Kenneth AI

Data Processing Addendum (“DPA”)

Last Updated: 8th July 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement (the “Agreement”) between Crescent Advisors Ltd (T/A Kenneth AI) (“Kenneth AI”, “Company”, “Processor”) and the customer who has entered into the Agreement (“Customer”, “Client”, “Controller”).

This DPA is effective as of the date the Customer agrees to the Agreement and reflects the parties' agreement with regard to the Processing of Personal Data submitted by or for Customer to the Service. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall prevail with regard to the subject matter of data protection.

1. DEFINITIONS

Unless otherwise stated, capitalised terms used in this Addendum—including “UK GDPR”, “EU GDPR”, “Personal Data”, “Processing”, “Controller”, and “Processor”—shall bear the meanings ascribed to them in (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “EU GDPR”), and (ii) the UK Data Protection Act 2018 together with the UK GDPR as defined therein (collectively, the “Data-Protection Laws”).

2. SUBJECT-MATTER AND DURATION

2.1 The subject-matter of the Processing is the Personal Data supplied or generated through the Client’s use of Kenneth’s cloud-based onboarding form (the “Service”).

2.2 Processing shall commence on the date the Service enters the Pilot Term and shall continue for the duration of that Pilot Term.

2.3 Upon expiry or termination of the Pilot Term the Processor shall, at the Controller’s written election, either (a) securely erase or (b) return to the Controller all Personal Data (including any copies thereof) within thirty (30) calendar days, save to the extent that the Processor is required by applicable law to retain such Personal Data.

3. NATURE AND PURPOSE OF PROCESSING

The Processing shall comprise:

  • (a) the collection, structuring, storage, consultation, and export of insolvency-case information provided by or on behalf of the Controller;
  • (b) the read-only aggregation of directors’ bank-transaction data obtained via an authorised Open-Banking application programming interface; and
  • (c) ancillary activities strictly necessary for the operation, maintenance, and security of the Service.

No automated decision-making or profiling, as contemplated by Article 22 EU/UK GDPR, shall be undertaken pursuant to this Addendum.

4. CATEGORIES OF DATA AND DATA SUBJECTS

Details are set out in Annex 1 hereto and form an integral part of this Addendum.

5. PROCESSOR OBLIGATIONS

The Processor shall:

  • (a) Process Personal Data solely on the documented instructions of the Controller, unless otherwise required by law (in which case, the Processor shall notify the Controller before Processing, unless the law prohibits such notice);
  • (b) ensure that all persons authorised to Process Personal Data are subject to a written duty of confidentiality;
  • (c) implement and maintain the technical and organisational measures described in Annex 2;
  • (d) provide reasonable assistance to the Controller in responding to Data-Subject requests, carrying out data-protection impact assessments, and consulting with supervisory authorities, in each case to the extent required by Data-Protection Laws;
  • (e) notify the Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal-Data Breach; and
  • (f) upon termination of the Processing, delete or return Personal Data as set out in Clause 2.3 above.

6. SUB-PROCESSORS

6.1 The Controller provides a general written authorisation for Kenneth AI to engage third-party sub-processors to Process Personal Data in connection with the provision of the Service. A current list of all sub-processors engaged by Kenneth AI is maintained at https://kenneth.chat/legal/subprocessors (the “Sub-processor List”).

6.2 Kenneth AI shall provide the Controller with at least ten (10) days’ prior written notice of any new sub-processor appointment by updating the Sub-processor List. The Controller may object to the appointment of a new sub-processor on reasonable, data-protection-related grounds by notifying Kenneth AI in writing within ten (10) days of the notice. If the parties cannot resolve the objection, the Controller may terminate the Agreement in accordance with its terms.

6.3 Kenneth AI shall impose data-protection obligations on each sub-processor that are no less protective than those set out in this DPA. Kenneth AI remains liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing the services of each sub-processor directly under the terms of this DPA.

7. INTERNATIONAL TRANSFERS

7.1 The Processor shall, by default, host and store all Personal Data within the United Kingdom.

7.2 Where the Processor or any authorised sub-processor engages in a transfer of Personal Data to a country or territory outside the United Kingdom not deemed adequate under UK Data Protection Laws (a "Restricted Transfer"), such transfer shall be governed by the appropriate safeguards as set out in Annex 3 of this DPA, which is hereby incorporated by reference. The parties agree that by entering into this DPA, they are also entering into the transfer mechanisms described in Annex 3 as required.

8. SECURITY AND AUDIT RIGHTS

8.1 The Processor shall maintain an information-security programme aligned with ISO 27001 and shall host the Service on infrastructure that holds a current SOC 2 (Type II) certification.

8.2 Once in any twelve-month period, and upon at least fourteen (14) days’ prior written notice, the Controller may audit the Processor’s compliance with this Addendum, either (a) by reviewing a summary of the Processor’s most recent penetration-test report or SOC 2 attestation, or (b) by conducting (or appointing an independent auditor to conduct) an on-site or remote audit, subject to the Processor’s reasonable security and confidentiality procedures.

