Data Processing Agreement
Effective: April 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the Keptt Terms of Service and governs the processing of personal data by Keptt Limited ("Processor") on behalf of the Customer ("Controller"), pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data-protection law.
1. Definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person (GDPR Art. 4(1))
- "Processing" — Any operation performed on Personal Data (GDPR Art. 4(2))
- "Data Controller" — The Customer who determines purposes and means of processing
- "Data Processor" — Keptt, which processes data on behalf of the Controller
- "Sub-processor" — A third party engaged to process data on behalf of the Controller
2. Subject Matter & Duration
The Data Processor processes Personal Data to provide digital HACCP compliance services including record-keeping, AI-assisted data extraction, team management, and compliance reporting. This DPA remains in effect for the duration of the Customer's subscription.
3. Nature & Purpose of Processing
| Purpose | Description |
|---|---|
| Service delivery | Storing and displaying HACCP compliance records |
| AI data extraction | Processing label images through AI to extract product information |
| AI chat assistant | Processing natural language queries for HACCP actions |
| Team management | Managing user accounts, roles, permissions, and tasks |
| Email communications | Sending invitations and password resets via Resend |
| Payment processing | Managing subscriptions and payments via Stripe |
| Audit logging | Immutable records of all data changes |
4. Types of Personal Data
Identity data (name, email), authentication data (hashed password, sessions), organizational data (org name, country, role), operational HACCP data (records attributed to users), AI interaction data (label images, chat messages), communication data (email), technical data (IP, user agent), and audit data (user ID, timestamps, change snapshots).
5. Categories of Data Subjects
Organization owners, managers, and staff members — all employees or authorized representatives of the Customer's food service business.
6. Data Processor Obligations
- Process data only on documented instructions of the Controller
- Ensure authorized persons are bound by confidentiality
- Implement appropriate security measures (see Appendix)
- Not engage Sub-processors without prior authorization
- Assist with Data Subject rights requests
- Notify Controller of data breaches within 72 hours
- Assist with data protection impact assessments
- Allow for compliance audits by the Controller
- Return or delete data upon subscription termination
7. Sub-processors
The Controller authorizes the following Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI label extraction and chat (ephemeral) | United States | SCCs |
| Stripe | Payment processing | United States / EU | SCCs, PCI-DSS Level 1 |
| Resend | Transactional email | United States | SCCs |
|  | OAuth authentication (optional) | United States | SCCs |
| DigitalOcean | Server infrastructure, database hosting | Amsterdam, Netherlands (EU) | EU data residency, encryption in transit (TLS 1.3) and at rest |
The Processor will notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object; unresolved objections permit subscription termination.
8. International Data Transfers
Personal Data may be transferred to Sub-processors located in the United States and other third countries. All transfers are protected by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and supplementary technical/organisational measures where required, ensuring compliance with GDPR Chapter V. A copy of the SCCs is available on request.
9. Data Controller Obligations
The Controller shall ensure a lawful basis for processing, provide accurate data, inform Data Subjects per GDPR Articles 13/14, respond to Data Subject requests, and notify the Processor of instruction changes.
10. Liability
Each party's liability is subject to the limitations in the Terms of Service.
11. Term & Termination
This DPA is effective from the start of the service for the duration of the subscription. Upon termination, data will be returned or deleted within 90 days at the Controller's choice, unless retention is required by law.
Appendix: Technical & Organizational Security Measures
TLS 1.3 in transit, database encryption at rest, cryptographic password hashing.
Email/password with hashed credentials, HTTP-only session cookies, three-role RBAC, multi-tenant isolation via tenantId on every query.
Zod input validation, Prisma parameterized queries, Better Auth CSRF protection, Stripe webhook verification, Next.js XSS protections.
Immutable append-only audit trail, PostgreSQL 16 transactional integrity.
Label images processed ephemerally, chat processed ephemerally (not retained for training), client-side image resizing, explicit user approval for AI write actions.
Confidentiality obligations, 72-hour breach notification, data processing agreements with all Sub-processors.
Contact
For DPA-related enquiries, contact our data-protection team at [email protected]. Service operated by Keptt Limited (CRO registration pending), Registered office: 56 Boroimhe Aspen, Fosterstown North, Swords, Co. Dublin, K67 Y381, Ireland.