Keenduck — Data Processing Addendum (DPA)
Last updated: October 27, 2025
Parties:
Data Controller: Customer (the organization or person subscribing to Kadie)
Data Processor: Keenduck, operator of “Kadie” (the “Processor”)
Scope / Binding: This DPA governs Processor’s processing of Customer Data when Customer uses Kadie’s AI-powered features. By creating an account, subscribing to, or using Kadie, Customer accepts and agrees to this DPA; no separate signature is required for this DPA to apply.
References: This DPA is governed by and read together with Kadie’s AI Usage & Data Policy. For product details see Kadie. For general subscription terms, Token entitlements, and billing (including validity and expiry), see Kadie's Terms of Use. For website privacy and cookies, see the Privacy Policy and Cookie Policy.
1. Definitions
Capitalized terms used in this DPA have the following meanings:
“Customer Data” — all content, files, text, attachments, and other data submitted by or on behalf of Customer to Kadie for processing.
“Personal Data” — Customer Data that qualifies as personal data under applicable law.
“Subprocessor” — any third party engaged by Processor to process Customer Data on Processor’s behalf.
“AI Provider” — third-party provider(s) used for model inference (currently OpenAI).
“Token(s)” — the units used to measure AI input + output consumption.
“ZDR” — Zero Data Retention option offered by certain AI providers for eligible customers.
2. Roles & Purpose
Roles: Customer is Controller (or, if applicable, the Controller’s authorized agent). Keenduck (Processor) processes Customer Data on documented instructions from Customer and to provide Kadie services.
Purpose & legal basis: Processor will process Customer Data only to provide Kadie’s services and AI features expressly requested by Customer (examples: summarization, classification, content generation, extraction). Processing is performed on the Customer’s instructions and as permitted by the Customer’s subscription/contract with Processor.
3. Processing Instructions & Scope
Processor shall:
a) process Customer Data only for the purposes described in this DPA and Customer’s use of Kadie;
b) transmit to the AI Provider only the minimal data necessary to fulfill a requested AI operation (e.g., user prompt, selected document excerpts, system instructions and any context explicitly selected by the internal prompting mechanism);
c) apply reasonable minimization (redaction/pseudonymization/client-side pre-processing) when feasible; and
d) refrain from using Customer Data for any purpose other than as instructed by Customer or required by law.
Processor will not include unrelated Customer Data in AI requests and will not transmit secret credentials or measurement values (e.g., KPI numeric values) to the AI Provider unless Customer expressly requests and permits such transmission.
4. Subprocessors & updates
Initial Subprocessors:
OpenAI, Inc. — inference / model services (AI Provider). OpenAI documents that API inputs/outputs are not used by default to train models and provides enterprise data controls such as Zero Data Retention and Enterprise Key Management for eligible customers.
Amazon Web Services, Inc. (AWS) — cloud hosting and infrastructure. AWS publishes a global Data Processing Addendum and Service Terms that apply to customer data processed on AWS infrastructure.
Subprocessor updates & notice: Processor may engage other subprocessors (for analytics, backups, monitoring, etc.). Processor will maintain and publish the current list of subprocessors and will provide notice of material additions. Customers may object to a new Subprocessor for legitimate reasons by notifying Processor within 14 days; parties will in good faith seek to resolve objections. If resolution is not possible, Customers may terminate the affected service (to the extent such termination is permitted by the Agreement).
5. Retention & Deletion
Processor will implement the following default retention periods unless the parties agree otherwise in writing:
| Category | What it contains | Retention period (default) |
|---|---|---|
| Token & billing logs | Token consumption metrics, invoking user identifier, function invoked (no full prompt/response) | 24 months (aligned to customer lifecycle/accounting needs) |
| Audit & security logs | Auth/access logs, anonymized AI-call telemetry for security/compliance | 12 months |
| Saved responses (Customer-saved content) | AI-generated content explicitly saved by Customer | Retained until deleted by Customer or per Customer’s subscription lifecycle |
| Transient caches | Short-term operational caches or ephemeral processing artifacts | up to 30 days |
| Backups (disaster recovery) | Backup copies of stored Customer Data | 90 days standard backup retention (may vary per contract/regulatory need) |
| Aggregated/anonymized telemetry | Usage metrics, aggregated analytics | indefinite (only if non-identifiable; otherwise per above) |
Deletion on request: On verified request by Customer, Processor will export and delete Customer-stored content from primary systems and will make reasonable efforts to remove the content from backups within standard recovery windows. Processor will confirm completion of deletion actions consistent with the Agreement.
