Data Processing Addendum
Standard contractual terms for enterprise procurement and GDPR Article 28.
Last updated: May 14, 2026
Why this document matters
This DPA is a legally binding contract that puts our data-processing commitments in writing. It's what your security and procurement teams will ask for. If we fail to protect Customer Personal Data as promised, you have legal recourse.
1. Parties
This Data Processing Addendum (“DPA”) supplements and forms part of the agreement (the “Agreement”) between:
- “Customer” — the organization that subscribes to the Service.
- “Kontaim” — Kontaim Inc., the provider of the Service.
Where Customer processes personal data using the Service and that personal data is subject to data protection law (including GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and equivalents), this DPA governs the respective rights and obligations of the parties.
2. Definitions
- “Customer Personal Data” means personal data that Customer or its Authorized Users submit to or generate within the Service, including data captured from Participants in live sessions.
- “Data Protection Law” means all laws governing the processing of personal data that apply to a party.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” have the meanings set out in the GDPR (and analogous meanings under other applicable laws).
- “Subprocessor” means any third-party Processor engaged by Kontaim to process Customer Personal Data.
3. Roles & Scope
Customer is the Controller of Customer Personal Data. Kontaim is the Processor and will process Customer Personal Data only for the purposes set out in this DPA and the Agreement, and only on Customer's documented instructions. The categories of data and Data Subjects are described in Section 4 below.
4. Subject Matter & Nature of Processing
Purpose: providing the Service — building, hosting, and analyzing interactive experiences and the live sessions Customer runs with them.
Categories of Personal Data:
- Authorized User account data (name, email, role, hashed password or SSO identifier).
- Participant data: chosen display name, a device-derived browser fingerprint (optional; used only to let a Participant rejoin an in-progress session), and event data generated during sessions (responses, scores, completion).
- Customer Content metadata (titles, descriptions, configuration).
Categories of Data Subjects: Customer's employees and other Authorized Users; Participants who join Customer's live sessions.
Duration of processing: the duration of the Agreement, plus retention periods described in Section 9.
5. Kontaim's Obligations
- Process Customer Personal Data only on Customer's documented instructions and as needed to provide the Service.
- Ensure personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Section 7.
- Assist Customer in responding to Data Subject requests and in fulfilling Customer's obligations under Articles 32–36 of the GDPR (and equivalents).
- Make available to Customer information necessary to demonstrate compliance with this DPA.
6. Customer's Obligations
- Comply with Data Protection Law as Controller of Customer Personal Data.
- Establish a lawful basis for any processing performed via the Service, including obtaining required notices and consents from Data Subjects.
- Configure the Service appropriately for Customer's use case (retention windows, access controls, integrations).
- Use Kontaim's features for managing Data Subject requests where available, before requesting Kontaim's direct assistance.
7. Security Measures
Kontaim maintains, at a minimum:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for Customer Personal Data.
- Role-based access control with least-privilege defaults; SSO with SAML/OIDC available on enterprise plans.
- Row-level authorization on all database tables containing Customer Personal Data.
- Centralized audit logging for administrative and access events.
- Continuous vulnerability scanning and dependency monitoring; periodic penetration testing.
- Backup encryption and a rolling 35-day retention with secure deletion.
- A documented incident-response process (see Section 8).
Our full security posture, including SOC 2 readiness status, is described on the Security & Compliance page.
8. Personal Data Breach Notification
Kontaim will notify Customer without undue delay, and in any case within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include all information required for Customer to meet its own notification obligations under Data Protection Law, to the extent then known.
9. Data Retention & Deletion
- Customer Personal Data is retained while the Customer's subscription is active.
- On termination, Customer may export its data for thirty (30) days, after which Kontaim will delete Customer Personal Data from primary systems within thirty (30) days, except where retention is required by law.
- Backups containing Customer Personal Data are purged on a rolling 35-day cycle, so data deleted from primary systems is removed from all backups within thirty-five (35) days of that deletion.
- Customer may at any time issue deletion requests for specific records via the Service or via support@kontaim.com; such requests are processed within seventy-two (72) hours.
10. Subprocessors
Customer authorizes Kontaim to engage Subprocessors to process Customer Personal Data, subject to the protections in this DPA. Kontaim remains responsible for its Subprocessors' performance. The current Subprocessor list is published below and will be updated from time to time; material additions will be notified to Customer at least thirty (30) days in advance, and Customer may object on reasonable grounds.
Current subprocessors
| Subprocessor | Purpose | Location | Receives Customer Personal Data? |
|---|---|---|---|
| Supabase | Database & auth | Canada (Montreal) | Yes (encrypted) |
| Stripe | Billing & payments | USA (PCI DSS Level 1 certified) | Billing contact only |
| Vercel | Application hosting | Global CDN | No (stateless) |
| PostHog | Product analytics (privacy-hardened) | EU / US (configurable) | Pseudonymous IDs only |
| Anthropic / OpenAI / Google AI | AI generation | USA | Inference inputs (not retained for training under enterprise terms) |
11. International Transfers
Where Customer Personal Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to a Subprocessor outside those jurisdictions, the parties rely on the Standard Contractual Clauses (Module 2 or 3 as applicable) adopted by the European Commission, the UK International Data Transfer Addendum, and equivalent mechanisms, which are incorporated by reference into this DPA.
12. Data Subject Rights
Kontaim will, to the extent legally permitted, assist Customer in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Where possible, Customer should use built-in Service features to satisfy such requests directly.
13. Audits
On reasonable written notice (and no more than once per year, except after a Personal Data Breach or as required by a supervisory authority), Kontaim will provide Customer with information reasonably necessary to demonstrate compliance with this DPA, including the most recent third-party audit reports (e.g., SOC 2 once obtained) under NDA. On-site audits will be conducted only by mutual agreement and at Customer's expense.
14. Liability
The parties' liability arising under this DPA is subject to the limitation-of-liability provisions of the Agreement.
15. Term & Termination
This DPA remains in effect for the duration of the Agreement. On termination, the provisions of this DPA that by their nature should survive (including Sections 8, 9, 11, 12, and 14) will survive.
16. Governing Law
This DPA is governed by the same law and jurisdiction as the Agreement, except where Data Protection Law requires otherwise.
Negotiated DPAs are available for enterprise procurement. Customers may request a countersigned copy or substitute their own DPA template (subject to review) by emailing support@kontaim.com.