Data Processing Addendum

Last updated · May 20, 2026 · v0.1 — draft

Draft for review. This page is Kommit's standard Data Processing Addendum template. It is not a final, executed agreement; the binding version is countersigned with your MSA. To request the executable form, email legal@getkommit.ai.

This Data Processing Addendum (the “DPA”) forms part of the master agreement (the “Agreement”) between the customer entity that has subscribed to Kommit (the “Customer”) and Kommit, Inc., a Delaware corporation (“Kommit”). It governs the Processing of Personal Data by Kommit on Customer's behalf. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.

1. About this DPA

Kommit operates a control plane for enterprise AI agents. In delivering the Service, Kommit acts as a Processor of Personal Data that Customer or its end-users submit to the Service. This DPA sets out the parties' respective obligations under the GDPR, UK GDPR, and Swiss FADP and incorporates the EU Standard Contractual Clauses by reference where international transfers are involved.

2. Definitions

Capitalised terms not defined here have the meaning given in the Agreement.

  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings set out in Article 4 of the GDPR.
  • “Customer Data” means any data, including Personal Data, that Customer or its end-users submit to the Service for Processing.
  • “Data Protection Laws” means the EU GDPR (Regulation 2016/679), the UK GDPR, the Swiss FADP, and any implementing or successor legislation applicable to the Processing.
  • “Service” means the Kommit control plane, runtime, SDKs, APIs, and any associated tools made available to Customer under the Agreement.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), as supplemented for UK and Swiss transfers by the UK Addendum issued by the ICO and the relevant Swiss adaptations.
  • “Sub-processor” means any third party engaged by Kommit to Process Customer Data on Customer's behalf.

3. Subject matter and duration of processing

The subject matter of the Processing is Kommit's provision of the Service to Customer pursuant to the Agreement. The Processing continues for the term of the Agreement and for the additional period specified in Section 13 (Return or deletion of Customer Data).

4. Nature, purpose, and scope of processing

Kommit Processes Customer Data solely to provide, secure, and operate the Service in accordance with Customer's documented instructions, including routing AI model calls, recording audit-trail events, applying policy and evaluation gates, and producing the outputs that Customer's workflows request. Kommit will not Process Customer Data for any other purpose, including the training or fine-tuning of any artificial intelligence model.

5. Customer Data, data subjects, and special categories

Depending on how Customer configures the Service, Customer Data may include identifiers, contact details, employment information, content of business communications, and any other data Customer submits to the Service. Categories of Data Subjects may include Customer's employees, contractors, prospects, customers, and end-users.

Customer is responsible for determining whether the Service is appropriate for any special categories of Personal Data (Article 9 GDPR), including health, biometric, or criminal-record data. Where Customer chooses to Process such data through the Service, Customer remains responsible for the lawful basis and for configuring the Service's redaction and policy controls accordingly.

6. Roles and obligations

Customer acts as the Controller and Kommit as the Processor of the Customer Data. Kommit will:

  • Process Customer Data only on Customer's documented instructions, including with respect to international transfers, except as otherwise required by applicable law (in which case Kommit will inform Customer of that legal requirement before Processing unless the law prohibits such notice on important grounds of public interest).
  • Ensure that personnel authorised to Process Customer Data are subject to a binding duty of confidentiality.
  • Implement and maintain appropriate technical and organisational measures in line with Article 32 GDPR (Section 9).
  • Assist Customer, taking into account the nature of the Processing, in responding to Data Subject requests and in meeting Customer's obligations under Articles 32 to 36 GDPR.
  • At Customer's choice, delete or return Customer Data at the end of the provision of services, as set out in Section 13.
  • Make available to Customer the information necessary to demonstrate compliance with these obligations, including by allowing for and contributing to audits as set out in Section 12.

7. Sub-processors

Customer authorises Kommit to engage Sub-processors to Process Customer Data in connection with the Service. The current list is maintained at /subprocessors and is incorporated by reference into this DPA.

Kommit will give Customer at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service without penalty.

Kommit imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to Customer for the acts and omissions of its Sub-processors.

