Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and KoraSafe ("Processor") for the provision of the KoraSafe AI governance intelligence platform ("Services"). This DPA sets out the terms under which KoraSafe processes personal data on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.
1. Definitions
- Controller: The Customer, being the entity that determines the purposes and means of the processing of personal data through its use of the KoraSafe platform.
- Processor: KoraSafe, being the entity that processes personal data on behalf of the Controller in connection with providing the Services.
- Data Subject: An identified or identifiable natural person whose personal data is processed under this DPA.
- Personal Data: Any information relating to a Data Subject that is processed by KoraSafe in the course of providing the Services.
- Sub-processor: A third party engaged by KoraSafe to process personal data on behalf of the Controller.
- Processing: Any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
2. Scope and purpose
This DPA applies to the processing of personal data by KoraSafe in connection with providing the Services as described in the applicable service agreement. KoraSafe processes personal data solely for the purpose of delivering the Services, including:
- Authenticating and managing user accounts
- Processing compliance assessment queries through the regulatory intelligence pipeline
- Generating AI risk assessments and governance reports
- Providing audit trails and compliance monitoring
- Delivering platform analytics and usage reporting
3. Processing details
3.1 Types of personal data
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Name, email address, job title | Account management, access control |
| Authentication data | Hashed passwords, session tokens, MFA tokens | Secure platform access |
| Usage data | Pages visited, features used, queries submitted | Service delivery, platform improvement |
| Organizational data | Organization name, role assignments, team membership | Multi-tenant isolation, RBAC |
| Assessment inputs | AI system descriptions, risk context, compliance status | Regulatory intelligence, gap analysis |
| Technical data | IP address, browser type, device information | Security monitoring, rate limiting |
3.2 Categories of data subjects
- Employees and contractors of the Controller who access the platform
- Administrators and compliance officers managing AI governance
- Individuals whose personal data may be referenced in assessment inputs provided by the Controller
4. Obligations of the processor
KoraSafe shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Not engage another processor without prior specific or general written authorisation of the Controller
- Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR
- Assist the Controller in ensuring compliance with obligations relating to security of processing, data protection impact assessments, and prior consultation with supervisory authorities
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA
5. Sub-processors
The Controller provides general authorisation for KoraSafe to engage sub-processors. KoraSafe shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database infrastructure, authentication, row-level security | United States (AWS us-east-1) |
| Anthropic | AI synthesis for regulatory intelligence pipeline | United States |
| Vercel | Platform hosting, serverless functions, edge network | Global (edge), United States (compute) |
| Voyage AI | Vector embedding generation for semantic search | United States |
KoraSafe shall impose data protection obligations no less onerous than those set out in this DPA on each sub-processor by way of a contract. KoraSafe shall remain fully liable to the Controller for the performance of each sub-processor's obligations.
6. International data transfers
Where personal data is transferred outside the European Economic Area ("EEA"), KoraSafe shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Transfers to countries benefiting from an adequacy decision
- The EU-U.S. Data Privacy Framework, where the recipient is a certified participant
KoraSafe shall promptly inform the Controller if it becomes aware that a transfer mechanism is invalidated or no longer provides adequate protection.
7. Security measures
KoraSafe implements the following technical and organizational measures:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access control: Role-based access control with principle of least privilege
- Multi-tenant isolation: Row-level security ensuring complete data separation between tenants
- Authentication: Support for SSO (SAML/OIDC), MFA, and enterprise identity providers
- Audit logging: Comprehensive, immutable audit trails for all data access and modifications
- Infrastructure security: Managed cloud infrastructure with automated patching and vulnerability scanning
- Rate limiting: API rate limiting and anomaly detection to prevent abuse
- Incident response: Documented incident response procedures with defined escalation paths
8. Data subject rights
KoraSafe shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. KoraSafe shall promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such a request except on the Controller's documented instructions.
9. Breach notification
KoraSafe shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records concerned
- The name and contact details of the data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
KoraSafe shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any such breach.
10. Audit rights
KoraSafe shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. KoraSafe shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt KoraSafe's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by KoraSafe.
11. Term and termination
This DPA shall remain in effect for the duration of the service agreement between the Controller and KoraSafe. Upon termination of the service agreement:
- KoraSafe shall, at the Controller's election, return or delete all personal data processed on behalf of the Controller within 30 days
- KoraSafe shall provide certification of deletion upon request
- Obligations relating to confidentiality and data protection shall survive termination
- KoraSafe may retain personal data to the extent required by applicable law, subject to the confidentiality and security obligations of this DPA
12. Contact
For questions or requests relating to this DPA, please contact:
KoraSafe Data Protection
Email: privacy@korasafe.ai
Last updated: April 2026