Attorney Review Required: This document was drafted as a starting template. Have it reviewed by a licensed attorney before publishing or executing.
Data Processing Agreement
Last updated: June 22, 2026
This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement (“MSA”) between Krauvix LLC (“Krauvix” or “Processor”) and the Customer (“Controller”). This DPA is designed to comply with Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
1. Definitions
Unless otherwise defined, capitalized terms in this DPA have the meanings given below. Terms not defined here have the meanings given in the MSA or applicable data protection law.
- “Controller” means the entity that determines the purposes and means of Processing Personal Data (the Customer).
- “Processor” means the entity that Processes Personal Data on behalf of the Controller (Krauvix).
- “Personal Data” means any information relating to an identified or identifiable natural person that is included in Customer Data and Processed by Krauvix on behalf of Customer.
- “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.
- “Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Sub-processor” means any Processor engaged by Krauvix to Process Personal Data on behalf of Customer.
- “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission.
2. Appointment of Processor
2.1 Roles
Customer (Controller) appoints Krauvix (Processor) to Process Personal Data on Customer's behalf for the purpose of providing the Service as described in the MSA.
2.2 Nature and Purpose of Processing
Krauvix will Process Personal Data solely to: (a) provide the Krauvix procurement ERP platform and its features; (b) maintain and improve security and reliability; and (c) comply with applicable legal obligations.
2.3 Categories of Personal Data
The Personal Data Processed may include: name, email address, job title, employer, business contact information, user activity data, and any other personal data included in Customer Data (such as supplier contacts, employee approver data, or invoice recipients).
2.4 Categories of Data Subjects
Data Subjects may include: Customer's employees, contractors, and administrators; supplier contacts and representatives; and other third parties whose personal data appears in Customer Data.
3. Processing Instructions
Krauvix shall Process Personal Data only on Customer's documented instructions, including as set out in this DPA and the MSA. Krauvix shall not Process Personal Data for any other purpose, unless required by applicable EU or EU Member State law, in which case Krauvix shall inform Customer before Processing (unless legally prohibited from doing so).
Customer acknowledges that use of the Service constitutes an instruction to Krauvix to Process Personal Data as necessary to provide the Service.
If Krauvix believes an instruction from Customer violates applicable data protection law, Krauvix will promptly inform Customer and may suspend Processing of the relevant data until Customer provides revised instructions.
4. Confidentiality of Processing
Krauvix shall ensure that all persons authorized to Process Personal Data (employees, contractors, Sub-processors) are subject to appropriate confidentiality obligations — whether by contract, professional duty, or statutory requirement — and have received appropriate data protection training.
Krauvix maintains internal data handling policies restricting access to Personal Data to those employees with a legitimate need to access it in connection with the Service.
5. Security Measures
Krauvix shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption at rest: Personal Data stored in Supabase is encrypted using AES-256
- Encryption in transit: All data transmissions use TLS 1.2 or higher
- Access controls: Role-based access controls (RBAC), principle of least privilege, and mandatory multi-factor authentication (MFA) for Krauvix personnel accessing production systems
- Logging and monitoring: Audit logs of access to Personal Data and security monitoring for anomalous activity
- Incident response: Documented incident detection and response procedures
- Vendor assessments: Security due diligence for all Sub-processors
- SOC 2: SOC 2 Type II certification in progress; reports will be made available to Enterprise customers upon completion
Krauvix will review and, where necessary, update security measures to reflect changes in technology and risk, in accordance with Article 32 of the GDPR.
6. Sub-processors
6.1 Authorized Sub-processors
Customer provides general authorization for Krauvix to engage Sub-processors as part of delivering the Service. The following Sub-processors are currently authorized:
| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Anthropic PBC | AI/ML processing — contract analysis, risk scoring, procurement recommendations | USA | View |
| Supabase Inc. | Database hosting and storage for Customer Data | USA / EU | View |
| Stripe Inc. | Payment processing and subscription management | USA | View |
| Vercel Inc. | Application hosting and content delivery | USA | View |
6.2 Sub-processor Changes
Krauvix will notify Customer at least thirty (30) days before adding or replacing a Sub-processor that Processes Personal Data. Customer may object in writing within ten (10) days of such notice; if Krauvix cannot accommodate the objection, Customer may terminate the affected Service with a pro-rata refund for the unused portion of the Subscription Term.
