K
Kendra
Public Beta
⚠ DRAFT — Pending Attorney Review. This document is a placeholder published during YourKendra's Public Beta. Attorney review is scheduled this week. Final versions will publish at /legal/final/ after review. For questions, email legal@yourkendra.com.

YourKendra — Data Processing Agreement (Template)

Version: 0.1-draft · Public Beta · This template is offered to B2B customers who require a signed DPA.

1. Parties and Scope

This DPA forms part of the Terms of Service between YourKendra ("Processor") and the Customer ("Controller"). It governs Processor's processing of Personal Data on behalf of Controller.

2. Definitions

"Personal Data," "Processing," "Data Subject," and "Supervisory Authority" have the meanings given in applicable data protection laws (GDPR Art. 4, CCPA §1798.140).

3. Processor Obligations

3.1 Process Personal Data only on documented Controller instructions.
3.2 Ensure personnel with access are bound by confidentiality obligations.
3.3 Implement appropriate technical and organizational security measures, including:
- AES-256 encryption at rest and in transit
- Row-Level Security (RLS) on all customer-scoped data
- Principle of least privilege on internal access
- Audit logging of data-access events

3.4 Assist Controller with:
- Data Subject requests (access, correction, deletion, portability)
- Data Protection Impact Assessments
- Regulator inquiries

3.5 Notify Controller of any Personal Data Breach within 72 hours of awareness.
3.6 On termination, at Controller's choice: return or delete all Personal Data within 30 days.

4. Sub-processors

⚠ Lawyer review required: enumerate + link each. Keep /legal/draft/subprocessors authoritative.

Controller authorizes Processor to use the sub-processors listed at /legal/draft/subprocessors. Processor will notify Controller at least 30 days before adding a new sub-processor. Controller may object within 14 days.

5. Data Transfers

⚠ Lawyer review required: if EU customer, add SCCs annex here.

Where Controller is outside the US, Processor will implement appropriate transfer safeguards (Standard Contractual Clauses or equivalent).

6. Audit Rights

⚠ Lawyer review required: frequency cap + scope.

Upon 30 days' written notice, no more than once per year, Controller may audit Processor's compliance. Audit costs borne by Controller unless material non-compliance discovered.

7. Liability

Liability under this DPA is subject to the limitation of liability in the main Terms of Service.

8. Term

This DPA remains in force for the duration of the Terms of Service and survives termination to the extent necessary for final data return/deletion.

9. Execution

Customers who require a signed DPA may request one at legal@yourkendra.com.

END OF DPA TEMPLATE · VERSION 0.1-DRAFT · PENDING ATTORNEY REVIEW

← Back to Trust & Compliance