Data Processing Agreement

Effective 2026-05-01 · Version 1.0 · Pre-signed by Kaito

This is the public DPA. Customers may either click-accept inside the dashboard (auto-binds to the org) or download the counter-signable PDF from legal@kaito.io.

1. Subject matter, duration, nature, purpose

This DPA governs the processing of personal data by Kaito (Processor) on behalf of the Customer (Controller) for the duration of the Service, in support of the use cases described in our Terms of Service.

2. Data subjects and data categories

Data subjects: Customer's authorized users and the senders of inbound SMS messages. Categories: account information, authentication metadata, audit log entries, encrypted TOTP seeds, SMS message contents, and related metadata.

3. Sub-processing

Customer authorizes Kaito to engage the subprocessors listed at /legal/subprocessors. Customer will be notified of additions or material changes at least 30 days in advance.

4. International transfers

Where Customer Personal Data is transferred outside the EEA/UK, the EU Standard Contractual Clauses (SCCs, 2021/914) and the UK Addendum apply, and are incorporated by reference.

5. Security measures

Kaito implements the technical and organizational measures described in the security overview at /security, including AES-256-GCM encryption at rest, argon2id password hashing, multi-factor authentication, role-based access control, and tamper-evident audit logging.

6. Audit rights

Kaito will respond in good faith to reasonable audit requests by providing the latest SOC 2 report, security whitepaper, and pen test summary under NDA. On-site audits are available for Enterprise customers under reasonable conditions.

7. Personal data breach notification

Kaito will notify Customer without undue delay and no later than 24 hours after becoming aware of a personal data breach affecting Customer Personal Data, including the nature of the breach, likely consequences, and measures taken.

8. Return or deletion at end of services

On termination of the Service, Customer may export their data for 30 days. After that, all Customer Personal Data is cryptographically shredded, and any backups containing it are also shredded within 30 additional days.

9. Liability and conflicts

The terms of the Master Subscription Agreement (Terms of Service) apply to liability under this DPA. In the event of conflict, the DPA prevails for matters of personal data processing.