Data Processing Addendum
The terms under which Kavanah processes personal data on your behalf, including GDPR Article 28 obligations and international-transfer safeguards.
Last updated: July 1, 2026
1. Roles
For personal data contained in workspace data, the customer is the Controller and Kavanah is the Processor, processing personal data only on the customer's documented instructions — which include use of the Service and this Addendum. Where Kavanah determines the means and purposes of processing (e.g. for billing and account administration), it acts as an independent Controller as described in the Privacy Policy.
2. Scope of processing
- Subject matter: provision of the Kavanah project-management Service.
- Duration: the term of the customer's subscription, plus the deletion window below.
- Nature & purpose: hosting, storing, and processing workspace data to deliver the Service.
- Data subjects: the customer's users, team members, clients, and contacts.
- Categories of data: identifiers and contact details, and any content the customer chooses to store in the Service.
3. Confidentiality & security
Kavanah ensures personnel authorized to process personal data are bound by confidentiality, and implements the technical and organizational measures described in the Security Overview — including encryption in transit and at rest, tenant isolation, role-based access control, and immutable audit logging — appropriate to the risk.
4. Sub-processors
The customer authorizes Kavanah to engage the sub-processors listed on the Sub-processors page. Kavanah imposes data-protection obligations on each sub-processor substantially equivalent to those in this Addendum and remains responsible for their performance. Kavanah will provide notice of new sub-processors and a reasonable opportunity to object.
5. Data subject rights & assistance
Taking into account the nature of the processing, Kavanah assists the customer in responding to data-subject requests and in meeting its obligations regarding security, breach notification, and data protection impact assessments. The Service provides self-serve export and erasure tools from Settings → Data Governance.
6. Personal data breach
Kavanah notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer's data, and provides information reasonably available to help the customer meet its own notification obligations.
7. International transfers
Where processing involves transfer of personal data out of the EEA, UK, or Switzerland, the parties rely on the applicable Standard Contractual Clauses (and the UK Addendum / Swiss amendments as relevant), which are incorporated by reference into the executed Addendum.
8. Deletion & return
On termination, Kavanah deletes or returns the customer's personal data within a defined window (default 30 days), except where retention is required by law. Backups age out on their normal rotation.
9. Audits
Kavanah makes available information necessary to demonstrate compliance with this Addendum, including its third-party audit reports (e.g. SOC 2) under NDA via the Trust & Compliance page, and supports audits as set out in the executed Addendum.
Get the executable DPA
This page is the reference version. To put a DPA in place, request the counter-signable copy — we will complete it against your engagement (including Standard Contractual Clauses where transfers apply) and return it for signature. The signed document, not this page, governs.
Questions from a security, privacy, or procurement team? Email security@kavanah.ai. For SOC 2, penetration-test, or questionnaire artifacts shared under NDA, use the request forms on the Trust & Compliance page.