9. LIABILITY AND GOVERNING LAW

9.1 The liability of each party under this Addendum shall be subject to the limitations and exclusions of liability set out in the Agreement.

9.2 This Addendum (and any dispute or claim arising out of or in connection with it) shall be governed by, and construed in accordance with, the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any such dispute or claim.

10. KENNETH AI’S ROLE AS A CONTROLLER

10.1 The parties acknowledge and agree that, in addition to acting as a Processor for Personal Data within User Data, Kenneth AI also acts as an independent Controller for certain categories of data related to the management and operation of the Service. This includes:

  • (a) Account Data: Personal Data relating to the Customer’s relationship with Kenneth AI, including the names, job titles, and contact information (such as email and phone number) of individuals authorised by the Customer to access the Service, as well as billing and administrative contact information.
  • (b) Usage Data: Technical and operational data generated from the use of the Service, such as service usage statistics, activity logs, IP addresses, browser and device information, and diagnostic data used to monitor the security, performance, and stability of the Service.

10.2 Kenneth AI, as an independent Controller, will Process Account Data and Usage Data for the following purposes:

  • (a) To manage the customer relationship, administer accounts, and provide customer support;
  • (b) For billing, accounting, and other core business operations;
  • (c) To monitor, investigate, prevent, and detect fraud, security incidents, and other misuse of the Service;
  • (d) To improve and optimise the Service and develop new features; and
  • (e) To comply with legal or regulatory obligations.

10.3 Any processing by Kenneth AI as a Controller shall be in accordance with its public-facing Privacy Policy.

ANNEX 1 – DETAILS OF PROCESSING

Data Subjects:

Directors, shareholders, creditors, employees, suppliers connected to Client’s CVL cases

Personal Data:

  • Names
  • Date of birth
  • Contact details
  • NI numbers
  • Employment & salary data
  • Bank account identifiers
  • Transaction descriptors (read-only)
  • Uploaded ID / corporate documents

ANNEX 2 – TECHNICAL & ORGANISATIONAL MEASURES (TOMs)

  • Data stored in Supabase London
  • Data in transit secured with TLS 1.2+
  • Role-based access control (RBAC) and MFA for all admin accounts
  • Weekly vulnerability scans
  • Annual external penetration testing
  • Incident response playbook with 24-hour breach notification SLA

ANNEX 3 – INTERNATIONAL TRANSFER MECHANISMS

1. UK International Data Transfers

1.1 For any Restricted Transfer of Personal Data subject to the UK GDPR, the parties agree to be bound by the terms of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner’s Office (the “UK Addendum”).

1.2 The UK Addendum is hereby incorporated by reference and is deemed completed as follows:

  • (a) Part 1: Tables
    • Table 1 (Parties): The “Exporter” is the Customer, and the “Importer” is Kenneth AI, as defined in the preamble of this DPA.
    • Table 2 (Selected SCCs): The "Approved EU SCCs" are the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The relevant module is Module Two (Controller to Processor).
    • Table 3 (Appendix Information): The information required for the Appendix of the Approved EU SCCs is supplied by the Annexes of this DPA as follows:
      • Annex I.A (List of Parties): As set out in Table 1 above.
      • Annex I.B (Description of Transfer): As described in Annex 1 of this DPA.
      • Annex I.C (Competent Supervisory Authority): The competent supervisory authority is the UK Information Commissioner's Office (ICO).
      • Annex II (Technical and Organisational Measures): As described in Annex 2 of this DPA.
      • Annex III (List of Sub-processors): The list of sub-processors is available at https://kenneth.chat/legal/subprocessors.
    • Table 4 (Ending this Addendum): Either the Importer or the Exporter may end the UK Addendum in accordance with its terms.
  • (b) Part 2: Mandatory Clauses: The mandatory clauses of the UK Addendum apply without modification.

2. EU/EEA International Data Transfers

2.1 For any transfer of Personal Data subject to the EU GDPR from the European Economic Area (EEA) to a country not covered by an adequacy decision, the parties agree that the EU Standard Contractual Clauses (SCCs), as defined in Table 2 above, shall apply.

2.2 The EU SCCs are deemed completed as follows:

  • Module Two (Controller to Processor) applies.
  • Clause 7 (Docking Clause): Does not apply.
  • Clause 9 (Use of sub-processors): Option 2 (General written authorisation) applies. The time period for prior notice of sub-processor changes is set out in Section 6.2 of this DPA.
  • Clause 11 (Redress): The optional language does not apply.
  • Clause 17 (Governing Law): Option 1 applies. The SCCs will be governed by the laws of England and Wales.
  • Clause 18 (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of England and Wales.
  • The Annexes of the SCCs are populated with the information contained in the Annexes of this DPA, as described in Section 1.2(a) of this Annex 3.