below are summary in nature and are not intended to operate as a contractual minimum specification.
1. Information Security Program. Kinter maintains a written information security program with documented policies and procedures, owned by Kinter's security function. The program is reviewed at least annually. Kinter holds a current SOC 2 Type II report covering the Security and Availability Trust Services Criteria.
2. Access Controls and Identity Management. Access to systems Processing Customer Personal Data is granted on a least-privilege, need-to-know basis. Production access requires multi-factor authentication and is logged. Personnel access is reviewed periodically and revoked promptly upon role change or termination. Customer-facing authentication supports SSO and MFA.
3. Encryption. Customer Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent industry-standard encryption. Encryption keys are managed via AWS KMS with documented key rotation and access controls.
4. Network and Infrastructure Security. The Services are hosted on Amazon Web Services. Network controls include segmentation, security groups, web application firewalling, intrusion detection, and DDoS protections. Customer environments are logically segregated. Production environments are isolated from development and corporate environments.
5. Application Security and Change Management. Kinter performs secure development practices including code review, dependency scanning, application security testing, and pre-release security review for material changes. Production changes follow a documented change management process with peer review, automated testing, and audit logging.
6. Vulnerability Management and Penetration Testing. Kinter performs ongoing vulnerability scanning and remediates identified issues based on severity and exploitability. An independent third party conducts a penetration test of the Services at least annually. A summary of the most recent penetration test is available under NDA.
7. Logging and Monitoring. Kinter logs security-relevant events from production systems, applications, and infrastructure. Logs are centralized, integrity-protected, and retained consistent with Kinter's retention policies. Security monitoring is in place to alert on anomalous activity.
8. Incident Response. Kinter maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is tested at least annually. Customer notification of confirmed Personal Data Breaches is governed by Section 8 of the DPA.
9. Business Continuity and Disaster Recovery. Kinter maintains business continuity and disaster recovery plans, including documented recovery time and recovery point objectives. Backups are encrypted and tested periodically. The plans are reviewed and tested at least annually.
10. Personnel Security. Personnel undergo background checks where permitted by law. All personnel are subject to written confidentiality obligations. Security awareness training is required at hire and at least annually thereafter, with role-specific training for personnel handling Customer Personal Data.
11. Vendor and Sub-processor Management. Kinter performs security and privacy due diligence on Sub-processors and other vendors with access to Customer Personal Data, and maintains contractual data protection commitments consistent with this DPA.
12. Data Segregation and Tenancy. Customer Personal Data is logically segregated using customer-scoped identifiers and access controls enforced at the application and database layers.
13. Data Deletion and Media Sanitization. Customer Personal Data is deleted in accordance with Section 12 of the DPA. Cloud storage media is sanitized via cryptographic erasure and the controls implemented by the underlying cloud provider, consistent with industry standards (NIST SP 800-88 or equivalent).
The current list of Sub-processors is published at kinter.ai/legal/subprocessors. The list below is illustrative as of the effective date of this DPA and is to be reconciled with the current published list, which controls.
The location identified is the primary Processing location. Sub-processors may Process Customer Personal Data in additional locations to the extent set out in their own data processing agreements with Kinter, subject to the cross-border transfer commitments in Section 10 of the DPA.