Data Processing Addendum
Kentro Data Processing Addendum
This Data Processing Addendum (the "DPA") is entered into between Kentro Inc., a Delaware corporation ("Kentro," "we," "us," or "our"), and the Tenant that has accepted the Kentro Platform Terms of Service (the "Terms") and whose use of the Services involves the processing of Personal Data (the "Tenant," "you," or "your"). This DPA is incorporated into and forms part of the Terms and governs Kentro's processing of Personal Data on behalf of the Tenant. Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.
1. Introduction and Scope
1.1 Purpose
This DPA sets out the parties' obligations with respect to the Processing of Personal Data by Kentro on behalf of the Tenant in connection with the Services. It is intended to satisfy the requirements of Article 28 of the European Union General Data Protection Regulation ("EU GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other comparable data protection laws to the extent applicable to the processing of Personal Data under the Terms (collectively, "Data Protection Laws").
1.2 Incorporation
This DPA is incorporated into and forms part of the Terms. If and to the extent there is any conflict between this DPA and the Terms, this DPA controls with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses referenced in Section 11, the Standard Contractual Clauses control.
1.3 Applicability
This DPA applies where Kentro Processes Personal Data on behalf of the Tenant as part of the Services. This DPA does not apply to (a) personal information Kentro Processes as a controller (or business) about Platform Users, Visitors, and Tenant contacts, which is governed by the Kentro Privacy Policy, or (b) data that is not Personal Data.
2. Definitions
For purposes of this DPA, the following terms have the meanings set out below. Terms not defined below have the meanings given in the Terms or in Data Protection Laws.
- "Business," "Business Purpose," "Consumer," "Sale," "Share," and "Service Provider" have the meanings given to them in the CCPA/CPRA.
- "Controller," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," "Processor," and "Supervisory Authority" have the meanings given to them in the EU GDPR or, where applicable, in the equivalent Data Protection Law.
- "Data Protection Laws" has the meaning given in Section 1.1.
- "EU SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Sub-processor" means any Processor engaged by Kentro (or by a Kentro affiliate) that Processes Personal Data on Kentro's behalf under this DPA.
- "Tenant Personal Data" means Personal Data that is contained within Tenant Data and that Kentro Processes on behalf of the Tenant under the Terms.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018.
3. Roles of the Parties
As between the parties with respect to Tenant Personal Data, the Tenant is the Controller (and, under the CCPA/CPRA, the Business), and Kentro is the Processor (and, under the CCPA/CPRA, the Service Provider). The Tenant is responsible for determining the purposes and means of Processing, for establishing a lawful basis for the Processing, for providing all required notices to Data Subjects, for obtaining all consents required by Data Protection Laws, and for the accuracy, quality, integrity, and legality of Tenant Personal Data. Kentro Processes Tenant Personal Data solely on the Tenant's documented instructions and in accordance with this DPA.
Where the Tenant itself acts as a Processor on behalf of another Controller, the Tenant represents and warrants that it has obtained the authorizations necessary from that Controller to appoint Kentro as a Sub-processor and to be bound by this DPA on that Controller's behalf.
4. Processing Instructions
4.1 Documented Instructions
Kentro will Process Tenant Personal Data only (a) as necessary to provide, secure, monitor, support, and operate the Services in accordance with the Terms, the Documentation, and this DPA; (b) as further instructed by the Tenant through the use of the Services (including through configuration choices, integrations enabled, and actions initiated by the Tenant's Users); (c) as required by Union, Member State, or other applicable law, in which case Kentro will inform the Tenant of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest; and (d) as permitted by Section 6.3 of the Terms with respect to the generation and use of de-identified and aggregated data.
4.2 Compliance of Instructions
Kentro will inform the Tenant without undue delay if, in Kentro's reasonable opinion, an instruction infringes Data Protection Laws. Kentro is not obligated to perform a legal assessment of the Tenant's instructions.
4.3 Details of Processing
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex A.
5. Confidentiality of Personnel
Kentro will ensure that persons authorized to Process Tenant Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Kentro limits access to Tenant Personal Data to personnel who need such access to perform their duties on Kentro's behalf.
6. Security Measures
Kentro will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects. Kentro's technical and organizational measures are described in Annex B. Kentro may update the measures from time to time, provided that any update does not materially decrease the overall level of security provided to Tenant Personal Data.
