Data Processing Addendum

The terms on which Kauzio processes personal data on your behalf, under UK GDPR and the Data Protection Act 2018.

Last updated · 12 May 2026

This Data Processing Addendum (“DPA”) forms part of the Kauzio Terms of Service between Kauzio Ltd (“Kauzio”, “we”) and the customer (“you”) where Kauzio processes Personal Data on your behalf. Where this DPA conflicts with the Terms, this DPA prevails.

1. Roles

You are the Data Controller. Kauzio is the Data Processor. We process Personal Data only on your documented instructions, which include your use of the product and any written direction you give us.

2. Subject matter and duration

We process Personal Data for the duration of your subscription, plus a 30-day grace period for export and deletion. After the grace period, Personal Data is irreversibly deleted from production stores and from backups within 90 days.

3. Nature and purpose of processing

To provide the Kauzio decision-intelligence platform: ingesting operational data you choose to connect, producing decision verdicts, storing tamper-evident decision receipts, and enabling your team to collaborate on those decisions.

4. Categories of data subject and data

Data subjects typically include your employees, contractors, and where relevant, your customers. Categories of Personal Data include contact identifiers, role, decision content, and any operational data you choose to ingest. Special category data should not be sent to Kauzio.

5. Security measures

Kauzio applies, at a minimum: AES-256 at rest, TLS 1.3 in transit, per-tenant row-level isolation, role-based access control, audit logging on production access, mandatory two-factor for engineering staff, and encrypted backups. The full security overview is at /security.

6. Sub-processors

We use a small set of sub-processors to deliver the service. Material additions are notified by email at least 14 days before they come into effect, and you may object in writing.

  • Amazon Web Services (eu-west-2): primary hosting and storage.
  • Stripe Payments Europe: payment processing for billing.
  • Anthropic / OpenAI: large-model inference for decision engines. Inputs are not used to train shared models.
  • Plausible Analytics: aggregate, privacy-friendly product analytics. No personal identifiers.

7. International transfers

Personal Data is stored primarily in the United Kingdom. Where transfers outside the UK occur (for example, model inference), we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with the applicable transfer impact assessment on file.

8. Data subject rights

We assist you in responding to data subject requests (access, erasure, rectification, restriction, portability) without undue delay. End users may export and delete their own data directly from Settings.

9. Breach notification

We will notify you in writing within 72 hours of becoming aware of a Personal Data Breach affecting your workspace, with the information required for you to fulfil your own notification duties under UK GDPR Articles 33 and 34.

10. Audits

You may audit Kauzio's compliance with this DPA once per contract year on 30 days' written notice, during business hours, at your own expense, under reasonable confidentiality terms. In place of an on-site audit we will, on request, share our current security overview and any third-party assurance reports we hold.

11. Contact

Data Protection enquiries: privacy@kauzio.com. Kauzio Ltd, Nottingham, United Kingdom. Registered with the UK Information Commissioner's Office.