Data Processing Agreement

Skyes Over London LC  ·  Version 1.0  ·  Effective: March 1, 2026

1. Definitions

Terms used but not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR as applicable.

• "Personal Data" means any information relating to an identified or identifiable natural person that Controller submits to the Services
• "Processing" means any operation performed on Personal Data
• "Sub-processor" means any third party engaged by Processor to Process Personal Data
• "Services" means the kAIxU SuperIDE platform as described in the Terms of Service
• "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or disclosure of Personal Data

2. Subject Matter and Duration

Processor agrees to process Personal Data on behalf of Controller solely for the purpose of providing the Services, for the duration of the subscription and for 30 days thereafter (during which Controller may export data prior to deletion).

3. Nature and Purpose of Processing

Category	Examples	Purpose
Identity data	Email address, hashed password	Account management, authentication
Workspace content	Code, text files	Storage and retrieval, AI-assisted editing (with users' consent)
Usage and telemetry	AI call counts, session metadata	Quota enforcement, billing, debugging
Security events	Login IPs, MFA events	Account security, audit logging

Data subjects include: Controller's employees, contractors, and end users who access the Services.

4. Processor Obligations

Processor shall:

• Process Personal Data only on documented instructions from Controller (or as required by applicable law)
• Ensure that authorised personnel are subject to appropriate confidentiality obligations
• Implement technical and organisational measures as described in Section 6 and at /security
• Not engage Sub-processors without prior written consent (including general consent given by Controller's acceptance of this DPA); current Sub-processors are listed at /subprocessors
• Notify Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident
• Assist Controller in responding to data subject rights requests, impact assessments, and regulatory enquiries
• Delete or return all Personal Data upon termination of the Services at Controller's choice, within 30 days

5. Controller Obligations

Controller represents and warrants that it has the legal authority to provide Personal Data to Processor, that Personal Data has been collected lawfully, and that it has provided required notices to data subjects regarding the use of the Services.

6. Technical and Organisational Measures (TOMs)

Domain	Measure
Encryption in transit	TLS 1.2 minimum on all connections; HSTS enforced
Encryption at rest	AES-256 at infrastructure level (Neon PostgreSQL)
Access control	Role-based access (owner / admin / editor / viewer); principle of least privilege
Authentication	bcrypt (cost 12) password hashing; TOTP MFA available
Audit logging	All auth events, data access, and admin actions logged with IP and timestamp
Vulnerability management	npm audit on every CI run; dependency updates reviewed monthly
Incident response	Security Incident response plan with 72-hour notification SLA
Personnel security	Principle of least privilege for internal system access; confidentiality agreements required

7. Sub-processors

Controller grants general written authorisation to engage the Sub-processors listed at /subprocessors. Processor shall notify Controller of any intended changes to Sub-processors with at least 15 days notice. Controller may object in writing within 15 days; if no resolution is reached, Controller may terminate the Services with a pro-rated refund.

8. International Transfers

Where Personal Data is transferred outside the EEA or UK to Sub-processors in the USA, such transfers are made under the EU Standard Contractual Clauses (Controller to Processor, Module 2) and, where applicable, the UK International Data Transfer Addendum. Copies of applicable SCCs are available upon written request to legal@kaixu.app.

9. Audit Rights

Controller (or its appointed auditor under confidentiality) may audit Processor's compliance with this DPA once per calendar year, with 30 days written notice, during business hours. Processor may satisfy audit requests by providing a current SOC 2 Type II report or equivalent third-party assessment in lieu of on-site audit.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA does not expand those limits. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

11. Governing Law

This DPA is governed by the same law as the Terms of Service, except where the GDPR or UK GDPR mandates otherwise. For EU / UK data transfers, the governing law for the SCCs is the law of the relevant EU member state or England and Wales respectively.

12. Contact

Data Protection enquiries: privacy@kaixu.app
Legal: legal@kaixu.app

13. Signatures

By accepting the Terms of Service (including the incorporated DPA), Controller agrees to be bound by this DPA as of the date of acceptance. Enterprise customers requiring a separately countersigned DPA should contact legal@kaixu.app.