7. Subprocessors
7.1 General Authorization
The Tenant grants Kentro general written authorization to engage Sub-processors to Process Tenant Personal Data in connection with the Services. A list of Sub-processor categories currently engaged by Kentro is set out in Annex C. A current list of specific Sub-processors used to Process Tenant Personal Data is made available to Tenants through the Services or on written request.
7.2 Obligations Flow-Down
Kentro will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective, in substance, than those set out in this DPA, to the extent applicable to the nature of the services provided by the Sub-processor. Kentro remains responsible for the acts and omissions of its Sub-processors to the same extent Kentro would be liable for its own acts and omissions under this DPA.
7.3 Notice of Changes and Objection Right
Kentro will notify the Tenant of the addition or replacement of any Sub-processor that Processes Tenant Personal Data (through the Services, by email to a Tenant administrator, or by other reasonable means) at least 30 days before the Sub-processor begins Processing Tenant Personal Data. The Tenant may object to the appointment of a new Sub-processor on reasonable data protection grounds by notifying Kentro in writing within that 30-day period. If the parties are unable to resolve the objection through good-faith discussion (including by Kentro proposing alternative measures), the Tenant may, as its sole and exclusive remedy, terminate the affected portion of the Services on written notice to Kentro. Kentro will refund any prepaid, unused Fees for the terminated portion of the Services.
8. AI Subprocessors
As disclosed in Annex C and in Section 6 of the Terms, Kentro engages third-party AI model providers to deliver AI Services, including Kentro Copilot. Kentro's commercial agreements with these providers prohibit them from using Tenant Personal Data submitted through the Services to train models that are made publicly available. AI model providers Process Tenant Personal Data as Sub-processors under written contracts that impose data protection obligations consistent with this DPA, and in the case of transfers subject to European Data Protection Law, on the basis of the appropriate transfer mechanisms described in Section 11. Kentro will not enable AI Services to Process Tenant Personal Data other than as necessary to deliver the AI Services on the Tenant's instructions and as permitted by the Terms.
9. Personal Data Breach Notification
Kentro will notify the Tenant without undue delay after becoming aware of a Personal Data Breach affecting Tenant Personal Data. Where required by Article 33 of the EU GDPR or by comparable law, Kentro will provide notification within 72 hours after Kentro's discovery of the Personal Data Breach. Kentro's notification will describe, to the extent then known, the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Kentro will cooperate with the Tenant to provide information reasonably necessary for the Tenant to comply with its own breach notification obligations to Supervisory Authorities and Data Subjects.
Kentro's notification of a Personal Data Breach is not, in itself, an acknowledgment of fault or liability. The Tenant remains responsible for making any notifications to Supervisory Authorities and Data Subjects that are required of the Tenant as Controller under Data Protection Laws.
10. Assistance to the Tenant
10.1 Data Subject Requests
Kentro will provide the Tenant with reasonable assistance, by appropriate technical and organizational measures and taking into account the nature of the Processing, to fulfill the Tenant's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and rights not to be subject to solely automated decision-making). Where a Data Subject submits such a request directly to Kentro, Kentro will (a) not respond to the request except to acknowledge receipt and inform the Data Subject that the request should be directed to the Tenant, unless authorized in writing by the Tenant to respond directly, and (b) refer the request to the Tenant.
10.2 DPIAs and Consultations
Taking into account the nature of the Processing and the information available to Kentro, Kentro will provide reasonable assistance to the Tenant in ensuring compliance with the Tenant's obligations under Articles 32 to 36 of the EU GDPR and comparable provisions of other Data Protection Laws, including data protection impact assessments and prior consultations with Supervisory Authorities.
11. International Transfers
11.1 EU SCCs (Module Two)
Where Kentro Processes Tenant Personal Data that is subject to the EU GDPR outside the European Economic Area in a country that has not been recognized by the European Commission as providing an adequate level of protection, the parties are deemed to have entered into the EU SCCs, Module Two (Controller to Processor), which are incorporated into this DPA by reference. For purposes of the EU SCCs:
- The Tenant is the "data exporter" and Kentro is the "data importer."
- The optional docking clause in Clause 7 is included.
- In Clause 9, Option 2 (General Written Authorization) applies, with the time period specified in Section 7.3 of this DPA.
