
Data Processing Agreement

Last updated: January 13, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Kynthar (“Processor,” “we,” “us,” or “our”) and the Customer (“Controller,” “you,” or “your”) and governs the processing of personal data by Kynthar on behalf of the Customer.

GDPR Compliance: This DPA is designed to comply with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

1. Definitions

For the purposes of this DPA:

  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this DPA, the Controller is the Customer.
  • “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. In the context of this DPA, the Processor is Kynthar.
  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed.
  • “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
  • “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to GDPR Article 51.

2. Subject Matter and Duration

2.1 Subject Matter

This DPA governs the processing of personal data by Kynthar when providing the document intelligence platform and related services (“Services”) to the Customer as described in the Terms of Service.

2.2 Duration

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller, and shall automatically terminate upon the termination or expiration of the Terms of Service, subject to the data deletion provisions set forth herein.

3. Nature and Purpose of Processing

3.1 Nature of Processing

The Processor will process personal data on behalf of the Controller for the following purposes:

  • Document Extraction: Automated extraction of data from uploaded documents including invoices, purchase orders, receipts, and other business documents
  • Invoice and PO Processing: Parsing, validation, and structuring of invoice and purchase order data for reconciliation and accounting purposes
  • Data Structuring: Converting unstructured document content into structured, machine-readable formats
  • Integration Services: Facilitating data transfer to Controller's accounting systems and third-party integrations
  • Storage and Retrieval: Secure storage of processed documents and extracted data for Controller access

3.2 Purpose Limitation

The Processor shall only process personal data for the purposes specified above and in accordance with the Controller's documented instructions. The Processor shall not process personal data for any other purpose unless required by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).

4. Types of Personal Data Processed

The following categories of personal data may be processed in the course of providing the Services:

Category and examples:

  • Contact Information: Names, email addresses, phone numbers, physical addresses of individuals appearing on invoices and business documents
  • Business Identifiers: Company names, tax identification numbers, VAT numbers, business registration numbers
  • Financial Information: Invoice amounts, payment terms, bank account details (when appearing on documents), transaction references
  • Employment Information: Employee names and titles appearing on documents, signatures
  • Technical Identifiers: User account information, IP addresses, document metadata

Special Categories of Data: The Controller should not upload documents containing special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.) unless strictly necessary and appropriate safeguards are in place. The Controller is responsible for ensuring lawful grounds for processing any such data.

5. Categories of Data Subjects

The personal data processed may relate to the following categories of Data Subjects:

  • Controller's employees and contractors
  • Controller's customers and clients
  • Controller's vendors and suppliers
  • Controller's business partners
  • Individuals whose information appears on processed documents

6. Processor Obligations

The Processor shall:

6.1 Processing Instructions

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection provisions

6.2 Confidentiality

  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Limit access to personal data to personnel who require such access to perform the Services

6.3 Security Measures

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
  • Regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing

6.4 Sub-processing

  • Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller
  • Where general written authorization is given, inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller an opportunity to object
  • Impose the same data protection obligations as set out in this DPA on any Sub-processor by way of contract

6.5 Assistance to Controller

  • Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights
  • Assist the Controller in ensuring compliance with obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of processing and information available to the Processor

6.6 Data Deletion and Return

  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the personal data

6.7 Audit Rights

  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
  • Allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

7. Sub-processors

7.1 Authorized Sub-processors

The Controller hereby provides general authorization for the Processor to engage the following Sub-processors:

Sub-processor, purpose, and location:

  • Amazon Web Services (AWS): Cloud infrastructure, data storage, computing services, database hosting. Location: United States (with EU regions available)
  • xAI: AI/ML processing for document extraction and data structuring. Location: United States
  • OpenAI: AI/ML processing for document understanding and content analysis. Location: United States
  • Stripe: Payment processing and billing services. Location: United States (with EU presence)

7.2 Sub-processor Changes

The Processor shall notify the Controller of any intended changes to Sub-processors at least 30 days in advance by email or through the Service dashboard. The Controller may object to such changes on reasonable grounds related to data protection. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the affected Services.

7.3 Sub-processor Obligations

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

8. International Data Transfers

8.1 Transfer Mechanisms

Where personal data is transferred to countries outside the European Economic Area (EEA) that have not been deemed to provide an adequate level of data protection by the European Commission, the Processor shall ensure that such transfers are made in compliance with GDPR requirements, including through:

  • Standard Contractual Clauses (SCCs): The Processor has entered into the European Commission's Standard Contractual Clauses with relevant Sub-processors for transfers of personal data to third countries
  • Supplementary Measures: Where required, the Processor implements supplementary technical and organizational measures to ensure the effective protection of transferred data
  • Transfer Impact Assessments: The Processor conducts transfer impact assessments to evaluate the laws and practices of third countries and implements additional safeguards where necessary

8.2 Controller's Authorization

By entering into this DPA, the Controller authorizes the Processor to transfer personal data to Sub-processors located outside the EEA, provided that appropriate safeguards as described above are in place.

