Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy between Karkadi LLC ("Karkadi," "Processor") and the customer ("Customer," "Controller") and governs the processing of personal data in connection with Karkadi's AI monitoring and testing services.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

"Processing" means any operation performed on Personal Data, including collection, storage, use, analysis, and deletion.

"Controller" means the Customer, who determines the purposes and means of Processing Personal Data.

"Processor" means Karkadi LLC, which processes Personal Data on behalf of the Controller.

"Subprocessor" means any third party engaged by Karkadi to process Personal Data on behalf of the Controller.

2. Roles and Scope

The Customer acts as the Controller. Karkadi acts as the Processor. Karkadi processes Personal Data solely to provide the AI testing, monitoring, and reporting services described in the Terms of Service.

Processing activities include:

• Executing structured tests against customer AI systems
• Recording AI agent responses and outputs during testing
• Storing test results, scores, and diagnostic data
• Generating and delivering performance reports

3. Processing Instructions

Karkadi will process Personal Data only in accordance with the Customer's documented instructions, as reflected in the Terms of Service and any applicable service agreement. Karkadi will not process Personal Data for any purpose other than providing the contracted services unless required by applicable law.

If Karkadi believes an instruction from the Customer infringes applicable data protection law, Karkadi will promptly notify the Customer.

4. Security Measures

Karkadi implements reasonable technical and organizational measures to protect Personal Data against unauthorized access, loss, alteration, or destruction. These measures include:

• Encryption of data in transit (TLS 1.2+)
• Access controls with role-based permissions
• Secure infrastructure hosted by reputable cloud providers
• Regular review of security practices

5. Subprocessors

The Customer authorizes Karkadi to engage the following Subprocessors for the purposes described:

Subprocessor	Purpose	Location
Supabase	Data storage and application infrastructure	United States
Stripe	Payment processing	United States
Resend	Transactional email delivery	United States
Langfuse	AI observability infrastructure	EU / United States
HubSpot	Customer relationship management	United States

Karkadi will notify the Customer at least 14 days before engaging a new Subprocessor. If the Customer objects to a new Subprocessor, the Customer may terminate the affected services by providing written notice within 14 days of notification.

Karkadi ensures that all Subprocessors are bound by data protection obligations no less protective than those set out in this DPA.

6. Data Subject Rights

Karkadi will assist the Customer in responding to data subject requests (access, correction, deletion, portability, objection) to the extent technically feasible and as required by applicable law. Karkadi will notify the Customer promptly if it receives a data subject request directly, unless prohibited by law from doing so.

7. Data Breach Notification

In the event of a Personal Data breach, Karkadi will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include:

• Nature of the breach, including categories and approximate number of data subjects affected
• Contact information for Karkadi's designated point of contact
• Description of likely consequences
• Description of measures taken or proposed to address the breach

8. International Data Transfers

Where Personal Data is transferred from a jurisdiction that restricts international data transfers (such as the EEA, UK, or Switzerland) to a jurisdiction without an adequate level of data protection, Karkadi will ensure that appropriate transfer mechanisms are in place. These may include:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission
• UK International Data Transfer Addendum, where applicable
• Other lawful transfer mechanisms recognized by applicable data protection authorities

9. Data Retention and Deletion

Karkadi will retain Personal Data only for as long as necessary to provide the contracted services. Upon termination of the service agreement, Karkadi will delete or return Personal Data within 30 days, unless retention is required by applicable law.

The Customer may request earlier deletion by contacting hello@karkadi.com.

10. Audit Rights

Upon reasonable written request and no more than once per 12-month period, Karkadi will make available to the Customer information necessary to demonstrate compliance with this DPA. This may include summaries of security practices, third-party audit reports, or certifications where available.

On-site audits may be conducted at the Customer's expense, with at least 30 days' advance written notice and subject to reasonable confidentiality obligations.

11. No Model Training

Karkadi does not use Customer Personal Data or AI interaction data to train, fine-tune, or improve machine learning models. Data is processed solely to deliver the contracted testing and monitoring services.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement between the Customer and Karkadi. Obligations relating to data deletion, security, and confidentiality survive termination.

13. Contact

For DPA-related inquiries: hello@karkadi.com