Skip to main content
Last Modified: August 19, 2025 This Data Processing Addendum (“DPA”) forms part of and is subject to the agreement, whether written or electronic, between the Customer and Kernel Technologies, Inc. (“Kernel”) for the Services (as defined in Section 1 below) (collectively, the “Agreement”). For the purposes of this DPA, “Customer” means the entity or individual registered on onkernel.com to use the services provided by Kernel. This DPA describes the commitments of Kernel and the Customer (each a “party” and together, the “parties”) concerning the processing of Personal Data in connection with the provision of one or more Kernel offerings contemplated by the applicable Agreement.

1. Definitions

1.1 “Applicable Data Protection Laws” means European Data Protection Laws and the California Privacy Act of 2018, as amended by the California Privacy Rights Act (California Civil Code §§ 1798.100 et seq (“CCPA”) as the same may be amended, superseded or replaced. 1.2 “Customer Personal Data” means any Personal Data processed by Kernel on behalf of Customer as a service provider or processor (as applicable) in connection with any Kernel software-as-a-service offering, as more particularly described in Section 3.5 of this DPA. 1.3 “EEA” means any countries that are parties to the European Economic Area and Switzerland. 1.4 “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the UK GDPR, and (vi) any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy, in each case as the same may be amended, superseded or replaced. 1.5 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en 1.6 “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws. 1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data. 1.8 “Services” means any Kernel software-as-a-service offering made available by Kernel to Customer under an Agreement, and any other services provided by Kernel to Customer under such Agreement, including but not limited to support and technical service. 1.9 “Sub-Processor” means any processor engaged by Kernel or its Affiliates to process Customer Data. Sub-processors may include third parties or Kernel Affiliates. 1.10 “UK GDPR” means the GDPR, as implemented by Section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 and supplemented by the Data Protection Act of 2018. 1.11 The terms “controller”, GDPR, and “process”, “business”, “service provider”, “processor” and “processing” shall have the meanings given to them in the “processes” and “processed” shall be interpreted accordingly; and the terms “sell” and “share” shall have the meanings given to them in the CCPA.

2. Scope and Applicability of this DPA

This DPA applies where and only to the extent that Kernel processes Customer Personal Data on behalf of Customer as a processor in the course of providing the Services.

3. Roles and Scope of Processing

3.1 Role of the Parties. As between Kernel and Customer, Kernel shall process Customer Personal Data only as a processor (or sub-processor) acting on behalf Customer and, with respect to CCPA, as a service provider, in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Customer Personal Data. For purposes of European Data Protection Laws, the parties acknowledge and agree that Customer is the Controller and Kernel is the Processor of Customer Personal Data processed under this DPA. 3.2 Scope of Processing. Kernel certifies that it will not (i) “sell” or “share” Customer Personal Data; (ii) retain, use or disclose Customer Personal Data outside of the direct business relationship between Customer and Kernel or for any purpose other than as permitted under the Agreement (including this DPA) or for purposes otherwise agreed in writing or permitted by the CCPA; or (iii) combine Customer Personal Data with Personal Data that Kernel collects or receives from another person. Kernel and Customer acknowledge and agree that the disclosure of Customer Personal Data by Customer to Kernel does not constitute a “sale. ” Customer agrees that Kernel may de-identify or aggregate Customer Personal Data in the course of providing the Service to Customer. 3.3 Customer Instructions. Kernel shall process Customer Personal Data only for the purposes described in the Agreement and in accordance with Customer’s documented lawful instructions and Applicable Data Protection Laws. The parties agree that the Agreement and applicable Order Form (including this DPA) sets out the Customer’s complete and final instructions to Kernel in relation to the processing of Customer Personal Data. Without prejudice to Section 3.4 (Customer Responsibilities), Kernel shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Customer violates Applicable Data Protection Laws or if Kernel determines that it can no longer meet its obligations under Applicable Data Protection Laws. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Kernel’s unauthorized use of Customer Personal Data. 3.4 Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the Services. Customer shall (i) have provided, and will continue to provide all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Kernel to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; (iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and the transfer of such Customer Personal Data to Kernel and its Sub-processors; and (iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with any third-party controllers for whom Customer acts as a processor (and Kernel a sub-processor). 3.5 Details of Processing. Details of processing by Kernel are set forth below: 3.5.1 Subject Matter of Processing. Customer Personal Data that Customer elects to transfer to Kernel to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. 3.5.2 Frequency and Duration of Processing. For duration of the Services or for so long as Customer grants Kernel access to process the Customer Personal Data, as applicable. Notwithstanding expiration or termination of the applicable Order Form or the Agreement, Kernel shall continue to process Customer Personal Data until such Customer Personal Data is deleted or Customer removes Kernel’s access to process such Customer Personal Data. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Kernel within thirty (30) upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement. 3.5.3 Nature of Processing. Customer Personal Data that Customer elects to transfer to Kernel to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. 3.5.4 Purpose of Processing. The operation, support, use or provisioning of the Services as set out in the Agreement and compliance with applicable laws. 3.5.5 Categories of Data Subjects. Categories of data subjects is as determined by Customer. Includes natural persons whose Personal Data Customer elects to transfer to Kernel for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or (iii) employees, agents, advisors, freelancers of Customer (who are natural persons). 3.5.6 Type of Personal Data: Type of Personal Data is as determined by Customer subject to such restrictions as may be set forth in the Agreement. Includes Personal Data types that are included in data that Customer transfers to Kernel for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) name, address, title, contact details; (ii) credit card details, account details, payment information, (iii) employer, job title, geographic location, area of responsibility; and/or (iv) IP addresses, usage data, cookie data, location data.

