Get started freeSign in

Legal

Data Processing Agreement

Effective date: March 20, 2026

This Data Processing Agreement ("DPA") supplements and is incorporated into the Kybra Terms of Service. It applies when Kybra processes personal data on your behalf as a data processor under the GDPR, CCPA, or equivalent legislation. For enterprise DPA execution, contact [email protected].

1. Definitions

  • "Controller" means you, the customer, who determines the purposes and means of processing personal data.
  • "Processor" means Kybra, Inc., which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Service.
  • "Processing" has the meaning given in applicable data protection law.

2. Scope of Processing

Kybra processes personal data solely to provide the Service as described in the Terms of Service and as directed by the Controller. Kybra will not process personal data for any other purpose, including for Kybra's own commercial benefit, without explicit written authorization.

The subject matter, duration, nature, and purpose of processing, as well as the types of personal data and categories of data subjects, are determined by the Controller's use of the Service.

3. Processor Obligations

Kybra will:

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the Service, at the Controller's choice
  • Make available information necessary to demonstrate compliance with this DPA
  • Notify the Controller without undue delay upon becoming aware of a personal data breach

4. Sub-processors

Kybra uses sub-processors to deliver the Service, including cloud infrastructure, payment processing, and monitoring providers. A current list of sub-processors is available upon request.

Kybra will provide at least 30 days' notice before engaging a new sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, Kybra will work in good faith to find an alternative. If no alternative is available, the Controller may terminate the affected Service.

5. Security Measures

Kybra implements technical and organizational measures appropriate to the risk of processing, including encryption in transit and at rest, access controls, audit logging, and regular security assessments. See our Security page for details.

6. International Transfers

Personal data is processed in the United States. For transfers of personal data from the European Economic Area, UK, or Switzerland, Kybra relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Executed SCCs are available upon request.

7. Data Subject Rights

Kybra will assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by applicable law, to the extent technically feasible.

8. Audits

Upon reasonable advance written notice, Kybra will cooperate with the Controller's audits of Kybra's data processing activities, either directly or through an independent third-party auditor bound by confidentiality obligations.

9. Enterprise DPA Execution

Enterprise customers requiring a countersigned DPA should contact [email protected]. Custom DPA terms are available for customers with specific regulatory requirements.

10. Contact

Data protection inquiries: [email protected]
Kybra, Inc., TODO: Add registered company address