Data Processing Agreement
Last updated 2026-04-26 · Effective from 2026-04-26
This DPA forms part of the Terms of Service between MATRIXVISTA - FZCO ("Processor", "Kiseki") and the Customer ("Controller").
It applies when Customer's use of Kiseki involves processing Personal Data subject to GDPR (EU/UK) or equivalent regimes.
1. Definitions
Terms in CAPITAL LETTERS have meanings assigned in:
- GDPR (Regulation (EU) 2016/679);
- UK GDPR;
- The Terms of Service.
2. Subject Matter and Duration
2.1. Subject: Processor processes Personal Data on behalf of Controller for the purpose of providing the Kiseki Service.
2.2. Duration: as long as the underlying subscription is active, plus 90 days post-termination for export.
3. Nature and Purpose of Processing
3.1. Categories of Data Subjects
- Controller's prospects, leads, customers (End-users);
- Controller's authorized users (employees, contractors).
3.2. Categories of Personal Data
- Identity data (name, email, phone, social profile);
- Communication data (DM messages, email exchanges);
- Behavioral data (clicks, opens, conversion events);
- Authentication data (account credentials — hashed / encrypted);
- NO special categories (Art. 9 GDPR) without explicit Controller instruction.
3.3. Processing Operations
- Storage (encrypted at rest);
- Transmission (encrypted in transit);
- AI inference (Anthropic, OpenAI) on prompt context;
- Aggregation for analytics;
- Display in Controller's dashboard.
4. Controller Obligations
Controller represents and warrants that:
- It has a lawful basis for processing End-user data (consent, contract, legitimate interest);
- It has provided End-users with the required privacy notices;
- It has provided Processor only with data necessary for the Service;
- It will not instruct Processor to violate GDPR or other applicable law.
5. Processor Obligations
Processor commits to:
5.1. Process Personal Data only on documented instructions from Controller (these Terms plus configurations made via the Service).
5.2. Ensure persons processing data are bound by confidentiality obligations.
5.3. Implement appropriate technical and organizational measures (see Annex II) including:
- Encryption (at rest, in transit);
- Access controls (RBAC, MFA);
- Regular security audits;
- Backup and recovery procedures;
- Multi-tenant data isolation;
- Audit logs.
5.4. Not engage sub-processors without prior Controller authorization. Authorized sub-processors are listed in Annex I (mirrored at legal.thekiseki.app/sub-processors). Changes are notified at least 30 days in advance.
5.5. Assist Controller with:
- Data Subject rights requests (access, erasure, portability, etc.) within reasonable time;
- Data Protection Impact Assessments (DPIAs) when applicable;
- Breach notifications (within 72 hours of awareness).
5.6. Data breach: notify Controller without undue delay (within 72 hours) including:
- Nature, categories, approximate numbers affected;
- Likely consequences;
- Measures taken / proposed.
5.7. Upon termination, delete or return all Personal Data per Controller's choice (within 90 days), unless retained for legal compliance.
5.8. Make available all information needed to demonstrate compliance and contribute to audits (Controller-conducted audits on reasonable notice, at most once per year, with a limited scope).
6. International Transfers
6.1. Sub-processors located outside the EEA are bound by Standard Contractual Clauses (SCCs) per Commission Decision 2021/914.
6.2. Controller authorizes Processor to use SCCs Module 2 (Controller to Processor) and Module 3 (Processor to Sub-Processor) for transfers to Processor's sub-processors.
6.3. For UK transfers: UK Addendum to SCCs applies.
7. Liability
7.1. Each party is liable for damages caused by its non-compliance with GDPR / this DPA.
7.2. Liability limits in the underlying Terms of Service apply to this DPA.
8. Audits
Controller may audit Processor's compliance once per calendar year, with 30 days' notice, scope to be agreed in writing. Processor will provide:
- ISO 27001 certifications (planned Year 2);
- SOC 2 Type II reports (planned Year 2–3);
- Vulnerability scan summaries on request.
9. Annex I — Sub-processors
The current canonical list of sub-processors is mirrored at legal.thekiseki.app/sub-processors and constitutes Annex I to this DPA. Changes are notified at least 30 days in advance per §5.4.
10. Annex II — Technical and Organizational Measures
| Measure | Implementation |
|---|---|
| Pseudonymization | Customer data tagged with tenant_id; row-level security (RLS) enforced in Postgres |
| Encryption at rest | AES-256 (Postgres TDE, S3-compatible storage) |
| Encryption in transit | TLS 1.3 minimum, all external traffic |
| Access control | RBAC with least privilege; MFA enforced for admin |
| Audit logging | All access to Customer data logged and retained for 12 months |
| Backup | Encrypted snapshots, 90-day rolling, geographically distributed |
| Incident response | 24/7 security monitoring, defined runbook |
| Personnel training | Privacy + security training annually |
| Data minimization | Only collect what Service requires |
| Multi-tenant isolation | Postgres RLS + role NOBYPASSRLS, queue tenant scoping |
| Vulnerability management | Quarterly scans, patches applied within 30 days for high / critical |
| Vendor risk | Sub-processor DPAs reviewed annually |
11. Signatures
By using the Service after the effective date of this DPA, Controller (Customer) is deemed to have accepted this DPA. For executed signed copies, contact legal@thekiseki.app.