Data Processing Agreement
Last updated: 2026-05-14
This is a placeholder draft. Replace with a lawyer-reviewed DPA before signing with enterprise customers. SCC modules and country-specific terms have been omitted from this skeleton.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Tacit Terms of Service (the "Agreement") between Kiwana AI, Inc. ("Processor"), a Delaware corporation that builds and operates Tacit, and the customer entity ("Controller") that accepts the Agreement.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement and in the GDPR / UK GDPR / applicable data protection laws.
2. Scope and Roles
Controller determines the purposes and means of the Processing. Processor processes Personal Data on Controller's behalf solely to provide the Service.
3. Processing Details
- Subject matter: AI agent orchestration platform
- Duration: For the term of the Agreement and 30 days thereafter
- Categories of data subjects: Controller's employees, contractors, end-customers whose data Controller uploads
- Categories of data: As uploaded by Controller. Typically: business process descriptions, vendor/customer identifiers, decision records, agent prompts, audit logs.
- Purpose: Providing the Service per the Agreement
4. Sub-processors
A current list is maintained at /legal/subprocessors. Processor will notify Controller at least 30 days before adding a sub-processor, allowing Controller to object.
5. Security Measures
Processor implements:
- TLS 1.2+ in transit
- Encryption at rest (Postgres-managed + per-tenant credential vault via pgcrypto)
- Postgres Row-Level Security for tenant isolation
- Audit logging of administrative actions
- Sub-processor security review
- SOC 2 Type II (in progress)
6. Data Subject Rights
Processor will assist Controller in responding to data subject requests (access, rectification, erasure, portability) within reasonable timeframes. The Service provides self-serve POST /api/tenant/export and POST /api/tenant/delete endpoints.
7. International Transfers
Where Personal Data is transferred outside the EEA/UK to a country not deemed adequate, Processor will rely on Standard Contractual Clauses or equivalent safeguards. SCCs available on request.
8. Breach Notification
Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Controller's data.
9. Audits
On at least 30 days' written notice and not more than once per year (except after a Breach), Controller may audit Processor's compliance. SOC 2 reports satisfy this where available.
10. Term and Termination
This DPA terminates with the Agreement. On termination, Processor will delete or return Personal Data within 30 days unless legally required to retain.
11. Governing Law
Governed by the law of the Agreement.
Signed for Processor by: Kiwana AI, Inc. — name / title / date
Signed for Controller by: [customer] — name / title / date