Data Processing Addendum
This DPA sets out the terms under which Kaldros processes personal data on your behalf under the EU/UK GDPR and equivalent regimes. It becomes binding on acceptance of the Terms of Service or by countersigned contract.
Roles
You are the data controller. Kaldros is the data processor. Kaldros does not determine the purposes of processing for customer data.
Nature and purpose of processing
To operate the Kaldros platform for the duration of the subscription, specifically: to capture, hash-chain, store, and produce evidence from customer-submitted agent events.
Sub-processors
Listed at /legal/sub-processors. We give notice of new sub-processors at least 30 days in advance through that page (email subscription available).
Transfers
EU workspaces' data is stored in EU regions. Where data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (2021/914) with supplementary measures.
Security
Our technical and organisational measures are listed at /legal/security. They include encryption in transit and at rest, access controls, vulnerability management, and incident response.
Breach notification
We notify you without undue delay and within 48 hours of becoming aware of a personal data breach affecting your workspace.
Audit rights
Enterprise customers may audit once per year on 30 days' notice, or rely on our third-party certification reports (SOC 2, ISO 27001 when available).
Draft · an executable PDF version is available on request.