Data Processing Addendum

Customer is the controller or similar responsible party for Customer Personal Data. Kochi is the processor or service provider for that data when we process it on Customer’s documented instructions. For account administration, billing, support, product analytics, and other data Kochi determines the purposes and means for, Kochi acts as a controller or equivalent independent business.

Kochi will process Customer Personal Data only to provide the services, comply with Customer’s documented instructions, meet legal obligations, and carry out other instructions that are consistent with the agreement. Kochi will not sell or share Customer Personal Data, and Kochi will not use it to train, fine-tune, or improve AI or machine learning models unless Customer gives explicit written opt-in.

Kochi limits access to Customer Personal Data to personnel and subprocessors who need access for the service and who are bound by confidentiality obligations. Kochi maintains administrative, physical, and technical safeguards designed to protect Customer Personal Data against unauthorized access, loss, or disclosure. Current security measures and operational details may be described in the security documentation or Responsible Disclosure materials.

Customer authorizes Kochi to use subprocessors and cloud providers as needed to deliver the service. Those subprocessors may include Vercel, Neon, WorkOS, Mailmodo, Amplitude, Helicone, Braintrust, Sanity, OpenAI, Anthropic, and Google/Gemini, along with other vendors that support hosting, analytics, messaging, monitoring, and model access. Kochi will impose data protection obligations on subprocessors that are appropriate to their role.

If Kochi becomes aware of a confirmed personal data breach affecting Customer Personal Data, Kochi will notify Customer without undue delay after confirmation and will provide information reasonably available to help Customer meet its own legal obligations. Kochi will also reasonably cooperate with Customer on remediation, containment, and regulatory response.

If Kochi receives a data subject request for Customer Personal Data, Kochi will, where legally permitted and technically feasible, promptly notify Customer and reasonably assist Customer in responding. Customer is responsible for assessing the request and deciding on the lawful response.

On termination of the services, or sooner on Customer’s written request where feasible, Kochi will delete or return Customer Personal Data in accordance with the agreement and applicable law, except where retention is required by law, for dispute resolution, or for backup and disaster recovery cycles that are then overwritten in the ordinary course.

Customer authorizes Kochi to transfer and process Customer Personal Data in the United States and other countries where Kochi or its subprocessors operate. Where the transfer requires additional safeguards, Kochi will rely on appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses or a substantially similar lawful transfer framework.

Kochi will make available information reasonably necessary to demonstrate compliance with this DPA and will respond to reasonable security and privacy questions from Customer. Any on-site audit right must be limited to once per year, during normal business hours, on reasonable notice, and must be scoped to the service being used so that Customer does not disrupt other customers or Kochi’s confidentiality obligations.

Customer understands that Kochi may separately process account details, billing contacts, logs, analytics, and service-usage telemetry as a controller for its own legitimate business purposes, including service operation, security, fraud prevention, and product analytics. That processing is governed by the Privacy Policy and, where applicable, the Cookie Policy.

The table below summarizes the main processing terms for Customer Personal Data.

Questions about this DPA may be sent to support@kochi.so, including requests that require postal contact.

Related documents: the Privacy Policy, the Cookie Policy, the Subprocessors list, and the Responsible Disclosure policy.