Data Processing Agreement

Last updated: June 1, 2026

1. Parties and Purpose

This Data Processing Agreement (“DPA”) is entered into between Kase Industries LLC, an Arizona limited liability company (“Processor”), and the Customer who has accepted the Kase Agent Terms of Service (“Controller”).

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Kase Agent service (“Service”). This DPA is incorporated into and made part of the Kase Agent Terms of Service.

The purpose of the processing is to enable the Processor to operate and deliver the Service as described in the Terms of Service, including operating an AI agent configured for the Controller’s business workflows.

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under this DPA.
  • Processing means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
  • Data Subject means any natural person whose Personal Data is processed under this DPA, which may include the Controller’s employees, clients, or contacts.
  • Sub-Processor means any third party that the Processor engages to process Personal Data on behalf of the Controller.
  • Security Incident means any confirmed or reasonably suspected unauthorized access, use, disclosure, modification, or destruction of Personal Data.

3. Nature and Categories of Processing

The Processor processes Personal Data only to the extent necessary to deliver the Service and as instructed by the Controller. The nature of processing includes storing conversation data, operating the AI agent on behalf of the Controller, accessing authorized third-party services (such as Gmail and Google Calendar), and generating AI responses.

Categories of Personal Data that may be processed include:

  • Contact and identification data (names, email addresses)
  • Business communications (emails, messages processed through the agent)
  • Calendar and scheduling data
  • Document content uploaded to the Service
  • Any other data the Controller chooses to process through the Service

The categories of Data Subjects include the Controller’s employees, customers, contacts, and any other individuals whose data appears in content processed through the Service.

4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller, including instructions given through use of the Service, unless otherwise required by law. The Processor will inform the Controller if it believes an instruction infringes applicable data protection law.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain the technical and organizational security measures described in Section 5.
  • Assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law.
  • Assist the Controller in ensuring compliance with obligations related to security of processing, notification of Security Incidents, and data protection impact assessments.
  • Delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires otherwise.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.

5. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

Encryption

All Personal Data is encrypted at rest using AES-256 encryption managed by Supabase. All data transmitted between the Controller, the Service, and Sub-Processors is encrypted in transit using TLS 1.3 or higher.

Access Controls

Access to Personal Data is restricted to personnel who require access to perform their job functions. Access privileges are reviewed regularly and revoked upon personnel changes. Multi-factor authentication is required for access to production systems.

Third-Party Access

Personal Data is not accessible to third parties without the Controller’s consent, except as required to operate the Service through the authorized Sub-Processors listed in Section 6.

Availability and Resilience

The Processor maintains infrastructure designed for high availability through Supabase’s managed database infrastructure, which includes automated backups, redundant storage, and point-in-time recovery capabilities.

6. Sub-Processors

The Controller provides general authorization for the Processor to engage the following Sub-Processors. The Processor will enter into written agreements with all Sub-Processors that impose data protection obligations no less protective than those in this DPA.

Sub-Processor       Purpose                              Location
Supabase            Database, storage, authentication    United States
Stripe              Payment processing                   United States
Anthropic           AI model inference                   United States
Resend              Transactional email delivery         United States
Brave Search API    Web search for agent                 United States

The Processor will notify the Controller of any intended changes to Sub-Processors by posting an updated list to the Kase Agent website at least 14 days before the change takes effect. The Controller may object to such changes in writing within 14 days of notice. If the Processor is unable to accommodate the objection, the Controller may terminate the Service without penalty.

7. Data Subject Rights

Upon receiving a request from a Data Subject exercising rights under applicable data protection law (such as the right to access, correct, or delete their personal data), the Processor will:

  • Promptly notify the Controller if it receives a request directly from a Data Subject
  • Not respond to such requests independently without Controller authorization, except to direct the Data Subject to contact the Controller
  • Assist the Controller in responding to the request within 30 days of the Controller’s written instruction
  • Provide the Controller with the technical means to fulfill deletion, access, and correction requests

8. Security Incident Notification

In the event that the Processor becomes aware of a confirmed or reasonably suspected Security Incident involving Personal Data processed under this DPA, the Processor will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident
  • Provide in the notification: a description of the nature of the incident, the categories and approximate number of Data Subjects affected, the categories and approximate volume of records affected, the likely consequences of the incident, and the measures taken or proposed to address the incident
  • Take immediate steps to contain and remediate the incident and to prevent further unauthorized access
  • Cooperate fully with the Controller and provide additional information as it becomes available

Notification by the Processor to the Controller does not constitute an acknowledgment of fault or liability. The Controller is responsible for any notifications required to regulators or Data Subjects under applicable law.

9. Data Return and Deletion

Upon termination or expiration of the Service agreement, the Processor will, at the Controller’s election:

  • Return all Personal Data to the Controller in a common, machine-readable format within 30 days of a written request; or
  • Securely delete all Personal Data within 30 days of the termination date, and provide the Controller with written confirmation of deletion

If no election is made, the Processor will retain Personal Data for 12 months following termination and then permanently delete it. The Processor may retain Personal Data beyond this period only where required by applicable law, in which case the Processor will notify the Controller of such requirements.

10. Audit Rights

The Controller may, upon 30 days’ written notice, request an audit of the Processor’s data processing activities and security measures related to this DPA. Audits may be conducted by the Controller directly or through a mandated independent auditor. The Processor will cooperate reasonably with such audits without unreasonable disruption to its operations.

The Processor may satisfy audit obligations by providing current third-party security certifications or audit reports (such as SOC 2) in lieu of a direct inspection, where applicable.

11. Governing Law

This DPA is governed by the laws of the State of Arizona, without regard to conflict of law principles. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Kase Agent Terms of Service.

12. Contact

Questions or notices under this DPA should be directed to:

Kase Industries LLC — Data Privacy

Arizona, United States

privacy@kaseagent.com