Data Processing Agreement

1. Introduction and Scope

1.1 Parties

This Data Processing Agreement is entered into between:

• Controller (Customer): The entity that has agreed to the Terms of Service and uses the Services to process personal data.
• Processor (Kodus): Kodus, which processes personal data on behalf of the Controller.

1.2 Scope

This DPA applies to the processing of personal data by Kodus in its capacity as a data processor on behalf of the Customer (as data controller) in the provision of the Services. This DPA supplements and is incorporated into the Terms of Service.

1.3 Applicability

This DPA applies where:

• The Customer is established in the European Economic Area (EEA), United Kingdom, or Switzerland;
• The Customer processes personal data of individuals located in the EEA, UK, or Switzerland;
• The GDPR, UK GDPR, or Swiss FADP applies to the Customer's processing activities;
• Other applicable data protection laws require a data processing agreement.

2. Definitions

For the purposes of this DPA:

• "Controller" means the Customer, the entity that determines the purposes and means of processing personal data;
• "Processor" means Kodus, which processes personal data on behalf of the Controller;
• "Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller;
• "Personal Data" means any information relating to an identified or identifiable natural person;
• "Data Subject" means an identified or identifiable natural person whose personal data is processed;
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion;
• "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other relevant legislation;
• "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation);
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers;
• "Services" means the Kodus platform and related services provided under the Terms of Service.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Controller shall:

• Determine the purposes and means of processing personal data;
• Ensure a lawful basis exists for all processing activities;
• Provide appropriate privacy notices to data subjects;
• Obtain necessary consents where required;
• Ensure the accuracy of personal data;
• Comply with data subject rights requests;
• Ensure personal data is not processed in violation of Data Protection Laws;
• Provide documented instructions for processing;
• Assess and ensure the adequacy of security measures.

3.2 Processor Responsibilities

The Processor shall:

• Process personal data only on documented instructions from the Controller;
• Ensure persons authorized to process personal data are bound by confidentiality;
• Implement appropriate technical and organizational security measures;
• Assist the Controller with data subject rights requests;
• Assist the Controller with GDPR compliance obligations;
• Delete or return personal data upon termination as instructed;
• Make available information necessary to demonstrate compliance;
• Allow for and contribute to audits conducted by the Controller.

4. Details of Processing

4.1 Subject Matter and Duration

The Processor processes personal data for the duration of the agreement for the purpose of providing the Services as described in the Terms of Service.

4.2 Nature and Purpose of Processing

The Processor processes personal data contained in prompts, workspace content, and agent session data for the following purposes:

• Operating the Kodus CLI, relay backend, and web Dashboard;
• Routing agent prompts and selected workspace content to third-party AI Model Providers for inference;
• Executing agent tool calls (code edits, bash, git, file reads, search, AST operations) against Controller-designated workspaces;
• Persisting chat/session history for Controller's own access in the Dashboard;
• Hosting Controller workspaces and project previews when enabled;
• Managing subscriptions, billing, and usage metering;
• Providing security, abuse monitoring, error reporting, and support;
• Any other purposes as instructed by the Controller.

4.3 Categories of Data Subjects

Personal data processed may relate to the following categories of data subjects:

• Controller's Authorized Users of the Services (e.g., individual developers on a team);
• Third-party individuals whose personal data may incidentally appear in source code, test fixtures, documentation, commit history, or other workspace content that the Controller elects to process through the agent;
• Any other data subjects whose data the Controller elects to process through the Services.

4.4 Types of Personal Data

4.5 Special Categories of Data

The Controller shall not submit special categories of personal data (as defined in Article 9 of GDPR) to the Services unless specifically agreed in writing and appropriate safeguards are implemented.

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

• Process personal data only on documented instructions from the Controller;
• Inform the Controller if, in its opinion, an instruction infringes Data Protection Laws;
• Not process personal data for its own purposes unless permitted by law.

5.2 Confidentiality

The Processor shall ensure that:

• All personnel authorized to process personal data are bound by confidentiality obligations;
• Access to personal data is limited to authorized personnel on a need-to-know basis;
• Personnel receive appropriate data protection training.

5.3 Assistance

The Processor shall assist the Controller with:

• Responding to data subject rights requests;
• Ensuring compliance with security obligations;
• Notifying personal data breaches;
• Conducting data protection impact assessments;
• Prior consultation with supervisory authorities where required.

6. Subprocessors

6.1 General Authorization

The Controller provides general authorization for the Processor to engage subprocessors for the processing of personal data. The Processor shall:

• Maintain a list of current subprocessors;
• Notify the Controller of any intended additions or replacements of subprocessors;
• Provide the Controller with the opportunity to object to such changes;
• Ensure subprocessors are bound by data protection obligations at least as protective as those in this DPA.

6.2 Current Subprocessors

A list of current subprocessors is available upon request and includes:

6.3 Subprocessor Changes

The Processor shall provide at least 30 days' notice before adding or replacing a subprocessor. If the Controller objects to a subprocessor on reasonable data protection grounds, the parties shall work together in good faith to resolve the objection.