8.3 UK and Swiss Transfers

For transfers from the United Kingdom, the Processor relies on the UK International Data Transfer Agreement or UK Addendum to the EU SCCs. For transfers from Switzerland, the Processor relies on the Swiss-approved SCCs or other appropriate safeguards.

9. Security Measures

The Processor implements the following technical and organizational security measures:

9.1 Technical Measures

  • Encryption: All personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access controls with principle of least privilege
  • Authentication: Secure password-based authentication with session management
  • Network Security: Firewalls, intrusion detection systems, and network segmentation
  • Logging and Monitoring: Comprehensive audit logging of access to personal data
  • Vulnerability Management: Regular security scanning and penetration testing
  • Backup and Recovery: Regular encrypted backups with tested recovery procedures

9.2 Organizational Measures

  • Security Policies: Documented information security policies and procedures
  • Employee Training: Regular data protection and security awareness training
  • Background Checks: Background verification for personnel with access to personal data
  • Incident Response: Documented incident response procedures
  • Vendor Management: Security assessments of Sub-processors
  • Business Continuity: Business continuity and disaster recovery plans

9.3 Security Certifications

The Processor's infrastructure providers (AWS) maintain industry-standard security certifications including SOC 2 Type II, ISO 27001, and PCI DSS compliance.

10. Data Breach Notification

10.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting Controller's data. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

10.2 Cooperation

The Processor shall cooperate with the Controller and provide reasonable assistance in investigating the breach and fulfilling the Controller's data breach notification obligations under applicable law.

11. Audit Rights

11.1 Controller Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Such audits may be conducted:

  • Upon reasonable notice (minimum 30 days, except in case of suspected breach)
  • During regular business hours
  • No more than once per year (unless a breach has occurred or is suspected)
  • At the Controller's expense, unless the audit reveals material non-compliance

11.2 Third-Party Audits

The Processor may satisfy audit requirements by providing:

  • Third-party audit reports (e.g., SOC 2 Type II)
  • Security certifications and attestations
  • Responses to standardized security questionnaires

11.3 Confidentiality

The Controller and any third-party auditors must maintain the confidentiality of any information obtained during an audit and sign appropriate non-disclosure agreements.

12. Data Subject Rights

12.1 Controller Responsibility

The Controller is responsible for responding to requests from Data Subjects exercising their rights under GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.

12.2 Processor Assistance

The Processor shall assist the Controller in responding to Data Subject requests by:

  • Promptly forwarding any Data Subject requests received directly to the Controller
  • Providing technical capabilities for the Controller to access, export, or delete personal data
  • Implementing Data Subject requests within 5 business days of receiving Controller instructions
  • Not responding directly to Data Subjects unless authorized by the Controller or required by law

12.3 Costs

The Processor shall provide reasonable assistance at no additional charge for standard requests. For requests requiring significant effort beyond normal Service functionality, the Processor may charge reasonable fees based on actual costs incurred.

13. Data Protection Impact Assessments

Where required under GDPR Article 35, the Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and, where necessary, prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.

14. Term and Termination

14.1 Term

This DPA shall commence on the effective date of the Terms of Service and shall continue until the termination or expiration of the Terms of Service.

14.2 Data Return and Deletion

Upon termination of the Services:

  • The Controller may request return of personal data in a commonly used, machine-readable format within 30 days of termination
  • Unless legally required otherwise, the Processor shall delete all personal data within 90 days of termination
  • Upon request, the Processor shall provide written certification of data deletion
  • The Processor may retain anonymized or aggregated data that does not identify individual Data Subjects

14.3 Survival

Provisions of this DPA that by their nature should survive termination (including confidentiality, audit rights, and limitation of liability) shall survive the termination of this DPA.

15. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service. For the avoidance of doubt:

  • The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller
  • Where both parties are responsible for damage caused by processing, each party shall be liable for the entire damage to ensure effective compensation of the Data Subject, but shall be entitled to claim back from the other party that part of the compensation corresponding to their part of the responsibility

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service. For Data Subjects in the European Union, nothing in this DPA shall limit their rights under GDPR or their right to bring claims before their local supervisory authority or courts.

17. Amendments

This DPA may be amended by the Processor to reflect changes in applicable data protection laws or guidance from supervisory authorities. The Processor shall provide at least 30 days' notice of material amendments. Continued use of the Services after amendments take effect constitutes acceptance of the amended DPA.

18. Contact Information

Data Protection Inquiries

For questions about this DPA or data protection matters:

Email: legal@kynthar.com

We will respond to inquiries within 5 business days.

19. Acknowledgment

By using the Services, the Controller acknowledges that they have read, understood, and agree to this Data Processing Agreement. This DPA, together with the Terms of Service and Privacy Policy, constitutes the complete agreement between the parties regarding data processing.

© 2026 Kynthar, Inc. All rights reserved.