6. Security & technical measures
Processor will implement and maintain reasonable technical and organizational measures appropriate to the risk, including (as applicable): TLS for data in transit, industry-standard encryption at rest, least-privilege access controls, multi-factor authentication for production access, logging and monitoring, vulnerability management, and incident response procedures. See Kadie’s public policy for additional details.
7. AI Provider (OpenAI) specifics & business controls
Processor uses OpenAI for inference. OpenAI states publicly that API inputs and outputs are not used to train OpenAI models by default and that qualifying customers can apply enterprise data controls such as Zero Data Retention and Enterprise Key Management. Customers requiring specific retention/zero-retention controls should contact Processor to discuss enterprise arrangements and eligibility with OpenAI.
Where Customer requires ZDR or EKM and eligibility exists, Processor will, where commercially reasonable, assist Customer to obtain such configuration from the AI Provider. Such arrangements may require separate commercial terms between Customer and Processor and/or Customer and the AI Provider.
8. Data Subject Requests & Assistance
Processor will reasonably assist Customer with data subject access requests or other data-subject rights (access, rectification, deletion, portability) to the extent Processor holds or can access relevant data. Processor’s assistance will be provided according to the DPA and the Agreement; Customer remains responsible for exercising control and instructing Processor in accordance with applicable law.
9. Audit, certification & compliance evidence
Processor will make available to Customer, upon reasonable request and subject to an NDA and commercially reasonable notice, relevant compliance artifacts (e.g., SOC 2 report, penetration test summaries or other certification records) to demonstrate compliance with the security measures described in this DPA. Where Customer requires on-site audits, such rights shall be negotiated and documented in the Agreement.
10. Incident notification & breach handling
Processor will notify Customer without undue delay upon becoming aware of a confirmed security incident materially affecting Customer Data. Processor will provide details and reasonable remediation steps. Notification timelines and procedures shall follow the Agreement and applicable law.
11. Law enforcement & legal requests
Processor will comply with lawful government or regulatory requests for Customer Data only as required by law. Processor will inform Customer of such requests to the extent permitted by law and will reasonably assist Customer in responding to legal process, unless prohibited from doing so.
12. Liability, indemnities & limitations
Liability, warranties, indemnities and limitations related to data processing are governed by the Agreement and any executed DPA amendments. This DPA does not expand or create new liability beyond the Agreement except as explicitly provided herein.
13. Changes, notices & acceptance
Processor may update this DPA (for example to add subprocessors or change retention defaults). Material changes that affect data handling, retention, or security posture will be communicated to Customers in accordance with the Agreement; continued use of Kadie after notice constitutes acceptance of the updated DPA.
14. Governing law & dispute resolution
This DPA is governed by the governing law and dispute resolution provisions set forth in the Agreement between Customer and Processor. Where no such Agreement exists, the DPA will be governed by the laws of the Processor’s country of incorporation (Chile) and disputes shall be resolved as set in the Agreement or, if needed, by mutual agreement.
Appendix A — Processing details (summary)
Processing purpose: Provision of Kadie services and AI features; billing & reconciliation.
Categories of data processed: Text content, documents, configuration, metadata, authentication logs.
Categories of data subjects: Customer employees, end users, contractors, or other individuals whose data Customer inputs into Kadie.
Duration: As per retention table and Customer instructions.
Appendix B — Retention table
| Category | What it contains | Retention period (default) |
|---|---|---|
| Token & billing logs | Token consumption metrics, invoking user identifier, function invoked (no full prompt/response) | 24 months (aligned to customer lifecycle/accounting needs) |
| Audit & security logs | Auth/access logs, anonymized AI-call telemetry for security/compliance | 12 months |
| Saved responses (Customer-saved content) | AI-generated content explicitly saved by Customer | Retained until deleted by Customer or per Customer’s subscription lifecycle |
| Transient caches | Short-term operational caches or ephemeral processing artifacts | up to 30 days |
| Backups (disaster recovery) | Backup copies of stored Customer Data | 90 days standard backup retention (may vary per contract/regulatory need) |
| Aggregated/anonymized telemetry | Usage metrics, aggregated analytics | indefinite (only if non-identifiable; otherwise per above) |
Appendix C — Initial Subprocessors
OpenAI, Inc. — model inference; public docs: OpenAI Business Data & Trust pages.
Amazon Web Services, Inc. — cloud hosting & infrastructure; public DPA and Service Terms.