GDPR Art. 28
Data Processing Agreement
Effective date: 1 April 2026
Processor: Kardu Technologies S.L. (“Kardu”)
Controller: The Customer who has accepted Kardu's Terms of Service and uses the Kardu platform (“Customer”).
This DPA forms part of and is incorporated into Kardu's Terms of Service. By accepting the Terms, the Customer enters into this DPA on behalf of their organisation.
1. Subject matter and duration
Kardu processes personal data on behalf of the Customer solely to provide the GRC platform services described in the Terms of Service (“Services”). Processing begins on account creation and continues until the Customer terminates their account or 30 days after termination (data deletion period).
2. Nature and purpose of processing
Kardu processes personal data to: (a) provide platform functionality including storing and displaying Customer-entered compliance data; (b) authenticate users; (c) deliver transactional emails; (d) collect anonymised product analytics; and (e) provide error monitoring and performance tracking.
3. Type of personal data processed
- User account information (name, work email, company details)
- Authentication credentials (hashed passwords, MFA data)
- Compliance content entered by users (which may include employee names, roles, contact details)
- Usage metadata (event timestamps, IP addresses for rate limiting)
- Audit log entries linked to user identifiers
4. Categories of data subjects
- Customer's employees and contractors who are granted platform access
- Individuals referenced in compliance content (e.g. task owners, risk owners, evidence custodians)
5. Processor obligations
5.1 Confidentiality
Kardu ensures that all personnel with access to Customer personal data are bound by confidentiality obligations. Access is restricted on a need-to-know basis.
5.2 Security measures
Kardu implements appropriate technical and organisational measures including: TLS 1.3 encryption in transit; AES-256 encryption at rest; row-level security (RLS) enforcing strict tenant isolation at the database level; multi-factor authentication; and immutable audit logging. See the Security page for details.
5.3 Sub-processors
Kardu engages the sub-processors listed in Section 6. Kardu will provide 30 days' notice before adding or replacing sub-processors. The Customer may object in writing within that period.
5.4 Data subject rights
Kardu will assist the Customer in fulfilling data subject rights requests (access, rectification, erasure, portability) by providing appropriate technical capabilities in the platform. Where direct assistance is required, Kardu will respond within 5 business days.
5.5 Breach notification
Kardu will notify the Customer of a personal data breach without undue delay and in any event within 48 hours of becoming aware, providing sufficient information to enable the Customer to meet its notification obligations under GDPR Art. 33–34.
5.6 Audit rights
Kardu will provide information reasonably necessary to demonstrate compliance with this DPA upon written request. On-site audits may be conducted with 30 days' prior notice, no more than once per year, at the Customer's expense.
5.7 Instructions
Kardu processes personal data only on documented instructions from the Customer (as implemented through use of the platform). If Kardu is required by applicable law to process data for other purposes, it will inform the Customer unless prohibited.
6. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, storage, authentication | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU (Frankfurt, fra1) |
| Sendinblue SAS (Brevo) | Transactional email delivery | EU (GDPR DPA) |
| Stripe Inc. | Payment processing | Global (SCCs in place) |
| PostHog Inc. | Anonymous product analytics | EU (eu.posthog.com) |
| AppSignal B.V. | Error and performance monitoring | EU (Netherlands) |
7. Return and deletion of data
Upon termination of the Services, Kardu will: (a) allow the Customer to export their compliance data for 30 days; (b) after 30 days, delete all Customer personal data from production systems; (c) provide written confirmation of deletion upon request.
Kardu may retain anonymised, aggregated data that cannot identify the Customer or any individual for product improvement purposes.
8. Liability
Each party shall be liable to the other for any damages arising from a breach of this DPA. Kardu's total liability under this DPA shall not exceed the amounts paid by the Customer in the twelve months preceding the claim. Nothing in this DPA limits liability for wilful misconduct or fraud.
9. Governing law
This DPA is governed by the laws of Spain and subject to the jurisdiction of the courts of Barcelona, Spain.
For DPA enquiries or to request a signed copy: privacy@kardu.eu