6.3 Sub-processor Obligations
Krauvix requires all Sub-processors to Process Personal Data only on Krauvix's instructions and to implement security measures equivalent to those required of Krauvix under this DPA. Krauvix remains responsible for Sub-processor compliance.
7. Data Subject Rights
Krauvix shall, taking into account the nature of the Processing, assist Customer in fulfilling its obligations to respond to Data Subject requests under applicable data protection law (including GDPR Articles 15–22).
If Krauvix receives a request directly from a Data Subject seeking to exercise their rights, Krauvix will promptly notify Customer and will not respond to the request except on Customer's instructions, unless required by applicable law.
Krauvix provides Customer with the ability to: (a) access and export Customer Data via platform tools; (b) delete specific records or entire Customer Data sets; and (c) correct data within the platform. For requests requiring Krauvix's direct assistance, contact privacy@krauvix.com.
8. Data Breach Notification
In the event of a confirmed or suspected Data Breach affecting Personal Data, Krauvix shall:
- Notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach
- Provide, to the extent then known: (a) a description of the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate volume of Personal Data records affected; (d) the likely consequences of the breach; and (e) measures taken or proposed to address the breach
- Reasonably cooperate with Customer's investigation and provide additional information as it becomes available
Notification to Customer does not constitute an acknowledgment by Krauvix of fault or liability.
Customer is responsible for making any required notifications to supervisory authorities and affected Data Subjects. Krauvix will assist Customer in meeting such obligations.
9. Data Protection Impact Assessment
Krauvix shall provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35, taking into account the nature of the Processing and information available to Krauvix.
Upon Customer's request, Krauvix will provide relevant documentation about the Service's data flows, security measures, and sub-processors to support a DPIA. Contact privacy@krauvix.com to request DPIA support materials.
10. Return and Deletion of Data
Upon expiration or termination of the MSA, Krauvix shall, at Customer's election:
- Return: Export Customer Data in a standard machine-readable format (CSV, JSON) via the platform export tools, available for thirty (30) days after termination; or
- Delete: Securely delete all Personal Data and Customer Data, and provide written certification of deletion within forty-five (45) days
Krauvix may retain Personal Data beyond the above period where required by applicable EU or Member State law, subject to ongoing confidentiality and security obligations. Automated backup copies will be overwritten in the normal course of backup rotation.
11. Audit Rights
Krauvix shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including:
- Security documentation and certifications (SOC 2 reports, upon completion)
- Responses to written security questionnaires
- Sub-processor information as described in Section 6
Customer (or its designated auditor) may conduct an on-site audit of Krauvix's data processing facilities and practices relevant to this DPA, subject to:
- At least thirty (30) days' prior written notice
- Mutual agreement on scope, timing, and logistics
- Execution of a confidentiality agreement to protect Krauvix's proprietary and other customer information
- No more than once per calendar year (unless a Data Breach has occurred)
Customer shall bear the costs of any such audit unless the audit reveals a material non-compliance by Krauvix.
12. International Transfers
Krauvix Processes and stores Personal Data in the United States and, in some cases, in other countries where Sub-processors operate.
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, Krauvix relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Regulation (EU) 2016/679), incorporated into this DPA by reference
- UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom, as applicable
The SCCs apply with Krauvix as the data importer and Customer as the data exporter for Controller-to-Processor transfers (Module Two). A copy of the applicable SCCs is available on request by contacting privacy@krauvix.com.
13. Term
This DPA is effective from the date Customer first accepts the MSA (or executes an Order Form) and continues for the duration of the MSA, including any renewal periods.
Sections 5 (Security), 8 (Breach Notification), 10 (Return and Deletion), and 12 (International Transfers) survive termination of the MSA for the periods described therein.
In the event of any conflict between this DPA and the MSA regarding the processing of Personal Data, this DPA takes precedence.
For questions about this DPA, to request Sub-processor information, or to exercise data protection rights, contact: privacy@krauvix.com.