Data Processing Agreement
Last updated: April 10, 2026
Between:
GrowthX Group LLC, operating as Kontractually ("Processor"), a limited liability company incorporated under the laws of Wyoming, USA, with its principal place of business in the United States, operating the Kontractually platform at https://www.kontractually.com
And:
The subscribing business entity identified in the account registration ("Controller")
Effective Date: The date on which the Controller accepts this Agreement during account registration or plan upgrade.
Version: 2026-04-10
1. Background and Purpose
1.1 The Controller wishes to use the Kontractually platform, an AI-powered contract review and analysis service operated by the Processor.
1.2 In providing the Service, the Processor will process personal data on behalf of the Controller. The parties wish to record the terms on which such processing will take place, in accordance with Article 28 of the UK GDPR, EU GDPR 2016/679, the Australian Privacy Act 1988 (Cth), PIPEDA (Canada), and other applicable data protection legislation.
1.3 This Agreement supplements and forms part of the Kontractually Terms of Service. In the event of any conflict between this Agreement and the Terms of Service on matters relating to data protection, this Agreement takes precedence.
2. Definitions
"Applicable Data Protection Law" means, as applicable to a given processing activity:
- EU GDPR 2016/679 and any national implementing legislation;
- UK GDPR (as defined in the UK Data Protection Act 2018);
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation including Quebec Law 25 (Law 25);
- The California Consumer Privacy Act (CCPA) as amended by CPRA; and
- Any other data protection or privacy law applicable to the processing under this Agreement.
"Controller" means the entity that determines the purposes and means of the processing of Personal Data (i.e., the Kontractually subscriber).
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this Agreement.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Processing" has the meaning given to it under Applicable Data Protection Law and includes any operation performed on Personal Data.
"Processor" means GrowthX Group LLC (operating as Kontractually), which processes Personal Data on behalf of the Controller.
"Service" means the Kontractually AI-powered contract review platform made available to the Controller under the Terms of Service.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on the Processor's behalf in connection with the Service.
3. Subject Matter, Duration, Nature, and Purpose of Processing
3.1 Subject Matter: The Processor shall process Personal Data solely to provide the Service as described in the Terms of Service and as further instructed by the Controller in writing.
3.2 Duration: The Processor shall process Personal Data for the duration of the Controller's active subscription and shall cease processing (except as required by law) promptly upon termination or expiry of the subscription.
3.3 Nature of Processing: The Processor will receive, store, transmit to AI sub-processors, analyse, and return to the Controller the contents of documents uploaded by the Controller. Processing is performed on instruction from the Controller via the Service interface.
3.4 Purpose of Processing: To provide AI-powered contract review and analysis, playbook matching, risk identification, and redline suggestion services, strictly as directed by the Controller. The Processor does not use Personal Data for any other purpose, including AI model training, profiling, or marketing.
4. Categories of Personal Data and Data Subjects
4.1 Types of Personal Data processed:
- Names and contact details of individuals mentioned in or party to uploaded contract documents
- Job titles, signatures, and professional identifiers appearing in contracts
- Employment terms and conditions (in employment contract uploads)
- Financial information appearing in commercial agreements
- Email addresses and account credentials of the Controller's platform users
- Usage metadata (access logs, session data, timestamps)
4.2 Categories of Data Subjects:
- Employees, contractors, and workers named in employment or contractor agreements
- Counterparties to commercial contracts
- Officers, directors, and signatories named in uploaded documents
- The Controller's authorised platform users (account holders)
5. Obligations of the Controller
5.1 The Controller warrants and represents that:
(a) It has a valid lawful basis under Applicable Data Protection Law for transferring Personal Data to the Processor and for instructing the Processor to process it on its behalf;
(b) It has provided all required notices to, and obtained all required consents from, Data Subjects whose Personal Data will be submitted to the Service;
(c) All instructions given to the Processor comply with Applicable Data Protection Law;
(d) It is responsible for the accuracy and lawfulness of Personal Data it uploads to the Service.
