19 Data Processing Agreement (DPA) — Notes
Audience: client legal/privacy. Purpose: the data-processing terms that sit alongside the MSA (PRD App H). Reference: IAPP DPA templates; GDPR Art. 28 structure. This is a notes/structure doc — the executable DPA comes from legal counsel.
19.1 Points to cover
- Roles — operator = controller; Kav AI = processor.
- Scope & purpose — process facility/inspection data solely to provide the service.
- Data types — inspection imagery, SCADA reads, asset metadata (note: not personal data heavy, but confirm any operator personnel data in logs/accounts).
- Sub-processors — list + approval rights (cloud, LLM API); on-prem eliminates these.
- Security measures — reference the Security & Trust Whitepaper / PRD App F.7.
- Data residency — customer-cloud and on-prem options keep data in operator perimeter.
- Retention & deletion — deletion within 30 days of termination, backups purged 90 days (PRD App H.1).
- Model-training consent — no training on operator data without explicit written opt-in (PRD App H.1).
- Breach notification — 72 hours.
- International transfer — SCCs if applicable.
Align with PRD App H so the DPA and MSA never contradict.