Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (DPA) forms part of the Terms of Service between Kai and any customer (Controller) whose personal data is processed by Kai (Processor) in the course of providing the platform services.
Scope of Processing
Kai processes personal data solely for the purpose of providing the shared asset management platform as described in the Terms of Service. Processing includes storage, retrieval, display, and deletion of data as directed by the Controller through normal use of the platform.
Categories of Data Processed
The following categories of personal data are processed:
- Identity data: name, email address, profile photo
- Contact data: phone number, billing address
- Financial data: IBAN, billing information, invoice records
- Usage data: bookings, usage logs, expense records, maintenance logs
- Communication data: messages, support tickets
- Technical data: IP address, browser type, consent records
Security Measures
Kai implements the following technical and organizational measures to protect personal data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-level security for data isolation between groups
- Role-based access control following the principle of least privilege
- Automated daily backups with point-in-time recovery
- Regular security audits and penetration testing
- No personally identifiable information sent to error monitoring
Subprocessors
Kai engages the following subprocessors. The Controller will be notified of any changes to this list:
- Supabase (AWS Frankfurt, EU) — Database and authentication
- Stripe (EU/US, SCC) — Payment processing
- Resend (US, SCC) — Email delivery
- Sentry (EU) — Error monitoring (no PII)
- Vercel (EU) — Application hosting
- Google Analytics & Ads (US, DPF) — Analytics and advertising (consent-dependent)
- Firebase / Google Cloud (EU) — File storage
- Cloudinary (US, SCC) — Image optimization
Breach Notification
In the event of a personal data breach, Kai will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
Data Subject Rights
Kai assists the Controller in fulfilling data subject requests including:
- Right of access — users can view all their data in the platform
- Right to rectification — users can update their profile and data
- Right to erasure — account deletion removes all personal data
- Right to data portability — users can export all their data as JSON
- Right to withdraw consent — cookie preferences can be changed at any time
Data Return and Deletion
Upon termination of the agreement, Kai will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller may export their data at any time before termination using the platform's built-in export features.
Contact
For questions about this DPA or to request a signed copy, contact us at [email protected]