5.2 The Controller shall notify the Processor promptly if it becomes aware of any instruction that would require the Processor to act in breach of Applicable Data Protection Law.
6. Obligations of the Processor
The Processor shall:
(a) Process only on documented instructions. Process Personal Data only on the Controller's documented instructions as set out in this Agreement and the Terms of Service, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law).
(b) Ensure confidentiality. Ensure that persons authorised to process Personal Data are under appropriate obligations of confidentiality.
(c) Implement security measures. Implement and maintain appropriate technical and organisational security measures as described in Section 9 of this Agreement.
(d) Sub-processor obligations. Only engage Sub-processors in accordance with Section 8 of this Agreement.
(e) Assist with Data Subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
(f) Assist with compliance obligations. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, Data Protection Impact Assessments, and prior consultation, taking into account the nature of processing and information available to the Processor.
(g) Return or delete data. At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies, unless applicable law requires storage. Standard deletion occurs as set out in Section 10.
(h) Provide audit cooperation. Make available to the Controller all information necessary to demonstrate compliance with obligations in this Agreement and allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to Section 11.
7. International Data Transfers
7.1 The Kontractually platform and its Sub-processors are based primarily in the United States. Processing Personal Data from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions therefore involves an international transfer.
7.2 Transfer mechanism for EEA and UK data: Such transfers are made pursuant to the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Implementing Decision (EU) 2021/914 ("SCCs"), which are hereby incorporated by reference and form part of this Agreement. The Processor agrees to comply with the obligations of the "data importer" as set out in the applicable SCCs. For UK transfers, the International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs applies.
7.3 Australia and Canada: Data from Australian or Canadian Controllers processed on US-based infrastructure is subject to the obligations of this Agreement as a whole. The Processor implements equivalent contractual safeguards with Sub-processors handling such data.
7.4 Sub-processor transfers: The Processor ensures that any onward transfer to Sub-processors is subject to equivalent transfer mechanisms or that the Sub-processor is located in a country with an adequacy decision.
8. Sub-processors
8.1 The Controller grants general written authorisation for the Processor to engage the following approved Sub-processors:
| Sub-processor | Role | Location |
|---|---|---|
| Straico Inc. | AI processing gateway | United States |
| Anthropic PBC | AI model provider (via Straico) | United States |
| Neon Inc. | Database hosting | United States |
| Railway Corp. | Backend server hosting | United States |
| Supabase Inc. | File storage | United States |
| Vercel Inc. | Frontend hosting and CDN | United States / Global |
| Resend Inc. | Transactional email delivery | United States |
| Stripe Inc. | Payment processing | United States |
8.2 The Processor shall maintain an up-to-date list of Sub-processors at https://www.kontractually.com/dpa (or such other URL as notified to the Controller).
8.3 The Processor shall notify the Controller of any intended changes to Sub-processors (additions or replacements) by email or in-product notice at least 14 days before the change takes effect. The Controller may object to any new Sub-processor appointment within that period. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service on written notice without penalty.
8.4 The Processor shall impose data protection obligations on each Sub-processor at least equivalent to those in this Agreement and shall remain liable to the Controller for any failure by a Sub-processor to fulfil its obligations.
9. Security Measures
The Processor implements and maintains the following technical and organisational security measures:
Technical measures:
- Encryption of data in transit using TLS 1.2 or higher (HTTPS enforced)
- Encryption of data at rest using AES-256 or equivalent
- Access controls: role-based access with principle of least privilege
- Multi-factor authentication for privileged access
- Regular automated backups with tested restoration procedures
- Vulnerability monitoring and dependency scanning
Organisational measures:
- Confidentiality obligations for all personnel with access to Personal Data
- Access limited to personnel who require it to perform the Service
- Incident response procedures with defined escalation paths
- Sub-processor contracts incorporating equivalent security obligations
Infrastructure:
- Platform infrastructure hosted on SOC 2 Type II certified providers (Neon, Vercel, Supabase, Railway)
- Regular security reviews
10. Retention and Deletion
10.1 During the subscription: Personal Data is retained for the duration of the Controller's active subscription to enable the Service.
