Data Processing Addendum

Last updated: May 21, 2026

Download PDF

This Data Processing Addendum ("DPA") forms part of the agreement between Kavric, Inc. ("Processor") and the customer ("Controller") for the provision of the Kavric Services, and applies where Controller's processing of Personal Data is subject to the GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, or other applicable data protection laws.

1. Definitions

Terms such as "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Sub-processor" have the meanings given in applicable data protection law.

2. Scope and Roles

Controller is the controller of Personal Data; Kavric acts as a Processor when processing Personal Data on Controller's behalf to provide the Services. Kavric is a "service provider" under the CCPA/CPRA and will not "sell" or "share" Personal Data.

3. Processing Details

  • Subject matter: Provision of the Kavric Services.
  • Duration: Term of the customer agreement plus retention period.
  • Nature/purpose: Hosting, transmission, analytics, support, AI processing.
  • Categories of Data Subjects: Controller's employees, contractors, customers, leads.
  • Categories of Personal Data: Names, contact info, project/job data, photos, communications, billing metadata.

4. Kavric Obligations

  • Process Personal Data only on documented instructions from Controller.
  • Ensure personnel are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures (Annex II).
  • Assist Controller with Data Subject requests and Data Protection Impact Assessments.
  • Notify Controller without undue delay (and no later than 72 hours) of any Personal Data Breach.
  • Delete or return Personal Data at the end of the Services, per Controller's choice.

5. Sub-processors

Controller authorizes Kavric to engage Sub-processors, including hosting (Cloudflare, Supabase), payments (Stripe), email (Resend), and AI providers (Google, OpenAI). A current list is available on request. Kavric will impose data protection obligations on Sub-processors that are no less protective than this DPA.

6. International Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as applicable.

7. Audits

Kavric makes available information necessary to demonstrate compliance with this DPA. Controller may request an audit no more than once per year, subject to reasonable confidentiality and scheduling requirements.

8. Liability

Liability under this DPA is subject to the limitations of liability in the main agreement.

Annex I — Processing Details

As described in Section 3 above.

Annex II — Technical and Organizational Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and least-privilege principles.
  • Audit logging and monitoring of administrative actions.
  • Vulnerability management and regular security reviews.
  • Background checks and security training for personnel.
  • Backup and disaster recovery procedures.

Contact

To execute this DPA or for questions: support@kavric.ai.