Data Processing Agreement

Effective date: April 4, 2026

1. Definitions

For the purposes of this Data Processing Agreement (DPA):

  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by Kitchen Sink (the "Processor") on behalf of the customer (the "Controller") in connection with the use of our services.

The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex A to this DPA.

3. Processor's Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure data security
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller without undue delay upon becoming aware of a data breach
  • Delete or return all Personal Data upon termination of services
  • Make available all information necessary to demonstrate compliance

4. Controller's Obligations

The Controller shall:

  • Ensure it has a lawful basis for processing Personal Data
  • Provide clear instructions for processing Personal Data
  • Ensure compliance with applicable data protection laws
  • Inform Data Subjects about the processing of their data

5. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and breach notification procedures
  • Data backup and disaster recovery plans
  • Employee training on data protection
  • Physical security of data centers

6. Sub-Processors

The Controller grants general authorization for the Processor to engage sub-processors. Current sub-processors include:

  • Cloud Infrastructure Providers: For hosting and data storage
  • Payment Processors: For handling subscription payments
  • Analytics Services: For usage monitoring and improvement

The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object to such changes.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object

8. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include all relevant information about the breach, its likely consequences, and measures taken to address it.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). The Processor ensures that such transfers are subject to appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission.

10. Audits and Inspections

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

11. Data Retention and Deletion

Upon termination of the services or upon the Controller's request, the Processor will delete or return all Personal Data to the Controller within 30 days, unless required by law to retain certain data.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set forth in the main service agreement. The Processor will indemnify the Controller against claims arising from the Processor's breach of this DPA.

13. Duration and Termination

This DPA remains in effect for the duration of the service agreement and will automatically terminate upon termination of the service agreement.

Annex A: Description of Processing

Subject Matter: Provision of SaaS platform services
Duration: Term of the service agreement
Nature and Purpose: Processing necessary to provide platform services, including user authentication, data storage, and subscription management
Types of Personal Data: Name, email address, authentication credentials, payment information, usage data, uploaded files
Categories of Data Subjects: Platform users, customers, and their authorized users

Contact Information

For questions about this DPA, please contact:

Email: [email protected]
Data Protection Officer: [email protected]