Data Processing Addendum

Data Processing Addendum

Version draft · last updated 5 June 2026

This is a working draft provided for review. The executable version, including Standard Contractual Clauses, is issued and counter-signed on request — email legal@kerdour.com. It is pending final legal review and does not yet constitute a binding agreement.

1Roles of the parties

For Customer Content processed through the service, the Customer is the Controller and Kerdour is the Processor. Kerdour processes Customer Content only on the Customer’s documented instructions, including as set out in this Addendum and the underlying agreement.

2Subject-matter, duration, nature & purpose

Kerdour processes Customer Content to provide the operating-intelligence platform — storing, organising, analysing and surfacing the Customer’s deals, documents, communications and contacts — for the duration of the agreement. Categories of data subjects and personal data are those the Customer chooses to load into the platform.

3Customer instructions

Kerdour will not process Customer Content for any purpose other than providing the service and as instructed, and will inform the Customer if an instruction infringes applicable data-protection law. Customer Content is never used to train third-party models, and is not used to improve Kerdour across customers without the Customer’s explicit opt-in.

4Confidentiality

Personnel authorised to process Customer Content are bound by confidentiality. Routine operations expose metadata only; access to Customer Content requires a scoped, time-boxed, logged and Customer-visible break-glass grant.

5Security measures

Kerdour maintains appropriate technical and organisational measures, including: encryption in transit and at rest; per-organisation logical isolation; least-privilege, role-based access; append-only audit logging; secure software development and dependency hygiene; and tested backups. A current summary is on the Trust Center.

6Subprocessors

The Customer authorises Kerdour to engage the subprocessors listed on the Trust Center, each bound by data-protection terms no less protective than this Addendum. Kerdour will give notice of intended changes so the Customer may object.

7International transfers

Customer Content is hosted in the EU. Where processing by a subprocessor occurs outside the EEA/UK, it is covered by an adequacy decision or appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

8Assistance to the Controller

Taking into account the nature of processing, Kerdour assists the Customer with data-subject requests, security, breach notification and data-protection impact assessments. Customers can export their organisation’s data from within the platform at any time, and may request erasure on termination or otherwise.

9Personal-data breach

Kerdour will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Content, with the information reasonably available to assist the Customer’s own obligations.

10Return & deletion

On termination, Kerdour will, at the Customer’s choice, return or delete Customer Content within a reasonable period, save where retention is required by law.

11Audit

Kerdour will make available information reasonably necessary to demonstrate compliance with this Addendum and contribute to audits, subject to confidentiality and reasonable scheduling.

Need a counter-signed DPA?

We’ll issue the executable version with SCCs for signature.

Request a signed DPA