7. Data Subject Rights

7.1 Assistance with Requests

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws, including:

• Right of Access: Providing copies of personal data;
• Right to Rectification: Correcting inaccurate personal data;
• Right to Erasure: Deleting personal data;
• Right to Restriction: Restricting processing of personal data;
• Right to Data Portability: Providing personal data in portable format;
• Right to Object: Ceasing certain processing activities;
• Rights Related to Automated Decision-Making: Providing information and human intervention.

7.2 Response Process

If the Processor receives a request directly from a data subject:

• The Processor shall promptly notify the Controller;
• The Processor shall not respond directly unless authorized by the Controller;
• The Controller shall be responsible for responding to the request.

8. Security Measures

8.1 Technical and Organizational Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

8.2 Technical Measures

• Encryption: Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
• Access Controls: Role-based access control, multi-factor authentication;
• Network Security: Firewalls, intrusion detection, DDoS protection;
• Monitoring: Security logging, anomaly detection, continuous monitoring;
• Backup: Regular automated backups with encryption;
• Patch Management: Regular security updates and vulnerability management.

8.3 Organizational Measures

• Personnel: Background checks, confidentiality agreements, security training;
• Access Management: Principle of least privilege, regular access reviews;
• Incident Response: Documented incident response procedures;
• Business Continuity: Disaster recovery and business continuity plans;
• Vendor Management: Security assessments of subprocessors;
• Physical Security: Secure data centers with physical access controls.

9. Data Breach Notification

9.1 Notification to Controller

In the event of a personal data breach, the Processor shall:

• Notify the Controller without undue delay upon becoming aware of the breach;
• Provide notification within 72 hours where feasible;
• Provide information necessary for the Controller to meet its breach notification obligations.

9.2 Breach Information

The notification shall include, to the extent known:

• Nature of the breach, including categories and number of data subjects affected;
• Name and contact details of the data protection point of contact;
• Likely consequences of the breach;
• Measures taken or proposed to address the breach;
• Measures to mitigate adverse effects.

9.3 Assistance

The Processor shall assist the Controller with:

• Investigating the breach;
• Fulfilling notification obligations to supervisory authorities;
• Communicating with affected data subjects if required;
• Implementing measures to address and mitigate the breach.

10. International Data Transfers

10.1 Transfer Mechanisms

Where personal data is transferred outside the EEA, UK, or Switzerland, the Processor shall ensure that appropriate safeguards are in place, including:

• Adequacy Decisions: Transfers to countries with adequate data protection;
• Standard Contractual Clauses: EU Commission-approved SCCs;
• UK International Data Transfer Agreement: For UK transfers;
• Supplementary Measures: Additional technical and organizational measures as necessary.

10.2 Standard Contractual Clauses

Where the Controller is subject to GDPR and personal data is transferred to the Processor or subprocessors in the United States, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) incorporated herein by reference.

10.3 Transfer Impact Assessment

The Processor shall assist the Controller in conducting transfer impact assessments where required and shall implement supplementary measures to address any identified risks.

11. Audits and Assessments

11.1 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

11.2 Audit Process

Audits shall be conducted:

• With reasonable advance notice (at least 30 days except in emergencies);
• During normal business hours;
• No more than once per year unless required by law or following a security incident;
• Subject to appropriate confidentiality obligations.

11.3 Certifications and Reports

The Processor may satisfy audit requests by providing:

• Relevant certifications (e.g., SOC 2 Type II, ISO 27001);
• Third-party audit reports;
• Penetration test reports;
• Responses to security questionnaires.

12. Termination and Data Return

12.1 Upon Termination

Upon termination of the Services, the Processor shall, at the Controller's choice:

• Return all personal data to the Controller in a commonly used, machine-readable format; or
• Delete all personal data and certify such deletion.

12.2 Data Retention Period

The Controller shall have thirty (30) days following termination to request return of personal data. After this period, the Processor may delete all personal data unless required by law to retain it.

12.3 Survival

Obligations regarding confidentiality, security, and limitation of liability shall survive termination of this DPA.

13. Liability

13.1 Processor Liability

The Processor shall be liable for damages caused by processing that does not comply with this DPA or applicable Data Protection Laws, unless the Processor demonstrates it is not responsible for the event giving rise to the damage.

13.2 Limitation

Any limitations of liability set forth in the Terms of Service shall apply to this DPA, except to the extent prohibited by applicable law.

13.3 Indemnification

Each party shall indemnify the other for any fines, penalties, or damages arising from the indemnifying party's breach of this DPA or applicable Data Protection Laws.

14. General Provisions

14.1 Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data. In the event of a conflict between this DPA and applicable Data Protection Laws, the applicable laws shall prevail.

14.2 Amendments

Kodus may update this DPA from time to time to reflect changes in Data Protection Laws or our data processing practices. Material changes will be communicated to the Controller.

14.3 Governing Law

This DPA shall be governed by the laws applicable to the Terms of Service, unless Data Protection Laws require otherwise.

14.4 Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.5 Entire Agreement

This DPA, together with the Terms of Service and incorporated policies, constitutes the entire agreement between the parties regarding data processing.