Data Processing Agreement

Version 1.0 — Effective: April 6, 2026

Processor: Kitchen Porter Costing ("KPC", "we", "us") — a Canadian business

This Data Processing Agreement ("DPA") forms part of the KPC Terms and Conditions between KPC and the Customer (the "Controller"). It governs KPC's processing of personal data on the Controller's behalf and reflects the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), PIPEDA, and Quebec's Law 25. In the event of conflict, this DPA takes precedence over the Terms with respect to data protection obligations.

1. Definitions

In this DPA:

  • "Controller" means the Customer entity that has accepted the KPC Terms.
  • "Processor" means KPC, which processes personal data on the Controller's behalf.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
  • "Processing" has the meaning given in applicable data protection law.
  • "Sub-processor" means any third party engaged by KPC to process personal data in connection with the services.
  • "EEA" means the European Economic Area.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission (Decision 2021/914).

2. Details of processing

Element                     | Details
Subject-matter              | Processing of personal data in connection with the KPC food-cost tracking and invoice intelligence platform.
Duration                    | For the term of the Customer's subscription and as required for the purposes below, plus any applicable legal retention period.
Nature                      | Collection, storage, retrieval, analysis, AI-assisted extraction, structuring, and deletion of personal data.
Purpose                     | Providing the KPC service: invoice data extraction, price tracking, menu costing, budget analytics, and billing.
Types of personal data      | Business contact information (name, email); invoice content (supplier names, product descriptions, pricing); usage and access logs; billing contact details.
Categories of data subjects | Users (representatives of Controller's business); indirectly, individuals named within uploaded invoices and documents.

3. Processor obligations

KPC agrees to:

  1. Process personal data only on documented instructions from the Controller, including the instructions set out in these Terms and this DPA, unless required to do so by applicable law.
  2. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in section 7 below.
  4. Respect the conditions for engaging sub-processors set out in section 5 below.
  5. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to KPC.
  6. At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires further storage.
  7. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits as described in section 9.
  8. Notify the Controller without undue delay if KPC is of the opinion that an instruction infringes applicable data protection law.

4. Controller obligations

The Controller represents and warrants that:

  • It has a lawful basis for processing personal data and for instructing KPC to process personal data on its behalf.
  • It has provided all required notices and obtained all required consents from data subjects prior to uploading personal data to the platform.
  • It will not upload special categories of personal data (health data, biometrics, etc.) unless expressly agreed in writing.
  • It will promptly inform KPC of any instruction that it believes would cause KPC to violate applicable data protection law.

5. Sub-processors

The Controller provides general authorisation for KPC to engage the sub-processors listed below. KPC will inform the Controller of any intended addition or replacement of sub-processors by updating this DPA with at least 14 days' notice. The Controller may object to a new sub-processor on reasonable grounds by notifying KPC at [email protected] within 14 days of the notice.

Sub-processor        | Purpose                                                   | Location                  | Transfer mechanism
Anthropic, PBC       | AI-powered invoice data extraction                        | United States             | Standard Contractual Clauses (EU SCCs, 2021/914)
Stripe, Inc.         | Payment processing and subscription billing               | United States             | Standard Contractual Clauses (EU SCCs, 2021/914)
Resend, Inc.         | Transactional email delivery (verification, notifications) | United States             | Standard Contractual Clauses (EU SCCs, 2021/914)
Hetzner Online GmbH  | Cloud infrastructure (compute, storage hosting)           | Germany / European Union  | EU adequacy — no transfer mechanism required

KPC has entered into data processing agreements with each sub-processor that impose data protection obligations at least equivalent to those in this DPA.

6. International transfers

Canada has been recognised as providing an adequate level of protection for personal data under the GDPR (European Commission adequacy decision). Transfers of personal data from EEA Controllers to KPC (a Canadian processor) therefore do not require an additional transfer mechanism.