- In Clause 11, the optional independent dispute resolution language is omitted.
- In Clause 17, Option 1 applies, and the governing law is the law of the Republic of Ireland.
- In Clause 18, the courts of the Republic of Ireland are the chosen forum.
- Annex I of the EU SCCs is populated with the information in Annex A of this DPA and the parties' identities from the Terms. Annex II of the EU SCCs is populated with the technical and organizational measures in Annex B of this DPA. Annex III of the EU SCCs is populated by reference to Annex C of this DPA and the Sub-processor list maintained by Kentro.
11.2 UK Addendum
Where Kentro Processes Tenant Personal Data that is subject to the UK GDPR outside the United Kingdom in a country that has not been recognized as providing an adequate level of protection, the parties are deemed to have entered into the UK Addendum, which is incorporated by reference and read together with the EU SCCs as modified by Section 11.1. For purposes of the UK Addendum, Table 1 is populated with the parties' identities from the Terms; Table 2 refers to the version of the EU SCCs described in Section 11.1; Table 3 is populated with the information in Annexes A, B, and C of this DPA; and in Table 4, neither party may end the UK Addendum other than as permitted by the UK Addendum.
11.3 Swiss Transfers
Where Kentro Processes Tenant Personal Data that is subject to the Swiss FADP outside Switzerland in a country that has not been recognized as providing an adequate level of protection, the EU SCCs as modified by Section 11.1 apply, with the following modifications: references to the EU GDPR are deemed to include references to the Swiss FADP; the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority; the governing law is Swiss law; and the forum is the courts of Switzerland.
11.4 Alternative Transfer Mechanisms
If the European Commission, the United Kingdom, or Switzerland approves a different or additional lawful transfer mechanism (including an adequacy decision or a successor to the EU SCCs), Kentro may, on notice to the Tenant, replace the transfer mechanism described above with that alternative mechanism, provided that the alternative mechanism provides an essentially equivalent level of protection.
12. Deletion and Return on Termination
Upon expiration or termination of the Terms, Kentro will, at the Tenant's choice, delete or return to the Tenant all Tenant Personal Data in Kentro's possession or control, and delete existing copies, in accordance with Section 12 of the Terms. The Tenant may exercise its choice by using export tools available in the Services during the export window described in the Documentation and, where required, by written notice to Kentro. Where the Tenant does not make a choice within the applicable export window, Kentro may delete Tenant Personal Data, subject to the exceptions in this Section 12.
Notwithstanding the foregoing, Kentro may retain Tenant Personal Data to the extent (a) required by applicable law; (b) required for the establishment, exercise, or defense of legal claims; (c) held in routine, cycled backups pending the expiry of standard backup retention periods, during which the data will remain isolated and protected in accordance with Kentro's security measures and will not be actively Processed; or (d) held in de-identified or aggregated form in accordance with the Terms and this DPA.
For clarity, the warehouseman's lien and payment-security provisions in Section 5.3 of the Terms secure obligations related to physical goods held by Kentro or its contracted third-party fulfillment providers on behalf of the Tenant. Tenant Personal Data is not subject to that lien and will be handled in accordance with this Section 12, without prejudice to Kentro's rights under Section 5.3 of the Terms with respect to physical inventory.
13. Audits
13.1 Reports First
To demonstrate compliance with Kentro's obligations under this DPA, Kentro will, on the Tenant's written request no more than once per twelve-month period (or more frequently where required by Data Protection Laws or by a Supervisory Authority), make available to the Tenant summary information about Kentro's most recent third-party audit reports, certifications, or attestations (where obtained), which may include SOC-style reports, penetration test summaries, and comparable materials. Such materials constitute Kentro's Confidential Information and are provided subject to the confidentiality obligations in the Terms.
13.2 On-Site Audit
If the summary information reasonably provided under Section 13.1 is not sufficient to demonstrate compliance, the Tenant may, on at least 60 days' prior written notice, conduct an on-site audit of Kentro's Processing of Tenant Personal Data under the following conditions: (a) the audit is conducted at the Tenant's cost during Kentro's normal business hours by an independent, mutually agreed auditor bound by written confidentiality obligations no less protective than those in the Terms; (b) the audit does not unreasonably interfere with Kentro's business operations, does not disclose Kentro's Confidential Information beyond what is necessary to demonstrate compliance, and does not access data or systems of other Kentro customers; (c) the audit is limited in scope to Kentro's obligations under this DPA and to Tenant Personal Data; and (d) the auditor delivers a copy of any audit report to Kentro. The parties will discuss and agree in advance on the scope and timing of the audit and on any restrictions necessary to protect Kentro's operational security, its other customers, and its third-party service providers.
