Customer data

Data Processing Addendum

This addendum describes the conditions under which Kadryn may process personal data on behalf of a customer organization when providing the service.

Last updated : 2026-07-03

Service
Kadryn
Trade name
Web Novation
Legal identity of the publisher
GONFO Nicolas EI
Privacy contact
contact@kadryn.com
Governing law
France

Purpose and scope

This addendum applies where Kadryn processes personal data on behalf of a customer organization in connection with the use of the service.

It supplements the terms of service, privacy policy and, where applicable, any specific commercial terms agreed with the customer.

This document is an operational DPA template for Kadryn. It should be reviewed by legal counsel before formal contractual use with sensitive or enterprise customers.

Roles of the parties

The customer organization generally acts as controller for the data it decides to import, connect, transmit or process through Kadryn.

Kadryn acts as processor where the service processes such data on behalf of the customer, based on documented instructions and within the scope necessary to provide the service.

Description of processing

The subject matter of processing is the provision of a SaaS service for observing, governing, controlling and optimizing artificial intelligence usage.

The duration of processing corresponds to the customer’s use of the service, extended by periods necessary for export, deletion, security, evidence, billing or compliance with legal obligations.

  • Nature of operations: collection, receipt, hosting, organization, consultation, analysis, logging, aggregation, retrieval, export and deletion.
  • Purposes: service provision, AI cost measurement, alerts, governance, reporting, audit, support, security and maintenance.
  • Data subjects: authorized customer users, administrators, team members, customer contractors and individuals potentially included in metadata transmitted by the customer.
  • Categories of data: account data, professional emails, roles, technical logs, audit logs, AI usage metadata, cost information, projects, integrations, alerts and workspace settings.

Customer instructions

Kadryn processes customer data only to provide the service, perform requested features, ensure security, provide support, comply with applicable obligations or follow the customer’s documented instructions.

The customer is responsible for the lawfulness, relevance, quality and minimization of the data it transmits to Kadryn.

Sensitive data and secrets

Kadryn is not designed to intentionally receive sensitive data, unprotected secrets, exposed access keys, passwords, health data, complete payment card data or content the customer is not authorized to process.

The customer must configure integrations, projects, prompts, payloads and free-text fields to limit transmitted data to what is strictly necessary.

Confidentiality

Kadryn ensures that persons authorized to process customer data are subject to an appropriate confidentiality obligation or equivalent legal obligation.

Access to customer data is limited to persons and systems that need it to provide, maintain, secure or support the service.

Security

Kadryn implements technical and organizational measures intended to protect data against unauthorized access, loss, alteration, disclosure or accidental destruction.

These measures may include access control, logical environment separation, logging, encryption where relevant, secrets management, privilege limitation, error monitoring and incident response procedures.

Subprocessors

Kadryn may use subprocessors for hosting, databases, transactional email, billing, observability, job orchestration, storage and customer-enabled integrations.

The list of subprocessors is published on the dedicated page. Kadryn imposes data protection obligations on subprocessors appropriate to the nature of the services provided.

International transfers

Where processing involves a transfer of data outside the European Economic Area, Kadryn implements appropriate safeguards where required by applicable rules.

Such safeguards may include standard contractual clauses, contractual, technical or organizational measures, or any other mechanism recognized by applicable rules.

Customer assistance

To the extent reasonably possible, Kadryn helps the customer respond to data subject rights requests where such requests relate to data processed in the service.

Kadryn may also provide reasonable assistance regarding security, data breaches, impact assessments and compliance obligations related to the service.

Personal data breach

In the event of a personal data breach affecting customer data processed by Kadryn as processor, Kadryn informs the customer without undue delay after becoming aware of it.

The notification includes, where available, the nature of the incident, affected categories of data, likely consequences and measures taken or proposed.

Return and deletion

At the end of the contractual relationship, Kadryn deletes or returns customer data according to available features, applicable instructions and legal or evidentiary obligations.

Certain data may be temporarily retained in backups, security logs, accounting archives or records necessary for evidence, and then deleted according to applicable retention cycles.

Audit and documentation

Kadryn makes available reasonable information allowing the customer to evaluate the security and compliance measures applicable to the service.

Audits must remain reasonable, proportionate, governed by confidentiality obligations and must not compromise the security, availability or confidentiality of other customers.