Legal — DPA

Data Processing Agreement

Last updated: 22 May 2026 · Version 1.0 · EU SCCs Module 2 (Controller to Processor)

This DPA is incorporated by reference into the Master Services Agreement or Order Form signed between Kairos and the Client. To receive a signed copy, email patricio@kairos.rest.

PDF download coming soon

Preamble

This Data Processing Agreement ("DPA") is entered into between the Client identified in the applicable Order Form ("Controller") and MUR Data Solutions S.L. trading as Kairos ("Processor").

This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Kairos platform service and incorporates the European Commission Standard Contractual Clauses, Module 2 (Controller to Processor), Commission Implementing Decision (EU) 2021/914.

1. Definitions

Terms have the meaning given in GDPR (Regulation (EU) 2016/679). In addition:

  • "Personal Data" — as defined in GDPR Art. 4(1)
  • "Sub-Processor" — any third party engaged by the Processor to process Personal Data on the Controller's behalf
  • "Security Incident" — any breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data

2. Subject Matter and Duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Service as described in the applicable MSA or Order Form. This DPA commences on the effective date of that agreement and terminates upon its expiry or earlier termination.

3. Nature and Purpose of Processing

The Processor shall process Personal Data solely to provide the Service, including: ingesting and analysing restaurant operational data; running AI inference on PII-redacted prompts; generating reports and insights; and providing the platform dashboard to authorised users.

4. Types of Personal Data and Categories of Data Subjects

Data subjectTypes of personal data
Restaurant staffName, employment details, salary (where processed via staff module)
GuestsReviewer names in public reviews (redacted before LLM processing)
Client contactsName, email address, job title
Platform usersName, email, login activity (collected directly by Processor via Clerk)

5. Obligations of the Processor

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller (these Terms constitute such instructions), unless required by EU or Member State law
  2. Ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations
  3. Implement appropriate technical and organisational measures per GDPR Art. 32 (see Annex II)
  4. Not engage Sub-Processors without prior authorisation (general authorisation granted by acceptance of this DPA; current list at kairos.rest/subprocessors)
  5. Assist the Controller with fulfilling data subject rights requests under GDPR Chapter III
  6. Assist the Controller with obligations under GDPR Art. 32–36 (security, breach notification, DPIA, prior consultation)
  7. At the Controller's choice, delete or return all Personal Data on termination, and delete existing copies unless law requires retention
  8. Make available all information necessary to demonstrate compliance; cooperate with audits (maximum once per year, 30 days' notice, at Controller's cost)

6. Sub-Processors

The Controller grants general authorisation to engage Sub-Processors listed at kairos.rest/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a Sub-Processor. The Processor imposes data protection obligations on each Sub-Processor no less protective than this DPA.

7. International Transfers

Where Personal Data is transferred to a Sub-Processor outside the EEA, the Processor relies on the safeguards described in the Privacy Policy §5 (EU-US DPF or SCCs). These SCCs are incorporated into this DPA by reference.

8. Security Incident Notification

The Processor shall notify the Controller without undue delay and within 72 hours after becoming aware of a Security Incident affecting Personal Data under this DPA. Notification will include: nature of the incident; categories and approximate number of data subjects affected; likely consequences; measures taken or proposed.

9. Term and Termination

This DPA is co-terminus with the underlying MSA or Order Form. On termination, Section 5(g) (data deletion / return) applies. Sections 5, 7, and 8 survive termination to the extent required by applicable law.

Annex I.A — Parties

ControllerProcessor
Name[Client legal name per Order Form]MUR Data Solutions S.L. trading as Kairos
Address[Client address per Order Form]Torrent de l'Olla 121, 1º 2ª, CP 08012 Barcelona, España
CIF[Client VAT/tax ID]B19837715
Contact[Client DPO or legal contact]patricio@kairos.rest
RoleControllerProcessor

Annex I.B — Description of Transfer

Personal data is transferred from Controller to Processor for the purpose of providing the Kairos restaurant intelligence platform. Data categories and subject categories are listed in Section 4. Processing is continuous for the duration of the subscription.

Annex I.C — Competent Supervisory Authority

The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), Spain, in accordance with Clause 13 of the SCCs.

Annex II — Technical and Organisational Security Measures (Art. 32 GDPR)

  • Encryption at rest: database encrypted via Prisma Postgres; S3 objects encrypted with AES-256
  • Encryption in transit: TLS 1.2+ enforced on all connections
  • Access control: RBAC via Clerk; principle of least privilege; MFA required for admin accounts
  • PII redaction: guest review data redacted before any LLM inference call
  • Error monitoring: Sentry configured with PII scrubbing rules
  • Audit logging: key data access events logged with timestamp and user ID
  • Backups: 30-day rolling backups; restoration tested quarterly
  • Vulnerability management: dependency scanning in CI pipeline; critical patches applied within 7 days
  • Incident response: documented procedure; 72h notification SLA to Controller
  • Personnel: all personnel with access to personal data bound by confidentiality agreements

Annex III — Authorised Sub-Processors

See kairos.rest/subprocessors for the current authorised Sub-Processor list. The Controller will be notified of changes per Section 6 of this DPA.