For onward transfers from KPC to sub-processors located in the United States (Anthropic, Stripe, Resend), KPC relies on the EU Standard Contractual Clauses (controller-to-processor, Commission Decision 2021/914, Module 3) as the transfer mechanism. Copies of the applicable SCCs are available on request.

7. Security measures

KPC has implemented and maintains the following technical and organisational security measures:

  • Encryption in transit: All data transmitted between clients and the KPC platform is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Invoice files and extracted data are stored in object storage with server-side encryption.
  • Access controls: Role-based access control restricts data access to authorised users within a Controller's account. KPC staff access to production systems is limited to personnel who require it for service operation.
  • File purging: Uploaded invoice files are retained for up to 30 days from upload for processing and verification, then automatically deleted from object storage.
  • Authentication: User accounts are protected by hashed passwords (bcrypt) and short-lived JWT access tokens. Compromised password detection is applied at registration and password change.
  • Logging and monitoring: Access logs are retained for security monitoring. Anomalous activity triggers internal alerts.
  • Penetration testing and review: Security reviews are conducted periodically or following significant platform changes.

8. Personal data breach notification

In the event of a personal data breach affecting the Controller's personal data, KPC will:

  1. Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach (consistent with GDPR Art. 33).
  2. Provide the Controller with sufficient information to allow it to meet its own breach reporting obligations, including: a description of the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach.
  3. Cooperate with the Controller and take reasonable steps to mitigate and remediate the breach.

Breach notifications will be sent to the primary account email address on file. Customers are responsible for keeping their account contact information current.

9. Audit rights

Upon the Controller's written request and at the Controller's expense, KPC will make available information reasonably necessary to demonstrate compliance with this DPA, including:

  • Completion of a KPC-approved security questionnaire;
  • Review of relevant audit reports, certifications, or attestations that KPC makes generally available to its customers; or
  • A scheduled on-site or virtual audit, subject to at least 30 days' written notice, execution of a mutually agreed confidentiality agreement, and agreement on the scope and duration of the audit.

Audits may not unreasonably interfere with KPC's business operations and may be conducted no more than once per year unless following a confirmed security incident.

10. Data subject rights

KPC will provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under applicable data protection law (access, rectification, erasure, portability, restriction, objection). The Controller is responsible for responding to data subject requests; KPC will assist within a reasonable timeframe upon written request.

Controllers can fulfil the following rights directly within the KPC platform without requiring KPC assistance:

  • Data export (Art. 20 portability): Settings → Data & Privacy → Download Data Export
  • Account erasure (Art. 17): Settings → Data & Privacy → Delete Account (permanent, within 30 days for any backup purging)

11. Retention and deletion

KPC retains personal data for the duration of the Controller's active subscription. Upon account deletion:

  • Account records and extracted invoice data are deleted from production databases immediately.
  • Backup copies are purged within 30 days of deletion.
  • Invoice files uploaded to object storage are retained for up to 30 days from upload (see section 7) and are then purged automatically, with any remaining files also purged upon account deletion.

KPC may retain aggregated, de-identified data that cannot reasonably be used to identify the Controller or any data subject after account deletion for the purpose of service analytics.

12. Term and termination

This DPA is effective from the date the Controller first accepts the KPC Terms and remains in force for the duration of the service agreement. It terminates automatically upon expiry or termination of the service agreement, subject to any post-termination obligations set out herein.

Upon termination, KPC's obligations under section 11 (retention and deletion) apply.

13. Governing law and updates

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of law principles.

KPC may update this DPA from time to time to reflect changes in applicable law, KPC's services, or KPC's sub-processor list. Material changes will be communicated via account notification or email at least 14 days before they take effect. Continued use of the service following the effective date of an update constitutes acceptance of the revised DPA.

14. Contact

For questions about this DPA, to request a signed copy, or to exercise any rights described herein, contact KPC's Privacy Officer:

Email: [email protected]
Subject line: "DPA Request" or "Privacy Inquiry"