Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Agreement between Kantoku Pte. Ltd. ("Kantoku") and the Customer.

This DPA applies where Kantoku processes Personal Data on behalf of the Customer as a Processor in connection with the Services.

This DPA should be read together with the Terms of Service, the Privacy Policy, and the Definitions document. Defined terms have the meaning given to them in the Definitions document unless expressly stated otherwise in this DPA.

2. Roles of the Parties

2.1 Customer as Controller. The Customer determines the purposes and means of processing Personal Data contained in Customer Data. The Customer acts as Controller for such Personal Data, unless otherwise required by Applicable Law.

2.2 Kantoku as Processor. Kantoku processes Personal Data contained in Customer Data on behalf of the Customer as Processor and only in accordance with this DPA, the Agreement, the Customer's configuration and use of the Services, and Applicable Law.

2.3 Customer Responsibility. The Customer is responsible for ensuring that:

1. it has the rights, notices, consents, authorizations, or other legal bases required to provide Personal Data to Kantoku;
2. its use of the Services complies with Applicable Law;
3. its configuration and use of the Services comply with Applicable Law; and
4. the Personal Data provided through the Services is accurate, relevant, and lawful for the purposes for which it is processed.

3. Scope of Processing

3.1 Subject Matter. The subject matter of processing is the processing of Personal Data contained in Customer Data in connection with the provision of the Services.

3.2 Duration. The duration of processing is the term of the Agreement, unless Personal Data is deleted earlier in accordance with the Agreement, this DPA, the Customer's configuration and use of the Services, or Applicable Law.

3.3 Nature and Purpose. Kantoku processes Personal Data for the purpose of providing, operating, maintaining, supporting, securing, and improving the Services, in each case only as permitted by the Agreement, this DPA, the Customer's configuration and use of the Services, or Applicable Law.

3.4 Categories of Personal Data. The categories of Personal Data processed depend on the Customer's use of the Services and may include:

1. Account and contact information;
2. business and organizational information;
3. User information;
4. information included in Customer Data;
5. support and communication information;
6. technical identifiers, logs, metadata, and Usage Data; and
7. any other Personal Data submitted, uploaded, or otherwise made available by or on behalf of the Customer through the Services.

3.5 Categories of Data Subjects. The categories of individuals whose Personal Data may be processed depend on the Customer's use of the Services and may include:

1. Customers;
2. Users and Authorized Users;
3. End-Users;
4. employees, contractors, representatives, or personnel of the Customer;
5. the Customer's clients, vendors, service providers, or business contacts; and
6. other individuals whose Personal Data is submitted, uploaded, or otherwise made available through the Services.

4. Processing Instructions

4.1 Scope of Instructions. Kantoku shall process Personal Data only as necessary to provide the Services and in accordance with the Agreement, this DPA, the Customer's configuration and use of the Services, and Applicable Law. These constitute the Customer's documented instructions for purposes of this DPA.

4.2 No Additional Instructions Unless Accepted. Kantoku is not required to comply with any instruction that is not reflected in the Agreement, this DPA, or the Customer's configuration and use of the Services, unless Kantoku expressly agrees to such instruction in writing.

4.3 Limit on Instructions. Kantoku is not required to comply with any instruction that, in Kantoku's reasonable opinion, would violate Applicable Law, create a material security or operational risk, or fall outside the scope of the Services or Agreement.

4.4 Notice of Unlawful Instructions. If Kantoku becomes aware that an instruction may violate Applicable Law, Kantoku will inform the Customer unless prohibited from doing so by Applicable Law.

5. Confidentiality

Kantoku shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

Kantoku shall limit access to Personal Data to personnel, contractors, Subprocessors, and service providers who need access for purposes related to the provision, operation, support, security, or maintenance of the Services.

6. Security Measures

6.1 Security Measures. Kantoku shall implement reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, use, disclosure, alteration, or loss, taking into account the nature of the Personal Data, the risks presented by the processing, and Applicable Law.

6.2 Customer Responsibilities. The Customer is responsible for securely configuring and using the Services, managing Accounts, maintaining the confidentiality of Credentials, assigning appropriate access permissions, and ensuring that its Users comply with the Agreement.

6.3 No Security Guarantee. While Kantoku takes reasonable steps designed to protect Personal Data, security risks cannot be eliminated entirely, and Kantoku does not guarantee that Personal Data will be free from all security risks.

7. Subprocessors

7.1 Authorization. The Customer authorizes Kantoku to engage Subprocessors to process Personal Data in connection with the provision of the Services.

7.2 Subprocessor Obligations. Kantoku shall ensure that each Subprocessor is subject to contractual or other legally binding obligations designed to protect Personal Data in a manner materially consistent with this DPA.

7.3 Subprocessor List. Kantoku maintains a Subprocessor List identifying Subprocessors engaged in connection with the Services.

7.4 Changes to Subprocessors. Kantoku may update the Subprocessor List from time to time. Where required by Applicable Law or the Agreement, Kantoku will provide notice of material changes to Subprocessors.

