Data Processing Agreement

Last Updated: February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Kabware Services Ltd ("Processor") and the customer ("Controller") for the provision of the Kabware Services platform, pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR").

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • (a) "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Platform.
  • (b) "Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, erasure, or destruction.
  • (c) "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • (d) "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • (e) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • (f) "Platform" means the Kabware Services digital assistant platform and all related services.
  • (g) "UK GDPR" means the UK General Data Protection Regulation as retained in UK law under the Data Protection Act 2018.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to the processing of Personal Data by the Processor in connection with the provision of the Platform to the Controller.

2.2 Nature and Purpose

The Processor processes Personal Data for the following purposes:

  • (a) Providing and operating the digital assistant platform
  • (b) Processing AI model inference requests (conversations with assistants)
  • (c) Storing and managing uploaded files and knowledge bases
  • (d) User authentication and account management
  • (e) Billing and subscription management
  • (f) Platform monitoring, security, and performance optimisation

2.3 Categories of Data Subjects

  • (a) The Controller's employees and team members
  • (b) The Controller's end users (authenticated and guest users)
  • (c) Individuals whose data appears in uploaded documents or conversations

2.4 Types of Personal Data

  • (a) Contact information (name, email address)
  • (b) Account credentials and authentication data
  • (c) Conversation content and message history
  • (d) Uploaded files and documents
  • (e) Usage data and activity logs
  • (f) IP addresses and device information
  • (g) Billing and payment information (processed via Stripe)

3. Obligations of the Controller

The Controller shall:

  • (a) Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf
  • (b) Provide clear and documented instructions to the Processor regarding the processing of Personal Data
  • (c) Ensure that Data Subjects have been informed about the processing of their Personal Data in accordance with applicable data protection laws
  • (d) Promptly notify the Processor of any changes to applicable data protection laws that may affect the Processor's obligations
  • (e) Ensure that any Personal Data uploaded to the Platform has been collected lawfully and with appropriate consent where required

4. Obligations of the Processor

The Processor shall:

  • (a) Process Personal Data only on documented instructions from the Controller, unless required to do so by UK law
  • (b) Ensure that persons authorised to process Personal Data have committed themselves to confidentiality
  • (c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7)
  • (d) Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller (see Section 5)
  • (e) Assist the Controller in responding to requests from Data Subjects exercising their rights under the UK GDPR
  • (f) Assist the Controller in ensuring compliance with data breach notification obligations
  • (g) Delete or return all Personal Data to the Controller after the end of the provision of services, at the Controller's choice (see Section 12)
  • (h) Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR

5. Sub-processors

5.1 Authorised Sub-processors

The Controller provides general authorisation for the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location
Microsoft Azure | Cloud infrastructure, database hosting, storage, application monitoring | UK South (primary)
OpenAI | AI model inference for digital assistant responses | United States
Stripe | Payment processing and subscription billing | United States / Ireland
Microsoft 365 | Transactional email delivery | United Kingdom / EU

5.2 Changes to Sub-processors

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least 30 days' notice before engaging a new sub-processor.

5.3 Sub-processor Obligations

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • (a) Right of access: Providing copies of Personal Data held
  • (b) Right to rectification: Correcting inaccurate Personal Data
  • (c) Right to erasure: Deleting Personal Data upon request
  • (d) Right to restriction: Restricting processing of Personal Data
  • (e) Right to data portability: Providing Personal Data in a structured, machine-readable format (JSON)
  • (f) Right to object: Ceasing processing where the Data Subject objects

The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request without the Controller's prior written authorisation, unless required by law.

7. Security Measures

The Processor implements the following technical and organisational measures to protect Personal Data:

7.1 Technical Measures

  • (a) Encryption in transit using TLS 1.3
  • (b) Encryption at rest using AES-256
  • (c) Multi-tenant data isolation with tenant-scoped access controls
  • (d) JWT-based authentication with short-lived tokens
  • (e) OTP verification codes stored as SHA-256 hashes
  • (f) Content Security Policy (CSP) headers
  • (g) Input validation and sanitisation
  • (h) Request size limiting to prevent abuse

7.2 Organisational Measures

  • (a) Role-based access controls for platform administration
  • (b) Staff confidentiality obligations
  • (c) Regular security audits and vulnerability assessments
  • (d) Incident response procedures
  • (e) Automated backup and disaster recovery
  • (f) Secure development practices

8. Data Breach Notification

8.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

8.2 Notification Content

The notification shall include, to the extent available:

  • (a) A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
  • (b) The name and contact details of the Processor's point of contact
  • (c) A description of the likely consequences of the Data Breach
  • (d) A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

8.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in investigating, mitigating, and remediating the Data Breach.

9. International Data Transfers

9.1 Transfer Restrictions

The Processor shall not transfer Personal Data outside the United Kingdom unless adequate safeguards are in place as required by the UK GDPR.

9.2 Transfer Mechanisms

Where transfers outside the UK are necessary, the Processor relies on:

  • (a) EU-US Data Privacy Framework: For transfers to certified US organisations (OpenAI, Stripe)
  • (b) Standard Contractual Clauses (SCCs): As approved by the ICO, incorporated into sub-processor agreements
  • (c) Adequacy decisions: Where the UK has determined that a country provides adequate data protection

9.3 OpenAI Processing

Conversation data sent to OpenAI for AI inference is processed under OpenAI's enterprise data processing terms, which prohibit the use of customer data for model training. Data is processed transiently and not retained by OpenAI beyond the request lifecycle.

10. Audit Rights

10.1 Right to Audit

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR.

10.2 Audit Process

  • (a) The Controller shall provide at least 30 days' written notice of any audit
  • (b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
  • (c) The Controller shall bear the costs of any audit
  • (d) Audit frequency shall not exceed once per year, unless required by a supervisory authority or following a Data Breach

10.3 Third-Party Certifications

The Processor may provide third-party audit reports, certifications, or compliance attestations as an alternative to on-site audits, where these adequately demonstrate compliance.

11. Term and Termination

11.1 Duration

This DPA shall remain in effect for the duration of the Controller's use of the Platform and shall automatically terminate when the service agreement between the parties expires or is terminated.

11.2 Survival

Sections relating to confidentiality, data return/deletion, and liability shall survive termination of this DPA.

12. Return and Deletion of Data

12.1 Upon Termination

Upon termination of the service agreement, the Processor shall, at the Controller's choice:

  • (a) Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON); or
  • (b) Delete all Personal Data and certify such deletion in writing

12.2 Retention Period

The Controller has 30 days from termination to request data return. After this period, the Processor shall securely delete all Personal Data, unless retention is required by UK law.

12.3 Exceptions

The Processor may retain anonymised data (from which no individual can be identified) for analytics purposes, and billing records as required by UK tax and accounting regulations (up to 7 years).

Contact

For questions about this Data Processing Agreement, please contact:

  • Data Protection Officer: dpo@kabware.co.uk
  • Legal: legal@kabware.co.uk
  • Privacy: privacy@kabware.co.uk
© 2026 Kabware Services Ltd