8. International transfers and Standard Contractual Clauses

Where the Processing of Customer Data involves a transfer of Personal Data to a country outside the European Economic Area, the United Kingdom, or Switzerland that has not received an adequacy decision, the parties enter into the Standard Contractual Clauses (Module Two — Controller to Processor), which are incorporated into this DPA by reference. For UK transfers, the UK International Data Transfer Addendum applies; for Swiss transfers, the FADP-equivalent adaptations apply.

Customer's signature on the Agreement is deemed signature of the SCCs. The optional clauses are populated as follows: the docking clause (Clause 7) applies; option 2 of Clause 9 (general written authorisation for Sub-processors with thirty-day notice) applies; the certification of deletion under Clause 8.5 applies; the governing law under Clause 17 is the law of the Republic of Ireland; the forum under Clause 18 is the courts of Ireland.

9. Technical and organisational measures

Kommit implements and maintains the technical and organisational measures set out below, which form Annex II of the Standard Contractual Clauses for the purposes of this DPA:

  • Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256.
  • Access controls. Role-based access control with least-privilege defaults. Production access is scoped, time-bound, and logged. Workspace-level data isolation enforced at the database layer through row-level security.
  • Authentication. SSO and SCIM provisioning available for enterprise tiers. Service accounts for automated workflows. Audit logging on every authentication event.
  • Logging and monitoring. Every input, output, tool call, and approval recorded in a tamper-evident audit trail. Application, infrastructure, and security events centrally collected and retained.
  • Software development lifecycle. Code review, dependency scanning, and automated test coverage prior to deployment. Changes promoted through staging environments.
  • Personnel. All personnel with potential access to Customer Data sign confidentiality undertakings and complete data-protection training.
  • Business continuity. Encrypted backups taken on a regular schedule. Recovery objectives and tested restore procedures.
  • Vendor management. Sub-processors selected and reviewed for data-protection capability prior to engagement; ongoing oversight via contracts containing equivalent obligations to this DPA.

A current operational description of these measures is published at /trust.

10. Personal data breach notification

Kommit will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notice will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Kommit will assist Customer in meeting its own breach-notification obligations to Supervisory Authorities and Data Subjects.

11. Data subject rights

Where Kommit receives a request from a Data Subject exercising rights under the GDPR (including access, rectification, erasure, restriction, portability, and objection) relating to Customer Data, Kommit will refer the request to Customer and assist Customer, taking into account the nature of the Processing, in responding within the statutory timeframe.

12. Audit rights

Kommit will, on Customer's written request and not more than once per twelve-month period (except where required by a Supervisory Authority or following a Personal Data Breach), make available the information necessary to demonstrate compliance with this DPA, including independent third-party audit reports and certifications, where available.

Where Customer reasonably determines that the information made available is insufficient, Kommit will allow for an on-site audit conducted by Customer or by an independent third-party auditor mutually agreed upon, subject to reasonable confidentiality, security, and scheduling requirements. The audit will not unreasonably interfere with Kommit's operations.

13. Return or deletion of Customer Data

On termination or expiry of the Agreement, Kommit will, at Customer's written choice, return or delete all Customer Data in its possession, except to the extent that retention is required by applicable law. Unless Customer requests otherwise, Kommit will delete Customer Data within thirty (30) days of termination, subject to backup retention cycles after which residual copies will be overwritten in the ordinary course. Where Customer requests certification of deletion, Kommit will provide it.

14. Order of precedence and amendments

In the event of conflict, this DPA prevails over the Agreement with respect to the Processing of Personal Data, and the Standard Contractual Clauses prevail over any conflicting provision of this DPA in respect of the matters they cover. Kommit may amend this DPA from time to time as required by changes in Data Protection Laws, the Standard Contractual Clauses, or supervisory guidance, provided that the amendments do not materially diminish the protections afforded to Customer Data.

15. Contact

To execute this DPA, request the latest signed copy, or raise a data-protection question, email legal@getkommit.ai. For security disclosures or breach reports, see our Trust Center or email security@getkommit.ai.