7.5 Subprocessor Objections. Where required by Applicable Law, the Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within a reasonable period after notice of the change. Kantoku will review the objection in good faith. If the objection cannot be resolved, the Customer's remedy is to stop using the affected Services or terminate the affected Subscription in accordance with the Agreement. The Customer is not entitled to prevent Kantoku from using the Subprocessor for other customers or for the continued operation of the Services generally.

8. Assistance to Customer

8.1 Data Subject Requests. Taking into account the nature of the Services, Kantoku shall provide reasonable assistance to the Customer, where required by Applicable Law, to enable the Customer to respond to requests from individuals exercising rights in relation to their Personal Data.

8.2 Customer Responsibility for Requests. Where Kantoku receives a request from an individual relating to Personal Data processed on behalf of a Customer, Kantoku may refer the request to the Customer or notify the Customer, unless prohibited by Applicable Law.

8.3 Compliance Assistance. Taking into account the nature of the processing and the information available to Kantoku, Kantoku shall provide reasonable assistance to the Customer where required by Applicable Law in relation to data protection impact assessments, consultations with public authorities, or other Customer compliance obligations relating to the Services.

8.4 Fees for Assistance. Kantoku may charge reasonable fees for assistance provided under this Section, based on the scope, complexity, and effort required, unless such assistance is required due to Kantoku's breach of this DPA.

9. Personal Data Breach

9.1 Notification. Kantoku shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed by Kantoku on behalf of the Customer.

9.2 Content of Notification. The notification will include information reasonably available to Kantoku, which may include:

1. a description of the nature of the Personal Data Breach;
2. the categories and approximate number of affected individuals, where known;
3. the categories and approximate volume of affected Personal Data, where known;
4. likely consequences, where known;
5. measures taken or proposed to address the Personal Data Breach; and
6. contact information for follow-up.

9.3 Cooperation. Kantoku shall provide reasonable cooperation to assist the Customer in meeting any notification or reporting obligations under Applicable Law.

9.4 No Admission. Notification of a Personal Data Breach does not constitute an admission of fault or liability by Kantoku.

10. International Transfers

Personal Data may be processed in countries other than the country where the Customer, User, or individual is located.

Where required by Applicable Law, Kantoku shall take reasonable steps to ensure that Personal Data transferred internationally receives a standard of protection comparable to that required under applicable data protection laws.

The Customer acknowledges that Kantoku may process Personal Data in locations where Kantoku, its Subprocessors, or service providers operate, subject to the Agreement, this DPA, and Applicable Law.

11. Deletion and Return

11.1 Deletion or Return. Upon termination or expiry of the Agreement, Kantoku shall delete or return Personal Data contained in Customer Data in accordance with the Agreement, this DPA, the Customer's configuration and use of the Services, and Applicable Law.

11.2 Retention Exceptions. Kantoku may retain Personal Data to the extent required by Applicable Law or as reasonably necessary for backup, archival, audit, security, legal, or compliance purposes, provided that such retained Personal Data remains subject to appropriate protections.

11.3 Backup and Archival Copies. Personal Data retained in backup or archival systems may not be immediately deleted, but will be deleted or overwritten in accordance with Kantoku's standard backup and retention processes.

12. Audit and Information Rights

12.1 Information. Upon reasonable written request, Kantoku shall provide information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the Services and the information available to Kantoku.

12.2 Audit Approach. The parties agree that audits and information requests should be conducted in a manner that avoids unnecessary disruption to Kantoku's business and systems and does not compromise the security, confidentiality, or availability of the Services or information relating to other customers.

12.3 Security and Compliance Documentation. Where available, Kantoku may satisfy audit or information requests by providing relevant security documentation, self-assessments, control summaries, CAIQ responses, third-party reports, certifications, or responses to reasonable questionnaires.

12.4 No Direct System or On-Site Access. Kantoku is not required to provide physical site access, direct system access, source code access, access to other customers' information, or access that would compromise the security, confidentiality, or availability of the Services. Any audit or review shall be conducted remotely and through documentation, questionnaires, summaries, or other information reasonably made available by Kantoku.

12.5 Fees. Kantoku may charge reasonable fees for audit support unless the audit is required due to Kantoku's breach of this DPA.

13. Limitation of Liability

The limitations and exclusions of liability set out in the Agreement apply to this DPA, except to the extent prohibited by Applicable Law.

14. Term and Termination

This DPA remains in effect for as long as Kantoku processes Personal Data on behalf of the Customer under the Agreement.

Termination or expiry of this DPA does not affect obligations that by their nature should survive, including confidentiality, security, deletion, return, audit, and liability provisions.

15. Order of Precedence

If there is a conflict between this DPA and the Terms of Service, this DPA controls for matters relating to Kantoku's processing of Personal Data as Processor on behalf of the Customer.

If there is a conflict between this DPA and the Privacy Policy, this DPA controls for matters relating to Kantoku's processing of Personal Data as Processor on behalf of the Customer.

16. Contact

Questions regarding this DPA may be directed to:

Kantoku Pte. Ltd.
Email: privacy@kantoku.io