Data Processing Agreement

DPA

Last updated: April 2026

This Data Processing Agreement (hereinafter "DPA") is entered into between the Data Controller (hereinafter the "Client" or "Controller") and [COMPANY_NAME], with Tax ID [TAX_ID] and registered address at [COMPANY_ADDRESS] (hereinafter "Kerno" or the "Processor"), acting as the processor of personal data, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).

This DPA supplements and forms an integral part of the Kerno Terms of Service.

1. Purpose of the Agreement

The purpose of this DPA is to regulate the conditions under which Kerno, as data processor, processes personal data on behalf of the Client in the context of providing the Kerno AI assistant service (accessible at https://kernoia.com).

Kerno will process personal data solely in accordance with the Client's documented instructions and for the purposes described in this DPA, unless required by European Union or Member State law to carry out other processing.

2. Nature and Purpose of Processing

  • Nature: automated and non-automated processing of personal data through an AI-powered SaaS platform.
  • Purpose: to provide the Client with AI assistant functionalities, including message processing, task management, administrative process automation, invoice and payroll management, tax data handling, and connection to third-party services via OAuth.
  • Duration: processing will continue for the entire duration of the contractual relationship between the Client and Kerno.

3. Types of Personal Data and Categories of Data Subjects

3.1. Categories of Personal Data

  • Identification data: first name, last name, email address, phone number.
  • Tax identification data: tax ID (NIF/CIF), tax address, billing information.
  • Economic and financial data: invoices issued and received, payroll data, amounts.
  • Controller's client data: third-party information entered by the Client into the platform.
  • Communication content: text messages, audio, and files shared through messaging channels.
  • Technical data: IP address, session identifiers, connection metadata.
  • Third-party access credentials: encrypted OAuth tokens.

3.2. Categories of Data Subjects

  • Employees, contractors, and representatives of the Client.
  • Clients and suppliers of the Client whose data is processed through the platform.
  • Employees and contractors of the Client whose payroll data is managed.
  • Any person whose personal data is entered into the platform by the Client.

3.3. Special Categories of Data

Kerno is not designed to process special categories of data (Article 9 GDPR: health data, ethnic origin, political opinions, etc.). The Client agrees not to enter such data into the platform. If such data is incidentally processed, the Client assumes responsibility for having the appropriate legal basis.

4. Obligations of the Processor (Kerno)

4.1. Processing According to Instructions

Kerno will process personal data solely in accordance with the Client's documented instructions, including those relating to international transfers, unless required by EU or Member State law to carry out other processing, in which case it will inform the Client before processing (unless legally prohibited).

4.2. Confidentiality

Kerno ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to data is limited to strictly necessary personnel.

4.3. Security Measures

Kerno implements the following technical and organizational measures (Article 32 GDPR):

  • Encryption in transit: TLS 1.3 for all communications.
  • Encryption at rest: AES-256 in the database (PostgreSQL/Supabase).
  • Multi-tenant isolation: Row Level Security (RLS) with tenant_id-based isolation across all tables.
  • Access control: JWT-based authentication, passwords hashed with bcrypt.
  • Encrypted tokens: OAuth credentials stored encrypted with server-held keys; the resulting ciphertext is base64-encoded for storage (base64 itself is an encoding, not a protection).
  • Backups: automatic daily backups with 30-day retention.
  • Perimeter protection: Cloudflare as WAF and DDoS protection.
  • Monitoring: access and activity logs with automatic alerts.
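As an illustration of the multi-tenant isolation measure listed above, the following PostgreSQL snippet shows what a tenant_id-based Row Level Security policy looks like, with a weak form beside the corrected one. This is an added example and not Kerno's schema or code: the table name `messages`, the `tenant_id` column, the helper `current_tenant_id()` and the assumption that the verified JWT carries a `tenant_id` claim exposed through `current_setting('request.jwt.claims')` (as PostgREST/Supabase do) are all assumptions made for the example.

```sql
-- Added example; table, column and claim names are assumptions, not Kerno's schema.
-- Assumes the application connects as a non-owner role and that the verified
-- access token exposes a "tenant_id" claim via request.jwt.claims.

create table if not exists messages (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Tenant id taken from the verified JWT claims. Returns NULL when the claim
-- is missing, so comparisons fail closed (no rows match) instead of failing open.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb ->> 'tenant_id', ''
  )::uuid;
$$;

alter table messages enable row level security;
-- Without FORCE, the table owner bypasses every policy; a job or service
-- connection running as owner would see all tenants. FORCE closes that gap.
alter table messages force row level security;

-- WEAK (shown for contrast, do not use): trusts a session variable that is
-- not bound to the verified token, so whoever controls the session can set
-- app.tenant_id to another tenant's id and read its rows.
-- create policy tenant_rw on messages
--   using (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Corrected: bind isolation to the verified claim, and enforce it on writes
-- (WITH CHECK) as well as reads (USING), so a row cannot be inserted into or
-- updated to belong to another tenant.
create policy tenant_isolation on messages
  for all
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());
```

To check a policy of this kind, run the queries as the application role (`set role`) after setting the claims for the transaction with `select set_config('request.jwt.claims', '{"tenant_id": "<uuid>"}', true)`, and confirm that rows of other tenants are neither returned nor writable. The same pattern has to be repeated for every table holding tenant data; a single table without RLS (or without FORCE) is the usual gap found in review.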

4.4. Subprocessors

The Client provides general authorization for Kerno to engage other data processors (subprocessors) for the provision of the service, pursuant to Article 28(2) GDPR. Kerno will inform the Client of any intended changes regarding the addition or replacement of subprocessors, giving the Client the opportunity to object within 15 days.

List of authorized subprocessors as of the date of this DPA:

Subprocessor               Location          Purpose                          Safeguards
Supabase Inc.              EU (Frankfurt)    Database, authentication         DPA + data in EU
Vercel Inc.                USA/Global        Hosting, CDN                     SCCs + DPF
Anthropic PBC              USA               AI engine (Claude API)           SCCs
OpenAI LLC                 USA               Audio transcription, images      SCCs + DPF
Groq Inc.                  USA               Fast AI inference                SCCs
Cloudflare Inc.            USA/Global        DNS, WAF, CDN                    SCCs + DPF
Evolution API (Railway)    USA/EU            WhatsApp gateway                 SCCs
Stripe Inc.                USA/EU            Payments, billing                SCCs + DPF

4.5. Data Breach Notification

Kerno will notify the Client without undue delay, and in any event within 72 hours, after becoming aware of any personal data breach (Article 33(2) GDPR). Where the information is not all available at the same time, it may be provided in phases without undue further delay (Article 33(4) GDPR). The notification will include:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to remedy the breach.

4.6. Assistance to the Controller

Kerno will assist the Client with:

  • Responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection).
  • Conducting data protection impact assessments (DPIAs) when necessary.
  • Prior consultation with the supervisory authority (AEPD) when applicable.
  • Ensuring compliance with the security obligations under Article 32 GDPR.

4.7. Data Return and Deletion

Upon termination of the contractual relationship, Kerno will, at the Client's choice:

  • Return all personal data to the Client in a structured, commonly used format (JSON or CSV), and/or
  • Delete all personal data and existing copies, unless EU or national law requires their retention.

Deletion will be completed within a maximum of 30 days after contract termination, except for data subject to legal retention obligations (tax data: 6 years under Article 30 of the Spanish Commercial Code).

5. Obligations of the Controller (Client)

The Client, as data controller, commits to:

  • Ensuring that they have the appropriate legal basis for processing the personal data entered into the platform.
  • Providing Kerno with documented instructions regarding data processing.
  • Informing data subjects about the processing of their personal data, including the disclosure of Kerno as data processor.
  • Not entering special categories of data (Article 9 GDPR) into the platform.
  • Cooperating with Kerno in fulfilling obligations under the GDPR.
  • Verifying that the security measures implemented by Kerno are adequate for the risk of the processing.

6. International Data Transfers

Primary data is stored in the European Union (Supabase, region eu-central-1, Frankfurt, Germany).

Processing through AI models (Anthropic, OpenAI, Groq) involves temporary data transfers to the United States. These transfers are carried out under:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914).
  • EU-US Data Privacy Framework (DPF) where the provider is certified.
  • Supplementary technical measures: TLS 1.3 encryption in transit, data minimization for external APIs, and use of the providers' API mode, under which inputs are not used for model training and any retention is limited to the provider's documented API retention period.

Kerno commits not to transfer data to countries outside the EEA without the appropriate safeguards under Chapter V of the GDPR.

7. Duration

This DPA will take effect on the date the Client accepts the Kerno Terms of Service and will remain in force for as long as Kerno processes personal data on behalf of the Client.

Confidentiality obligations and those relating to data deletion/return will survive the termination of this agreement.

8. Audits and Inspections

Kerno will make available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR, and will allow audits and inspections by the Client or an authorized auditor.

Audits will be conducted with a minimum of 30 days' notice, during business hours, without interfering with normal service operations, and with a maximum of one audit per 12-month period, unless an exceptional circumstance (such as a data breach) justifies an additional inspection.

9. Liability

Each party's liability in connection with this DPA will be governed by the liability provisions set out in the Kerno Terms of Service, without prejudice to each party's direct liability under the GDPR (Articles 82 and 83).

10. Governing Law and Dispute Resolution

This DPA is governed by Spanish law and, in particular, by Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD).

For any dispute arising from the interpretation or execution of this DPA, both parties submit to the jurisdiction of the Courts and Tribunals of Madrid, expressly waiving any other jurisdiction that may apply.

11. Contact

For any inquiries related to this DPA or the processing of personal data:

  • Data Protection Officer (DPO): [DPO_EMAIL]
  • Postal address: [COMPANY_ADDRESS]