DRAFT — pending legal review. These templates are starting points and have not been cleared for production launch.

Data Processing Addendum

Last updated: 2026-05-17 · Version: 1.0.0

This Data Processing Addendum (“DPA”) supplements the Koda Vision Terms of Service when the Customer (the “Controller”) instructs Koda Vision (the “Processor”) to process personal data subject to the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and the UK Data Protection Act 2018, or any successor regime (collectively “Data Protection Laws”).

Automatic execution: This DPA is deemed accepted when a Customer whose detected residency is in the EU/EEA or UK accepts the Terms of Service. A countersigned PDF is generated on request via legal@koda-vision.com.

1. Definitions

Terms used but not defined here have the meaning set out in the GDPR. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” have the meanings in GDPR Art. 4.

2. Subject Matter and Duration

Koda Vision processes Personal Data only to provide the Service described in the Terms. Processing continues for the duration of the Customer’s subscription and ceases at account closure, subject only to the retention windows set out in the Privacy Policy.

3. Nature and Purpose of Processing

Koda Vision processes Personal Data to host content ingested by the Customer, run AI-assisted audits and rewrites, publish back to connected content management systems, and deliver associated usage analytics and billing.

4. Types of Personal Data and Categories of Data Subjects

  • Data subjects: the Customer’s employees, contractors, and end-users whose data appears in submitted content.
  • Categories: contact details, account credentials, content data submitted by the Customer, usage telemetry, and billing details.

5. Controller and Processor Obligations

The Processor shall:

  • process Personal Data only on documented instructions from the Controller (GDPR Art. 28(3)(a));
  • ensure persons authorised to process Personal Data are bound by confidentiality (Art. 28(3)(b));
  • implement the technical and organisational measures listed in Annex II (Art. 32);
  • engage Sub-processors only under the conditions in Section 8;
  • assist the Controller in fulfilling its obligations under Articles 32–36 and in responding to Data Subject requests;
  • at the choice of the Controller, delete or return all Personal Data after the end of the provision of services.

6. Security (Annex II — Technical and Organisational Measures)

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 envelope encryption).
  • Passkey-based MFA for staff with production access; passkey or password+TOTP for customers.
  • Per-region database residency (EU, IN, US).
  • Append-only audit log with 2-year retention.
  • Annual third-party penetration test and SOC 2 Type II attestation.
  • Quarterly backup-restore drill, documented disaster recovery plan.

7. Data Subject Requests

Koda Vision will notify the Controller without undue delay of any request received directly from a Data Subject, and will not respond to such a request unless instructed by the Controller. Koda Vision provides DSAR tooling at /api/dsar/request to help the Controller fulfil its obligations under Articles 15–22.

8. Sub-processors (Annex III)

The Controller authorises Koda Vision to engage the Sub-processors listed below. Koda Vision will notify the Controller of any intended changes (additions or replacements) with at least 30 days’ notice and will give the Controller the opportunity to object on reasonable grounds.

  Sub-processor      Category             DPA    Sub-processors
  Neon (Postgres)    database             link   link
  Cloudflare R2      object-storage       link   link
  Resend             transactional-email  link   link
  Sentry             error-monitoring     link   link
  OpenAI             ai-inference         link   link
  Anthropic          ai-inference         link   link
  Twilio             voice-sms            link   link
  ElevenLabs         tts                  link   link

9. International Transfers

Where Personal Data originating in the EU/EEA or UK is transferred outside those territories, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two, controller-to-processor) and, for UK transfers, the UK International Data Transfer Addendum, are incorporated by reference. The Customer acts as “data exporter” and the Processor as “data importer”.

10. Personal Data Breach

Koda Vision will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data, providing the information required by Art. 33(3). Where that information is not available at the time of the initial notification, it may be provided in phases without undue further delay (Art. 33(4)).

11. Audits

The Controller may, no more than once in any twelve-month period and on at least 30 days’ written notice, audit the Processor’s compliance with this DPA. Koda Vision may satisfy the audit obligation by providing its current SOC 2 Type II report and a completed standard security questionnaire.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Term and Termination

This DPA takes effect on acceptance and remains in force for so long as the Processor processes Personal Data on behalf of the Controller.

Contact

DPA execution / countersigned PDF requests: legal@koda-vision.com.