This Data Processing Agreement ("DPA") supplements the Kryptos Terms of Service for customers that process personal data through the Service. It sets out the rights and obligations of Customer (Controller) and Kryptos (Processor) under applicable data protection laws, including the GDPR and UK GDPR.
1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" have the meanings given in the GDPR.
"Customer Personal Data" means personal data that Customer (acting as Controller) provides to Kryptos for Processing under the Terms of Service.
"Sub-processor" means a third party engaged by Kryptos to Process Customer Personal Data.
2. Scope and roles
This DPA applies when Kryptos Processes Customer Personal Data on Customer's behalf. Customer is the Controller. Kryptos is the Processor. Each party complies with its respective obligations under applicable data protection laws.
3. Processing instructions
Kryptos Processes Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required by EU/EEA or Member State law to do otherwise. The subject matter, duration, nature, and purpose of Processing, the categories of Data Subjects and types of personal data are described in Annex 1 to this DPA (available on request).
4. Sub-processors
Customer authorises Kryptos to engage Sub-processors. Current Sub-processors are listed on our security overview page. Kryptos will notify Customer of new Sub-processors at least 14 days before they are engaged, giving Customer the opportunity to object.
5. Security
Kryptos implements appropriate technical and organisational measures to protect Customer Personal Data, including encryption in transit and at rest, access controls, vulnerability management, and incident response. Kryptos undergoes an annual SOC 2 Type II audit; the audit report is available under NDA.
6. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the Standard Contractual Clauses adopted by the European Commission, Module Two (controller to processor), incorporated by reference into this DPA.
7. Data subject rights
Kryptos assists Customer in responding to requests from Data Subjects to exercise their rights, including access, rectification, erasure, restriction, portability, and objection. Where Kryptos receives a request directly, it forwards the request to Customer without undue delay.
8. Security incidents
Kryptos notifies Customer of any Personal Data Breach involving Customer Personal Data without undue delay after becoming aware. The notification includes information needed for Customer to meet its own GDPR notification obligations.
9. Duration and termination
This DPA remains in effect as long as Kryptos Processes Customer Personal Data. On termination of the underlying Terms of Service, Kryptos returns or deletes Customer Personal Data per Customer's instructions, subject to any legal retention obligations.
10. General
This DPA is incorporated into and forms part of the Terms of Service. In case of conflict between this DPA and the Terms, this DPA prevails for matters of data protection. Kryptos may update this DPA from time to time; material changes are notified at least 30 days in advance.
DPA execution
Enterprise customers can request a signed DPA from our Data Protection Officer.
dpo@kryptos.io