4. Sub-Processing

4.1 Authorized Sub-Processors. Customer provides Kernel with a general authorization to engage Sub-Processors. The Sub-Processors currently engaged by Kernel and authorized by Customer are available for external Sub-Processors as set forth at: https://trust.delve.co/kernel 4.2 Sub-Processor Obligations. Kernel shall: (i) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Personal Data than that those required by this DPA, to the extent applicable to the nature of the service provided by the Sub-Processor; and (ii) remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Kernel to breach any of its obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Kernel shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-Processor agreements where required to satisfy Customer’s obligations under Data Protection Laws. 4.3 Changes to Sub-Processors. Kernel shall notify Customer if it changes its Sub-Processors in advance to any such changes for the applicable Services. Kernel’s notification shall be via the mechanisms set forth in the weblinks provided in Section 4.1. Customer may object in writing to Kernel’s appointment of a new Sub-Processor by notifying Kernel promptly in writing within fifteen (15) calendar days of notice of the change. Customer’s notification shall explain the reasonable grounds relating to data protection for the objection. The parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties are not able to reach resolution, Kernel will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer (as Customer’s sole and exclusive remedy) to suspend or terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

5. Security and Audits

5.1 Kernel Security Standards. Kernel shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Customer Personal Data from Personal Data Breach and to preserve the security and confidentiality of the Customer Personal Data, in each case in accordance with the Kernel’s then-current security standards as set forth at https://docs.onkernel.com/security (the “Kernel Security Addendum”). Kernel shall ensure that any person who is authorized by Kernel to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) 5.2 Customer Security Responsibilities. Customer shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Personal Data from a Personal Data Breach and to preserve the security and confidentiality of Customer Personal Data while in its dominion and control including, without limitation, those measures of the Service that can be selected or configured by Customer. Kernel shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify whether any data transferred to Kernel for processing is subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by Kernel relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. 5.3 Audit. Kernel shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA as set forth in this Section 5.3. The exercise of any audit rights under the SCCs shall be as described in this Section 5 and Customer agrees that these rights are carried out on behalf of Customer and any third-party controller for whom Customer is acting as a processor, in each case, subject to the confidentiality restrictions in the Agreement. 5.3.1 Third-Party Certifications and Audits. Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Kernel shall make available to Customer or Customer’s Third-Party Auditor (as defined in Section 5.3.2) information regarding Kernel’s compliance with the obligations set forth in this DPA in the form of a copy of Kernel’s then most recent third-party audits or certifications, if any, (“Kernel Audit Reports”) set forth in the Kernel Security Addendum. Such third-party audits or certifications may also be disclosed to Customer’s competent supervisory authority on its request. Upon request, Kernel shall also provide Customer with a report and/or confirmation of a report of any third-party auditors’ audits of external Sub-Processors that have been made available by those external Sub-Processors to Kernel, but solely to the extent that the external Sub-processor allows Kernel to disclose such reports or evidence to Customer (“External Sub-processor Audit Reports”). Customer acknowledges that (i) Kernel Audit Reports shall be the Confidential Information of Kernel; (ii) External Sub-processor Audit Reports shall be the Confidential Information of Kernel as well as the confidential information of the external Sub-processor and (iii) certain external Sub-processors may require Customer to execute a non-disclosure agreement with them in order to view an external Sub- processor Audit Report. 5.3.2 Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of Kernel. An On-Site Audit can be conducted through a Third-Party Auditor if: (i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Kernel’s and its customers’ proprietary and confidential information; and (ii) Customer bears the costs and expenses of the Third-Party Auditor. 5.4 Data Protection Impact Assessment. Upon Customer’s request, Kernel shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available.

