Data Processing Agreement
Effective from February 1, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between the User ("Data Controller") and koncal studio s.r.o., with its registered office at Lýskova 2073, Prague 5, Czech Republic, ID No.: 03604071, Tax ID: CZ03604071 ("Data Processor"), pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR). This DPA forms an integral part of the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller when using the kansei.works service.
2. Definitions
Terms used in this DPA have the meanings defined in the GDPR, in particular:
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR
- "Processing" means any operation or set of operations performed on personal data as defined in Article 4(2) GDPR
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data as defined in Article 4(12) GDPR
3. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the kansei.works service. The processing commences upon account creation and continues for the duration of the service agreement. Upon termination, data is handled according to the Data Return and Deletion provisions of this DPA. The nature of processing includes storage, organization, retrieval, use, and erasure of personal data entered into the Service by the Controller.
4. Nature and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Service, which includes:
- Storage and management of client/supplier contact data (names, addresses, ICO, DIC, email addresses, phone numbers) for invoicing and communication purposes
- Processing of financial data (invoice amounts, bank account numbers, expense records) for accounting and tax compliance purposes
- Storage of project and task data, including assigned team members' information, for project management functionality
- Processing of uploaded documents through OCR and AI features for data extraction and document management
5. Types of Personal Data and Data Subjects
The categories of personal data processed and data subjects concerned include:
- Data subjects: the Controller's clients, suppliers, employees, contractors, and other business contacts whose data is entered into the Service
- Data types: names, email addresses, postal addresses, phone numbers, business identification numbers (ICO, DIC), bank account numbers, personal identification numbers (encrypted), and any other personal data the Controller enters into the Service
- Special categories: the Processor does not intentionally process special categories of personal data (Article 9 GDPR). The Controller shall not enter special category data into the Service unless legally required and with appropriate safeguards.
6. Processor Obligations
The Processor undertakes to comply with the following obligations in accordance with Article 28(3) GDPR:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Czech law
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR
- Assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, portability)
- Assist the Controller in ensuring compliance with obligations relating to data breach notification (Articles 33-34 GDPR) and data protection impact assessments (Articles 35-36 GDPR)
7. Sub-processors
The Controller grants the Processor general written authorization to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days before the change, giving the Controller the opportunity to object within 30 days. If the Controller objects on reasonable data protection grounds, the parties shall negotiate in good faith. If no resolution is reached, the Controller may terminate the service in accordance with the Cancellation Policy. Current sub-processors include:
- Neon Inc. (database hosting, EU region) — storage of all application data including personal data entered by the Controller
- Vercel Inc. (application hosting and edge network) — processing of HTTP requests containing personal data, server-side rendering
- Cloudflare Inc. (CDN, R2 storage, Stream video, Workers) — content delivery, file storage, and video streaming of uploaded content
- Resend Inc. (email delivery) — processing of email addresses for transactional email delivery (password resets, portal invitations, automated client notifications)
- Twilio Inc. (SMS gateway, USA) — processing of client phone numbers in E.164 format for SMS notification delivery when SMS notifications are enabled. Data transfer to the USA covered by Standard Contractual Clauses.
- Meta Platforms Inc. (WhatsApp Cloud API, USA) — processing of client phone numbers for WhatsApp Business message delivery when WhatsApp notifications are enabled. Data transfer to the USA covered by Standard Contractual Clauses.
- Upstash Inc. (Redis, real-time messaging infrastructure) — temporary in-transit processing of session identifiers and event payloads for Server-Sent Events (SSE) real-time updates. Data is not persistently stored; messages are trimmed after 30 seconds.
8. Security Measures
The Processor implements the following technical and organizational measures pursuant to Article 32 GDPR:
- Encryption: TLS 1.2+ for all data in transit, AES-256-GCM encryption for sensitive data fields at rest (personal identification numbers, bank accounts)
- Access control: role-based access with entity-level tenant isolation, JWT session tokens with version-based invalidation, bcrypt password hashing (12 rounds)
- Monitoring: comprehensive audit logging of all data modification operations, rate limiting (login: 5/15min, API: varies by endpoint), account lockout after 10 failed attempts
- Application security: Content Security Policy headers, file upload validation with magic byte verification, input validation with Zod schemas, XSS prevention through React auto-escaping and CSP
9. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 48 hours of becoming aware of the breach. The notification shall include: a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. The Processor shall cooperate with the Controller in fulfilling the Controller's obligation to notify the supervisory authority (UOOU) within 72 hours under Article 33 GDPR and to communicate the breach to affected data subjects under Article 34 GDPR where required.
10. Data Return and Deletion
Upon termination of the Service, the Controller may request export of all personal data in a structured, commonly used, machine-readable format (JSON/CSV). The Processor shall make the data available for export for 30 days following termination. After this period, the Processor shall delete all personal data from its systems, unless EU or Czech law requires longer retention (e.g., financial records under Act No. 563/1991 Sb.). The Processor shall provide written confirmation of deletion upon the Controller's request. Data stored in encrypted backups will be purged according to the backup rotation schedule, not exceeding 90 days.