10.2 On account closure or termination: Contract files, uploaded documents, and extracted analysis data are hard deleted from the Processor's production systems immediately upon account closure or the Controller's written deletion request.
10.3 Backup purge: Backup copies are purged within 30 days of a deletion request.
10.4 Security and audit logs: Server security and access logs are retained for 90 days from creation and are then automatically deleted, unless retention is required by applicable law.
10.5 Legal hold: If the Processor is required by applicable law to retain Personal Data beyond the periods above, it will notify the Controller and restrict processing of that data to the minimum necessary to comply with the legal obligation.
11. Audit Rights
11.1 The Processor shall, upon the Controller's written request with at least 30 days' notice, provide all information reasonably necessary to demonstrate compliance with this Agreement.
11.2 The Processor shall permit the Controller, or a third-party auditor appointed by the Controller and subject to reasonable confidentiality obligations, to conduct audits or inspections of relevant processing activities and records no more than once per calendar year, unless a Personal Data Breach has occurred.
11.3 The costs of any audit shall be borne by the Controller unless the audit reveals a material breach of this Agreement, in which case the Processor shall bear reasonable audit costs.
11.4 The Processor may satisfy audit obligations through current third-party certifications (e.g., SOC 2 reports from Sub-processors) provided such documents adequately address the Controller's audit scope.
12. Personal Data Breach Notification
12.1 The Processor shall notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a Personal Data Breach that affects the Controller's data.
12.2 Breach notifications shall include, to the extent known at the time:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) The name and contact details of the Data Protection contact point;
(c) A description of the likely consequences of the breach;
(d) A description of the measures taken or proposed to be taken to address the breach.
12.3 Notifications shall be sent to the email address associated with the Controller's account. The Controller is responsible for ensuring this email address is current.
13. Data Subject Rights Assistance
13.1 The Processor shall, where technically feasible, assist the Controller in responding to Data Subject requests. This includes:
- Providing the Controller with access to locate and export Personal Data held about a specific Data Subject
- Enabling deletion of a Data Subject's Personal Data from production systems upon the Controller's verified request
- Restricting processing of Personal Data where instructed by the Controller
13.2 The Processor shall forward to the Controller any Data Subject requests received directly, without acting on them unless instructed by the Controller.
14. Data Protection Impact Assessments
Where required by Applicable Data Protection Law, the Processor shall provide the Controller with such assistance and information as is reasonably necessary to enable the Controller to carry out a Data Protection Impact Assessment (DPIA) relating to the Service.
15. Liability
15.1 The liability of each party under this Agreement is subject to the limitations set out in the Kontractually Terms of Service.
15.2 Nothing in this Agreement limits either party's liability for:
(a) Death or personal injury caused by negligence;
(b) Fraud or fraudulent misrepresentation;
(c) Any liability that cannot be excluded or limited by applicable law.
16. Term and Termination
16.1 This Agreement takes effect on the date the Controller accepts it and remains in force for the duration of the Terms of Service.
16.2 This Agreement automatically terminates upon termination or expiry of the Terms of Service.
16.3 Obligations under this Agreement that by their nature should survive termination (including deletion obligations, confidentiality, and audit cooperation) will survive for a period of 12 months following termination, or such longer period as required by applicable law.
17. Governing Law
This Agreement is governed by the laws of the State of Wyoming, United States, without regard to conflict of law principles, subject to the mandatory application of Applicable Data Protection Law. For EEA-based Controllers, the SCCs incorporated by Section 7 are governed by the law specified therein.
18. Conflict
In the event of a conflict between the terms of this Agreement and the SCCs incorporated by reference under Section 7, the terms of the SCCs shall prevail in respect of the international transfer to which they apply.
19. Contact
For data protection queries under this Agreement, contact:
Data Protection Contact
GrowthX Group LLC, operating as Kontractually
Email: privacy@kontractually.com
Website: https://www.kontractually.com
This Data Processing Agreement incorporates the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) adopted by Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum issued by the Information Commissioner's Office (version B.1.0).