Data Processing Agreement

Last updated: April 11, 2026

1. Definitions

"Data Controller" means the Customer (you), who determines the purposes and means of processing personal data using the Service.

"Data Processor" means Kiuei, which processes personal data on behalf of the Data Controller in connection with providing the Service.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the General Data Protection Regulation (GDPR).

2. Purpose and Scope of Processing

The Data Processor shall process Personal Data only for the purposes of providing the Kiuei test management platform, including:

• User account management and authentication
• Test case management, execution, and reporting
• Collaboration features (comments, assignments, notifications)
• Billing and subscription management
• Service analytics and performance monitoring

Processing is limited to the data categories necessary to deliver the Service as described in our Terms of Service.

3. Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling obligations to respond to Data Subject requests, including:

• Right of Access: Data subjects may request a copy of their personal data.
• Right to Rectification: Data subjects may request correction of inaccurate data.
• Right to Erasure: Data subjects may request deletion of their personal data.
• Right to Restriction: Data subjects may request restriction of processing.
• Right to Data Portability: Data subjects may request their data in a structured, machine-readable format.
• Right to Object: Data subjects may object to processing of their personal data.

The Data Processor will respond to such requests within 30 days and notify the Data Controller without undue delay.

4. Security Measures

The Data Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Regular security assessments and penetration testing
• Access controls and role-based permissions
• Multi-factor authentication support
• Automated backups with encryption
• Network-level security controls and monitoring
• Employee security training and confidentiality agreements

5. Sub-Processors

The Data Processor may engage sub-processors to assist in providing the Service. Current sub-processors include:

• Cloud Infrastructure: Hosting and data storage
• Stripe: Payment processing
• Email Service Provider: Transactional email delivery

The Data Processor shall notify the Data Controller of any intended changes to sub-processors, providing the Data Controller with an opportunity to object. Sub-processors are bound by data processing obligations no less protective than those in this agreement.

6. Data Breach Notification

In the event of a personal data breach, the Data Processor shall:

• Notify the Data Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
• Provide sufficient information to enable the Data Controller to meet its obligations under applicable data protection laws.
• Cooperate with the Data Controller in investigating and mitigating the breach.
• Document all breaches, including their effects and remedial actions taken.

7. Data Deletion Upon Termination

Upon termination or expiry of the Service agreement:

• The Data Processor shall, at the Data Controller's choice, delete or return all Personal Data within 30 days.
• The Data Controller may request a data export prior to account deletion.
• The Data Processor shall delete all existing copies of Personal Data unless applicable law requires retention.
• The Data Processor will provide written confirmation of data deletion upon request.

8. GDPR Compliance

Both parties agree to comply with their respective obligations under the General Data Protection Regulation (EU) 2016/679 and any applicable national implementing legislation. The Data Processor shall:

• Process Personal Data only on documented instructions from the Data Controller.
• Ensure that persons authorized to process Personal Data have committed to confidentiality.
• Make available all information necessary to demonstrate compliance with GDPR obligations.
• Allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Data Processor shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other valid transfer mechanisms under GDPR.

10. Contact Information

For any questions or requests related to this Data Processing Agreement, please contact us at:

dpa@kiuei.com