Data processing addendum
- Last updated
- Effective
- Entity
This Data Processing Addendum ("DPA") is entered into between the customer identified in the underlying order or account (the "Customer" or "Controller") and Kairo Labs LLC, an Illinois limited liability company ("Kairo" or "Processor"). It governs Kairo's processing of personal information on Customer's behalf in connection with the Kairo service (the "Service").
1. Roles, scope, and duration
- Roles. Customer is the controller (or "business" under CCPA/CPRA) of the personal information it submits to the Service. Kairo is the processor (or "service provider" under CCPA/CPRA) and processes that personal information only on Customer's documented instructions.
- Documented instructions. Customer's instructions are (a) to provide the Service as described in the Terms, (b) any instructions issued through the Service's configuration controls, and (c) any other written instructions agreed in advance.
- Scope. Processing is limited to what is reasonably necessary to provide the Service and to comply with applicable law.
- Duration. This DPA is effective for the term of the Customer's subscription and continues for any additional period during which Kairo holds Customer personal information.
2. Categories of data and data subjects
- Categories of personal information: account identifiers (name, email, account ID), authentication data, content Customer or its authorized users submit (events, tasks, notes, files, AI prompts and outputs, messages within Spaces), connected-account metadata, usage and security logs.
- Categories of data subjects: Customer's end users, including employees, contractors, students, members, and other individuals to whom Customer issues Kairo accounts or who interact with Customer through the Service.
- Special / sensitive categories: Kairo does not require Customer to submit sensitive personal information. Customer agrees not to submit data subject to HIPAA (PHI), PCI-DSS account data, biometric identifiers, or government identification numbers through the Service.
3. Confidentiality
Kairo personnel who access Customer personal information are bound by written confidentiality obligations that survive termination of their engagement. Access is granted on a least-privilege, need-to-know basis and is revoked promptly on role change or departure.
4. Security measures
Kairo implements the technical and organizational measures described on the Security page, which is incorporated into this DPA by reference. Kairo may update those measures provided that they continue to provide a level of security at least equivalent to that described.
5. Sub-processors
Customer authorizes Kairo to engage the sub-processors listed on the Sub-processors page. Kairo:
- imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA;
- remains responsible to Customer for each sub-processor's performance;
- provides at least 30 days' advance notice before adding or replacing a sub-processor (by updating the page and notifying subscribed Customers by email);
- permits Customer to object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the concern, and absent resolution Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of prepaid unused fees.
6. Data subject requests
Kairo provides in-app tools that allow Customer to access, export, correct, and delete personal information. If Kairo receives a request directly from a data subject relating to Customer data, Kairo will (a) not respond to the substance of the request other than to acknowledge receipt and (b) promptly forward it to Customer. Kairo will reasonably assist Customer in responding to verifiable data-subject requests at no additional charge.
7. Breach notification
Kairo will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal-data breach affecting Customer personal information. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
8. Audits and assurance
Kairo will respond in good faith to a reasonable annual written security questionnaire from Customer. Kairo does not currently hold a SOC 2 Type II attestation; if and when one is obtained, Kairo will make the most recent report available to Customer under NDA on request, no more than once per calendar year. Customer may not perform an on-site audit of Kairo's production infrastructure, except where required by a supervisory authority with jurisdiction over Customer.
9. International transfers
Kairo processes and stores all Customer personal information in the United States. Kairo will not transfer Customer personal information outside the United States without first amending this DPA to include appropriate transfer mechanisms (e.g., the EU Standard Contractual Clauses or UK IDTA) and notifying Customer in writing.
10. Return or deletion on termination
On termination of the Service for any reason, Customer may export its data in standard formats (JSON + ICS) for 30 days after termination. After that window, Kairo will delete or anonymize Customer personal information from production systems within 30 days, and from backups as backups roll off (no later than 90 days). Kairo may retain information for longer where required by law or for the establishment, exercise, or defense of legal claims; that information remains subject to the confidentiality and security obligations of this DPA.
11. CCPA / CPRA service-provider terms
With respect to personal information of California residents, Kairo certifies that it (a) is acting as a "service provider" or "contractor," (b) does not sell or share personal information for cross-context behavioral advertising, (c) will not retain, use, or disclose personal information for any purpose other than the business purposes specified in the Terms, (d) will not combine Customer personal information with personal information from other sources except as permitted by 11 CCR §7050(b), and (e) will notify Customer if it determines it can no longer meet these obligations.
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions in section 13 of the Terms of service, as if those provisions were restated here. Nothing in this section limits liability that cannot be limited under applicable law.
13. Order of precedence
In the event of a conflict between this DPA and the Terms with respect to the processing of personal information, this DPA controls. In all other respects, the Terms control.
14. Signing this DPA
Customers on paid business plans can request a counter-signed copy of this DPA via DocuSign by emailing legal@heykairo.io with the account email and the signatory's name and title.