Data Processing Addendum (DPA)

Provider: Kacper Kolasa trading as Kasper Automation

Client: CLIENT LEGAL NAME

Contact: hello@kasperautomation.com

Security contact: security@kasperautomation.com

Effective date: 2025-12-12  |  Last updated: 2025-12-12

This Data Processing Addendum ("DPA") forms part of the agreement between the Controller and the Processor for the Services. It applies where the Processor processes Personal Data on behalf of the Controller.

If you need this DPA countersigned, email hello@kasperautomation.com with subject line "DPA Signature Request".

Download: Available upon request

Subprocessors list: /subprocessors.html

1) Definitions

For the purposes of this DPA:

"Applicable Data Protection Law"
Means UK GDPR, the Data Protection Act 2018, EU GDPR (where applicable), and any other applicable laws relating to the Processing of Personal Data under this DPA.
"Controller"
Has the meaning given in Applicable Data Protection Law.
"Processor"
Has the meaning given in Applicable Data Protection Law.
"Personal Data"
Means any information relating to an identified or identifiable natural person that is processed under this DPA.
"Processing"
Has the meaning given in Applicable Data Protection Law, and "Process" and "Processed" shall be construed accordingly.
"Subprocessor"
Means any Processor appointed by the Processor to Process Personal Data on behalf of the Controller.
"Services"
Means the services described in the parties' agreement, statement of work, proposal, or other written agreement.

2) Roles of the parties

2.1 The Controller is the Controller of Personal Data Processed under this DPA.

2.2 The Processor Processes Personal Data only on behalf of and in accordance with the Controller's documented instructions, as described in this DPA and the agreement between the parties.

3) Details of processing

3.1 The subject matter, duration, nature, and purpose of Processing, and the types of Personal Data and categories of Data Subjects are described in Annex 1 (Processing Details).

3.2 The Controller may update Annex 1 in writing where reasonably necessary to reflect changes to the Services.

4) Controller obligations

4.1 The Controller warrants that it has complied and will comply with Applicable Data Protection Law in relation to Personal Data provided to the Processor and instructions given to the Processor.

4.2 The Controller is responsible for:

  • Determining the purposes and lawful basis for Processing;
  • Ensuring appropriate notices are provided to Data Subjects;
  • Handling Data Subject requests, except where the Processor is required to assist under this DPA.

5) Processor obligations

5.1 Instructions. The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. Where the Processor is required by law to Process Personal Data other than on the Controller's instructions, the Processor shall (to the extent permitted by law) inform the Controller of that legal requirement.

5.2 Confidentiality. The Processor shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security. The Processor shall implement appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. The measures are described in Annex 2 (Security Measures).

5.4 Subprocessors.

  • The Controller authorises the Processor to appoint Subprocessors in accordance with this Section.
  • The Processor shall maintain an up-to-date list of Subprocessors at /subprocessors.html.
  • Where contractually required, the Processor will provide notice of material changes to Subprocessors.
  • The Processor shall ensure each Subprocessor is bound by written terms that provide a level of protection for Personal Data equivalent to this DPA.
  • The Processor remains responsible to the Controller for the performance of its Subprocessors' obligations.

5.5 Assistance with Data Subject requests. Taking into account the nature of the Processing, the Processor shall provide reasonable assistance to the Controller to fulfil the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, to the extent the Controller cannot fulfil the request through its own access to the relevant systems.

5.6 Assistance with compliance. The Processor shall provide reasonable assistance to the Controller with respect to:

  • Security obligations;
  • Notifications to supervisory authorities and Data Subjects;
  • Data protection impact assessments and prior consultation where required, taking into account the information available to the Processor.

5.7 Personal Data Breach notification. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach involving Personal Data Processed under this DPA. The notification will include information reasonably necessary for the Controller to meet its obligations under Applicable Data Protection Law, to the extent such information is available to the Processor.

5.8 Deletion or return. At the Controller's choice, upon termination of the Services, the Processor shall delete or return Personal Data to the Controller, and delete existing copies, unless retention is required by applicable law. The Processor may retain limited information where necessary for legal compliance, billing, or dispute resolution, in accordance with Applicable Data Protection Law.

5.9 Audits and information. The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. Audits and inspections, if requested, shall:

  • Be limited to once per [12] months unless a Personal Data Breach occurs;
  • Be conducted on reasonable notice;
  • Be subject to confidentiality; and
  • Not unreasonably disrupt the Processor's business.

The Controller shall bear its own costs and reimburse the Processor for reasonable time and expenses incurred in supporting the audit.

6) International transfers

6.1 Where Applicable Data Protection Law restricts transfers of Personal Data outside the UK or EEA, the parties shall ensure appropriate safeguards are in place.

6.2 Depending on the circumstances, safeguards may include:

  • The EU Standard Contractual Clauses (SCCs); and/or
  • The UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs; and/or
  • Another lawful transfer mechanism permitted by Applicable Data Protection Law.

6.3 The Processor shall, on request, provide the Controller with information about the transfer mechanism used for relevant Subprocessors where applicable.

7) Liability

7.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement between the parties, unless Applicable Data Protection Law requires otherwise.

7.2 Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law.

8) Order of precedence

If there is a conflict between this DPA and the main agreement, this DPA shall prevail in relation to the Processing of Personal Data, except where the main agreement provides greater protection for Personal Data, in which case the main agreement shall prevail to that extent.

9) Term and termination

9.1 This DPA remains in effect for as long as the Processor Processes Personal Data on behalf of the Controller under the Services.

9.2 Sections that by their nature should survive termination shall survive, including Sections 5.8, 7, and 8.

10) Contact

For data protection and security requests: security@kasperautomation.com

General contact: hello@kasperautomation.com

Annex 1 — Processing Details

A1. Subject matter

Provision of automation consulting, implementation, and maintenance services, including building and supporting workflows and integrations.

A2. Duration of Processing

For the term of the Services and any agreed support period, subject to deletion/return provisions in this DPA.

A3. Nature and purpose of Processing

Processing activities may include: receiving, transmitting, transforming, updating, and routing data between systems, and performing workflow logging and diagnostics necessary for reliability and support.

A4. Categories of Data Subjects

May include (depending on the Controller's business): prospects, leads, customers, employees, contractors, and other individuals whose data is stored in the Controller's systems.

A5. Types of Personal Data

May include (depending on workflows): names, email addresses, phone numbers, account identifiers, CRM fields, message content, files intentionally routed through workflows, and workflow metadata (timestamps, record IDs).

A6. Special categories of data

Not processed.

A7. Frequency of Processing

Continuous.

Annex 2 — Security Measures

The Processor maintains measures designed to protect Personal Data, which may include:

  • Access controls based on least privilege where feasible
  • Secure handling of credentials and secrets (OAuth where available)
  • Environment and account hardening appropriate to hosting model
  • Monitoring and alerting for workflow failures (where applicable)
  • Documented incident response process
  • Retention controls for logs and support records
  • Secure communication channels for operational support

The specific measures implemented depend on whether delivery is Client-hosted or Managed by us, and will be documented per project where required.

Annex 3 — Subprocessors

Current Subprocessors list: /subprocessors.html

Signature

Controller

Name:

Title:

Company:

Signature:

Date:

Processor

Name: Kacper Kolasa

Title: CEO

Company: Kacper Kolasa trading as Kasper Automation

Signature:

Date: