Legal · effective January 1, 2026
Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the Terms of Service between Kabinet AI Ltd. ("Processor") and the customer ("Controller") and governs how we process personal data on your behalf under GDPR / UK GDPR / equivalent laws.
1. Roles
For Customer Content that is personal data, Customer is the Controller and Kabinet is the Processor. For account and billing data we collect directly from Customer, Kabinet is a Controller.
2. Subject matter and duration
Kabinet processes personal data to provide the Service for the duration of the Customer's subscription, and as required by law thereafter.
3. Nature, purpose, and types of data
- Nature — hosting, analyzing, and generating content based on inputs Customer provides.
- Purpose — to provide the Service and produce AI-generated outputs on Customer's instructions.
- Categories of data subjects — Customer's employees, contractors, prospects, customers — anyone whose data Customer chooses to feed into the platform.
- Types of personal data — names, emails, role titles, business contact information, content of business communications, metadata.
4. Processor obligations
Kabinet will:
- Process personal data only on Customer's documented instructions.
- Ensure personnel processing data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (Annex II).
- Notify Customer without undue delay (and within 72 hours) of becoming aware of a personal-data breach.
- Assist Customer in responding to data-subject requests and DPIAs.
- Delete or return all personal data at the end of the engagement.
- Make available all information necessary to demonstrate compliance and allow audits.
5. Sub-processors
Customer authorizes Kabinet to engage the sub-processors listed at /legal/sub-processors. Kabinet imposes equivalent data-protection obligations on every sub-processor and remains liable for their acts and omissions. Customer will be notified at least 30 days before any new sub-processor is added.
6. International transfers
Where data is transferred outside the EEA / UK to a country that does not have an adequacy decision, Kabinet relies on the European Commission's Standard Contractual Clauses (2021/914) or the UK Addendum, plus supplementary measures (encryption in transit and at rest, key management).
7. Annex I — Description of processing
See Privacy Policy and the "Information we collect" section for the full description.
8. Annex II — Security measures
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access control with mandatory multi-factor authentication for all production access.
- Encrypted, geographically redundant backups with documented recovery procedures.
- Continuous monitoring, anomaly detection, and audit logging.
- Annual penetration tests and quarterly vulnerability scans.
- Regular employee security training and least-privilege provisioning.
9. Liability
The liability provisions of the Terms of Service apply to this DPA and are not increased by it.
10. Signing this DPA
This DPA is incorporated into the Terms of Service. By using the Service you accept it. Customers requiring a counter-signed copy can request one at legal@kabinet-ai.com.