19  Data Processing Agreement (DPA) — Notes

Audience: client legal/privacy. Purpose: the data-processing terms that sit alongside the MSA (PRD App H). Reference: IAPP DPA templates; GDPR Art. 28 structure. This is a notes/structure doc — the executable DPA comes from legal counsel.

19.1 Points to cover

  • Roles — operator = controller; Kav AI = processor.
  • Scope & purpose — process facility/inspection data solely to provide the service.
  • Data types — inspection imagery, SCADA reads, asset metadata (note: not personal data heavy, but confirm any operator personnel data in logs/accounts).
  • Sub-processors — list + approval rights (cloud, LLM API); on-prem eliminates these.
  • Security measures — reference the Security & Trust Whitepaper / PRD App F.7.
  • Data residency — customer-cloud and on-prem options keep data in operator perimeter.
  • Retention & deletion — deletion within 30 days of termination, backups purged 90 days (PRD App H.1).
  • Model-training consent — no training on operator data without explicit written opt-in (PRD App H.1).
  • Breach notification — 72 hours.
  • International transfer — SCCs if applicable.

Align with PRD App H so the DPA and MSA never contradict.