Legal — DPA
Data Processing Agreement
Last updated: 22 May 2026 · Version 1.0 · EU SCCs Module 2 (Controller to Processor)
This DPA is incorporated by reference into the Master Services Agreement or Order Form signed between Kairos and the Client. To receive a signed copy, email patricio@kairos.rest.
PDF download coming soon
Preamble
This Data Processing Agreement ("DPA") is entered into between the Client identified in the applicable Order Form ("Controller") and MUR Data Solutions S.L. trading as Kairos ("Processor").
This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Kairos platform service and incorporates the European Commission Standard Contractual Clauses, Module 2 (Controller to Processor), Commission Implementing Decision (EU) 2021/914.
1. Definitions
Terms have the meaning given in GDPR (Regulation (EU) 2016/679). In addition:
- "Personal Data" — as defined in GDPR Art. 4(1)
- "Sub-Processor" — any third party engaged by the Processor to process Personal Data on the Controller's behalf
- "Security Incident" — any breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data
2. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Service as described in the applicable MSA or Order Form. This DPA commences on the effective date of that agreement and terminates upon its expiry or earlier termination.
3. Nature and Purpose of Processing
The Processor shall process Personal Data solely to provide the Service, including: ingesting and analysing restaurant operational data; running AI inference on PII-redacted prompts; generating reports and insights; and providing the platform dashboard to authorised users.
4. Types of Personal Data and Categories of Data Subjects
| Data subject | Types of personal data |
|---|---|
| Restaurant staff | Name, employment details, salary (where processed via staff module) |
| Guests | Reviewer names in public reviews (redacted before LLM processing) |
| Client contacts | Name, email address, job title |
| Platform users | Name, email, login activity (collected directly by Processor via Clerk) |
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (these Terms constitute such instructions), unless required by EU or Member State law
- Ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations
- Implement appropriate technical and organisational measures per GDPR Art. 32 (see Annex II)
- Not engage Sub-Processors without prior authorisation (general authorisation granted by acceptance of this DPA; current list at kairos.rest/subprocessors)
- Assist the Controller with fulfilling data subject rights requests under GDPR Chapter III
- Assist the Controller with obligations under GDPR Art. 32–36 (security, breach notification, DPIA, prior consultation)
- At the Controller's choice, delete or return all Personal Data on termination, and delete existing copies unless law requires retention
- Make available all information necessary to demonstrate compliance; cooperate with audits (maximum once per year, 30 days' notice, at Controller's cost)
6. Sub-Processors
The Controller grants general authorisation to engage Sub-Processors listed at kairos.rest/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a Sub-Processor. The Processor imposes data protection obligations on each Sub-Processor no less protective than this DPA.
7. International Transfers
Where Personal Data is transferred to a Sub-Processor outside the EEA, the Processor relies on the safeguards described in the Privacy Policy §5 (EU-US DPF or SCCs). These SCCs are incorporated into this DPA by reference.
8. Security Incident Notification
The Processor shall notify the Controller without undue delay and within 72 hours after becoming aware of a Security Incident affecting Personal Data under this DPA. Notification will include: nature of the incident; categories and approximate number of data subjects affected; likely consequences; measures taken or proposed.
9. Term and Termination
This DPA is co-terminus with the underlying MSA or Order Form. On termination, Section 5(g) (data deletion / return) applies. Sections 5, 7, and 8 survive termination to the extent required by applicable law.
Annex I.A — Parties
| Controller | Processor | |
|---|---|---|
| Name | [Client legal name per Order Form] | MUR Data Solutions S.L. trading as Kairos |
| Address | [Client address per Order Form] | Torrent de l'Olla 121, 1º 2ª, CP 08012 Barcelona, España |
| CIF | [Client VAT/tax ID] | B19837715 |
| Contact | [Client DPO or legal contact] | patricio@kairos.rest |
| Role | Controller | Processor |
Annex I.B — Description of Transfer
Personal data is transferred from Controller to Processor for the purpose of providing the Kairos restaurant intelligence platform. Data categories and subject categories are listed in Section 4. Processing is continuous for the duration of the subscription.
Annex I.C — Competent Supervisory Authority
The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), Spain, in accordance with Clause 13 of the SCCs.
Annex II — Technical and Organisational Security Measures (Art. 32 GDPR)
- Encryption at rest: database encrypted via Prisma Postgres; S3 objects encrypted with AES-256
- Encryption in transit: TLS 1.2+ enforced on all connections
- Access control: RBAC via Clerk; principle of least privilege; MFA required for admin accounts
- PII redaction: guest review data redacted before any LLM inference call
- Error monitoring: Sentry configured with PII scrubbing rules
- Audit logging: key data access events logged with timestamp and user ID
- Backups: 30-day rolling backups; restoration tested quarterly
- Vulnerability management: dependency scanning in CI pipeline; critical patches applied within 7 days
- Incident response: documented procedure; 72h notification SLA to Controller
- Personnel: all personnel with access to personal data bound by confidentiality agreements
Annex III — Authorised Sub-Processors
See kairos.rest/subprocessors for the current authorised Sub-Processor list. The Controller will be notified of changes per Section 6 of this DPA.