6. Hosting and Processing Locations

For Kernel’s cloud services, Kernel will only host Customer Personal Data in the specified region(s) disclosed to Customer. Kernel will not Process Customer Personal Data from outside the disclosed hosting region(s) except as reasonably necessary to provide the Services or as necessary to comply with the law or binding order of a governmental body. As between Customer and Kernel, Customer is solely responsible for any access granted to Kernel to Customer Personal Data hosted by Customer. 6.1 Schrems II and Standard Contractual Clauses. Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to Kernel in the United States, the parties agree that such transfers shall be governed by the EU Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference. (a) The parties agree that Module Two (Controller-to-Processor) shall apply where Customer is a Controller and Kernel is a Processor, and Module Three (Processor-to-Processor) shall apply where Customer is a Processor and Kernel is a Sub-Processor. (b) For purposes of the SCCs: (i) the data exporter is Customer and the data importer is Kernel; (ii) the parties elect Option 2 of Clause 9 (general authorization of subprocessors), and the time period for notice of changes shall be as set forth in Section 4.3 of this DPA; (iii) the optional docking clause in Clause 7 shall apply; (iv) for Clause 17, the parties select the law of Ireland; and (v) for Clause 18, the courts of Ireland shall have jurisdiction. (c) Kernel shall implement and maintain supplementary measures to ensure a level of protection essentially equivalent to that under European Data Protection Laws, including encryption in transit and at rest, strict access controls, policies for handling government access requests, and transparency commitments, in accordance with Schrems II. (d) For transfers from the UK, the parties agree that the International Data Transfer Addendum (issued by the UK Information Commissioner’s Office) shall apply, incorporating the SCCs as modified by that Addendum. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

7. Personal Data Breach Management and Notification

If Kernel becomes aware of a Personal Data Breach, Kernel shall notify Customer without undue delay and in any event within twenty-four (24) hours: (i) the discovery of the Personal Data Breach, which shall include a summary of the known circumstances of the Personal Data Breach and the corrective action taken or to be taken by Kernel; (ii) conduct an investigation of the circumstances of the Personal Data Breach; (iii) use commercially reasonable efforts to mitigate the effects of the Personal Data Breach; and (iv) use commercially reasonable efforts to communicate and cooperate with Customer concerning its responses to the Personal Data Breach. Customer acknowledges that Kernel personnel do not have visibility into data ingested by Customer into the Service. Accordingly, it would be unlikely that the notice provided by Kernel would include information concerning the categories and approximate number of data subjects concerned and/or the categories and approximate number of personal data records concerned. Kernel’s notification of a Personal Data Breach and its communication and cooperation with Customer concerning an Personal Data Breach shall not be construed as an acknowledgment of fault or liability by Kernel.

8. Rights of Individuals and Cooperation

8.1 Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Service, Kernel shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. If any such request is made to Kernel directly, Kernel shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Kernel is required to respond to such a request, Kernel shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. 8.2 Data Impact Assessments. To the extent Kernel is required under applicable European Data Protection Law, Kernel shall provide reasonably requested information regarding Kernel’s processing of Customer Personal Data under the Agreement to assist the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law. 8.3 Third Party Demands. If Kernel receives a demand from a third party (including, without limitation, any governmental, regulatory or supervisory authority) to retain, disclose or transfer Customer Personal Data, Kernel shall use commercially reasonable efforts to direct the demanding party to Customer and Customer authorizes Kernel to disclose such information to such third party as may be reasonably necessary to direct the third party to Customer. Where Kernel is unable to direct the demanding party to Customer, Kernel shall, to the extent legally permitted, provide Customer notice of the demand and cooperate with Customer, at the Customer’s cost and expense, in seeking a protective order, or confidential treatment, or taking other measures to oppose or limit such demand.

9. Relationship to the Agreement; Limitation of Liability

9.1 Relationship to the Agreement. Except for the changes made by this DPA as applicable to the Service, the Agreement remains unchanged and in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws. 9.2 Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the SCCs (including any SCCs between Authorized Affiliates and Kernel), whether in contract, tort or under any other theory of liability is subject to the liability restrictions set forth in the Agreement, including the damages disclaimer and any aggregate limitation of liability.