Data Processing Agreement

Scope

This DPA forms part of the Kuzy Terms of Service and applies when Kuzy processes Customer Personal Data on behalf of a customer through hosted Kuzy services. Kuzy is the trade name for the product and services at kuzy.ai and, in this DPA, refers to the operator of those services.

This DPA is intended to meet Article 28 of the EU GDPR and UK GDPR. If a customer needs a countersigned copy or legal entity details for procurement, regulatory, payment, or data-protection reasons, contact legal@kuzy.ai.

If a signed enterprise agreement or order form includes a separate DPA, that signed DPA controls for the processing it covers. Otherwise, this online DPA applies to hosted services.

Roles

For Customer Personal Data submitted to the hosted gateway, task history, collaboration features, support channels, or connected cloud services, the customer is the controller and Kuzy is the processor.

Kuzy acts as an independent controller for account administration, billing, fraud prevention, security monitoring, product analytics that are not Customer Personal Data processed on the customer's behalf, legal compliance, and direct communications with users.

Processing Details

  • Subject matter: providing a desktop coding agent and optional hosted services.
  • Duration: the subscription term, plus deletion and backup periods.
  • Nature and purpose: hosting account workspaces, routing authorised tasks, generating code or analysis, storing task metadata, debugging failures, securing the service, and providing support.
  • Data subjects: customer users, employees, contractors, end users whose data appears in customer materials, and support contacts.
  • Data categories: account identifiers, email addresses, workspace metadata, prompts, tool outputs, code snippets, logs, file names, error traces, and other content the customer chooses to send to hosted Kuzy services.
  • Special categories: not intentionally requested. Customers must avoid submitting special-category data unless they have a lawful basis and appropriate safeguards.

Local-only desktop activity, local files, local sandbox state, and BYOK credentials are not processed by Kuzy unless the customer chooses to send related content to hosted services.

Instructions

Kuzy processes Customer Personal Data only on documented customer instructions, including instructions in the Terms, DPA, product settings, support requests, and API calls. Kuzy will notify the customer if it believes an instruction violates applicable data-protection law, unless prohibited from doing so.

Kuzy personnel with access to Customer Personal Data are bound by confidentiality obligations and receive access only where needed for service operation, support, security, or legal compliance.

Sub-processors

Kuzy may use sub-processors for hosting, payment, authentication, email delivery, security, monitoring, support, and model inference. Kuzy remains responsible for sub-processors' processing of Customer Personal Data under this DPA.

Sub-processor categories:

  • Cloud infrastructure: hosting, storage, networking, backups. Typical providers: AWS, Cloudflare, or equivalent.
  • Payments: checkout, invoices, subscription management. Typical provider: Stripe.
  • Authentication and email: login, transactional notices, account security. Typical providers: OAuth and transactional email providers.
  • Model providers: LLM inference for hosted tasks the customer chooses to send. Typical providers: OpenAI, Anthropic, OpenRouter, or selected model providers.
  • Support and monitoring: ticket handling, error diagnostics, uptime monitoring.

Kuzy will provide notice before materially changing sub-processors where required by law or contract. Customers may object on reasonable data-protection grounds by contacting privacy@kuzy.ai. If the objection is not resolved, the customer may terminate the affected hosted service and receive a pro-rated refund for prepaid unused fees for that affected service, unless a signed agreement states a different remedy.

Transfers

Customer Personal Data may be processed in the United Kingdom, European Economic Area, United States, and other locations where Kuzy or sub-processors operate. For restricted international transfers, Kuzy relies on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum or equivalent transfer mechanism, and supplementary security measures.

Where the Standard Contractual Clauses apply, the relevant module is generally Module Two (controller to processor) for Customer Personal Data. For onward processor transfers, Kuzy requires substantially similar safeguards from sub-processors.

Security

Baseline measures:

  • TLS encryption in transit and encryption at rest for primary hosted stores.
  • Least-privilege access controls for production systems.
  • Separate production and development environments.
  • Audit logging for administrative access and security-relevant actions.
  • Secret handling designed to avoid storing customer BYOK keys unless explicitly required for a hosted feature.
  • Dependency updates, vulnerability monitoring, and incident-response procedures.
  • Backups protected by access controls and retained only for operational recovery windows.

These measures may evolve as Kuzy changes infrastructure, vendors, or enterprise features. Kuzy will not materially reduce the overall security of hosted services during a paid term.

Assistance

Taking into account the nature of processing and information available to Kuzy, Kuzy will reasonably assist customers with data-subject requests, security obligations, data-protection impact assessments, regulator consultations, and deletion or export requests related to Customer Personal Data.

Incident Notice

Kuzy will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data. Where feasible, Kuzy aims to provide notice within 72 hours of confirmation and include the nature of the incident, affected data categories, likely consequences, mitigation steps, and a contact point for follow-up.

Audit

Kuzy will make available information reasonably necessary to demonstrate compliance with this DPA. Where required, customers may request an audit no more than once per year on at least 30 days' notice, subject to confidentiality, security, and operational limits. Audits must not expose other customers' data or Kuzy trade secrets.

Kuzy may satisfy routine audit requests by providing security summaries, policy excerpts, sub-processor information, certification reports where available, or written responses before permitting an on-site or invasive audit.

Return and Deletion

During the term, customers can request export or deletion of Customer Personal Data to the extent available through the product or by contacting privacy@kuzy.ai. On termination, Kuzy will delete or return Customer Personal Data according to the customer's written instruction, unless retention is required for law, security, dispute resolution, billing, fraud prevention, or backup integrity.

Deleted data may remain in encrypted backups until the normal backup cycle expires, but is isolated from active processing unless restored for security, continuity, or legal reasons.