13.3 Regulatory Audits
Nothing in this Section 13 limits the audit rights of a Supervisory Authority under Data Protection Laws.
14. CCPA / CPRA Service-Provider Certifications
With respect to Tenant Personal Data that is subject to the CCPA/CPRA, Kentro acts as a Service Provider to the Tenant as the Business, and Kentro certifies as follows:
- Kentro will not Sell or Share Tenant Personal Data.
- Kentro will not retain, use, or disclose Tenant Personal Data outside of the direct business relationship between Kentro and the Tenant, or for any purpose other than the Business Purposes specified in the Terms and this DPA, including retaining, using, or disclosing Tenant Personal Data for a commercial purpose other than the Business Purposes specified.
- Kentro will not combine Tenant Personal Data with personal information Kentro receives from or on behalf of any other person, or that Kentro collects from its own interactions with Consumers, except as expressly permitted by the CCPA/CPRA.
- Kentro will comply with the applicable obligations under the CCPA/CPRA and provide the same level of privacy protection as required of Businesses under the CCPA/CPRA.
- Kentro will notify the Tenant if Kentro determines that it can no longer meet its obligations under the CCPA/CPRA.
- The Tenant may, upon reasonable notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Tenant Personal Data by Kentro.
Kentro's engagement of Sub-processors to Process Tenant Personal Data does not constitute a Sale or Share under the CCPA/CPRA.
15. Liability
Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms. Any claim brought under this DPA (including under the EU SCCs) counts toward, and does not increase or duplicate, the aggregate liability caps set out in the Terms, except to the extent the caps cannot be limited under applicable Data Protection Law.
16. General
16.1 Order of Precedence
As between the Terms and this DPA, this DPA controls with respect to the Processing of Personal Data. As between this DPA and the EU SCCs, the EU SCCs control. As between this DPA and the UK Addendum, the UK Addendum controls with respect to the transfers to which it applies.
16.2 Term
This DPA takes effect on the earlier of the Tenant's acceptance of the Terms and the commencement of Kentro's Processing of Tenant Personal Data, and remains in effect until Kentro ceases to Process Tenant Personal Data in accordance with Section 12.
16.3 Changes
Kentro may modify this DPA from time to time in accordance with Section 16 of the Terms, provided that no such modification will reduce the level of protection provided to Tenant Personal Data below the level required by Data Protection Laws.
16.4 Notices
Notices under this DPA follow Section 18.3 of the Terms. Data protection notices may in addition be sent to [email protected].
16.5 Governing Law and Jurisdiction
Except as expressly modified by the EU SCCs, the UK Addendum, or Section 11.3 of this DPA, this DPA is governed by the laws that govern the Terms, and disputes are subject to the dispute resolution provisions of the Terms.
Annex A: Details of Processing
A.1 Subject Matter
Kentro's provision of the Services to the Tenant under the Terms, including order management, inventory management, warehouse management, fulfillment orchestration, integrations, reporting, AI Services (Kentro Copilot), Kentro 3PL Services (where activated), support, and related functions.
A.2 Duration
For the duration of the Terms and thereafter to the extent permitted or required under Section 12 of this DPA.
A.3 Nature and Purpose
Processing operations reasonably necessary to provide, secure, monitor, support, and operate the Services on the Tenant's documented instructions, including collection, recording, organization, structuring, storage, retrieval, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Tenant Personal Data.
A.4 Types of Personal Data
Depending on the Tenant's configuration and use of the Services, Personal Data may include:
- Identifiers such as name, email address, telephone number, postal address, and account or customer identifiers;
- Commercial information such as order history, purchase details, product preferences, and returns;
- Payment-related information such as tokenized payment method identifiers and the last four digits of payment cards;
- Internet or other electronic network activity information such as authentication events, IP address, user agent, session identifiers, feature usage, and application logs;
- Communications with the Tenant, including chat, email, SMS, voice, and support interactions, and derived transcripts where applicable;
- Content of interactions with Kentro Copilot, including prompts, tool calls, and outputs; and
- Other categories of Personal Data that Tenants choose to submit to the Services.
A.5 Categories of Data Subjects
Tenants' end customers and prospective customers; Tenants' recipients of orders and shipments; Tenants' suppliers and vendors; and the Tenant's own personnel (including Users, administrators, and other Platform Users).
A.6 Frequency of Transfer
Continuous, for the duration of the Terms.
A.7 Retention
As described in the Terms, this DPA (including Section 12), and the Kentro Privacy Policy.
Annex B: Technical and Organizational Measures
Kentro maintains a written information security program that includes, at a minimum, the following measures, updated from time to time as described in Section 6:
B.1 Encryption
- Encryption of Tenant Personal Data in transit over public networks using industry-standard protocols (such as TLS 1.2 or later).
- Encryption of Tenant Personal Data at rest in supported data stores using industry-standard algorithms.
- Management of cryptographic keys using cloud key-management services with access controls and rotation.
B.2 Access Controls
- Role-based access controls and the principle of least privilege for Kentro personnel accessing Tenant Personal Data.
- Multi-factor authentication for administrative access to production systems.
- Centralized identity management with periodic access reviews.
- Prompt revocation of access on role change or separation.
B.3 Tenant Isolation
- Logical isolation of Tenant Personal Data within the multi-tenant platform through tenant identifiers, access control policies enforced at the application and data layers, and integration testing designed to prevent cross-tenant data leakage.
- Design controls intended to prevent one Tenant's data from being disclosed to another Tenant through the Services or through the AI Services.
B.4 Audit Logging and Monitoring
- Audit logging of authentication events, privileged actions, and other security-relevant events, retained for a period appropriate to the log type.
- Security monitoring and alerting for anomalous activity, unauthorized access attempts, and abuse.
- Regular review of logs and alerts by security personnel.
B.5 Vulnerability and Patch Management
- Vulnerability scanning of infrastructure and dependencies, prioritized remediation, and timely patching.
- Periodic penetration testing conducted by qualified internal or third-party personnel.
- Secure software development lifecycle practices, including peer review and automated testing.
B.6 Incident Response
- Documented incident response procedures, including detection, triage, containment, eradication, recovery, and post-incident review.
- Notification workflows aligned with the requirements of Section 9 of this DPA.
- Periodic testing and updating of incident response procedures.
B.7 Personnel
- Confidentiality obligations for personnel with access to Tenant Personal Data.
- Security and privacy awareness training for personnel, refreshed periodically.
- Background checks for personnel in security-sensitive roles, where permitted by applicable law.
B.8 Physical and Environmental Security
- Reliance on cloud infrastructure providers that maintain industry-recognized certifications (such as ISO 27001 and SOC 2) for their physical data centers.
- Access controls, environmental controls, and continuity measures maintained by those providers.
B.9 Business Continuity
- Regular backups of production data, with restoration testing.
- Disaster recovery planning designed to support timely restoration of the Services.
B.10 Vendor Management
- Security and privacy assessments of Sub-processors before engagement.
- Contractual flow-down of data protection obligations as required by Section 7.2.
- Periodic re-assessment of critical Sub-processors.
Annex C: Subprocessor Categories
Kentro engages Sub-processors in the categories set out below. A current list of specific Sub-processors is maintained by Kentro and made available to Tenants through the Services or on request, together with the notice-of-changes mechanism described in Section 7.3.
- Cloud hosting and storage. Google Cloud Platform (compute, storage, networking, key management, and related infrastructure services).
- Managed database services. MongoDB Atlas (managed database hosting).
- AI model providers. Anthropic and OpenAI, engaged under commercial terms that prohibit the use of Tenant Personal Data to train publicly available models.
- Telephony and messaging. Twilio (SMS and voice communications).
- Transactional email. SendGrid or a comparable email delivery provider.
- Payments. Stripe (payment processing).
- Shipping labels and postage. EasyPost (shipping label generation and carrier connectivity).
- Contracted third-party fulfillment providers. Providers engaged through Kentro to perform physical warehousing and fulfillment operations for Tenants that use the Kentro 3PL Services (where activated).
- Kentro affiliates and internal shared services. Affiliates of Kentro that provide internal shared services (such as engineering, security, support, and finance) under intra-group data protection arrangements consistent with this DPA.