Data Processing Agreement

Auftragsverarbeitungsvertrag (AVV)

Last updated: March 2026 · Zuletzt aktualisiert: März 2026

Preamble / Präambel

This Data Processing Agreement ("DPA") is entered into between the customer using the KILN platform ("Controller") and Hephaistos Systems, represented by André Bäcker, Gießen, Germany ("Processor"), in accordance with Art. 28 of the General Data Protection Regulation (GDPR / DSGVO).

Dieser Auftragsverarbeitungsvertrag ("AVV") wird geschlossen zwischen dem Kunden der KILN-Plattform ("Verantwortlicher") und Hephaistos Systems, vertreten durch André Bäcker, Gießen, Deutschland ("Auftragsverarbeiter"), gemäß Art. 28 der Datenschutz-Grundverordnung (DSGVO).

1. Subject Matter and Duration / Gegenstand und Dauer

Subject: The Processor processes personal data on behalf of the Controller in connection with the provision of the KILN AI Creation Platform. This includes hosting AI agents, processing chat conversations, storing knowledge base content, managing leads and analytics, and handling email and webhook communications.

Gegenstand: Der Auftragsverarbeiter verarbeitet personenbezogene Daten im Auftrag des Verantwortlichen im Rahmen der Bereitstellung der KILN AI Creation Platform. Dies umfasst das Hosting von AI Agents, die Verarbeitung von Chat-Konversationen, die Speicherung von Knowledge-Base-Inhalten, die Verwaltung von Leads und Analytics sowie die Abwicklung von E-Mail- und Webhook-Kommunikation.

Duration: This DPA is effective for the duration of the Controller's use of the KILN platform and terminates upon deletion of the Controller's account and completion of all data deletion obligations.

Dauer: Dieser AVV gilt für die Dauer der Nutzung der KILN-Plattform durch den Verantwortlichen und endet mit der Löschung des Kontos und Erfüllung aller Datenlöschungspflichten.

2. Nature and Purpose of Processing / Art und Zweck der Verarbeitung

The Processor processes personal data for the following purposes:

  • Processing and storing chat conversations between end-users and the Controller's AI agents
  • Storing and indexing knowledge base content (documents, URLs, FAQs) for retrieval-augmented generation (RAG)
  • Collecting and managing lead data (names, emails, scores) generated through agent interactions
  • Generating analytics and usage metrics for the Controller's dashboard
  • Sending transactional emails on behalf of the Controller's agents
  • Processing webhook events from connected third-party services (GitHub, Telegram, etc.)
  • Authenticating and managing user accounts
  • Processing payments and managing subscriptions

3. Types of Personal Data / Art der personenbezogenen Daten

The following categories of personal data may be processed:

  • Identification data — names, email addresses, usernames
  • Communication data — chat messages, conversation history, email content
  • Technical data — IP addresses, browser user agent strings, session identifiers
  • Usage data — interaction timestamps, conversation metadata, lead scores, sentiment analysis
  • Payment data — billing details (processed and stored exclusively by Stripe)
  • Content data — knowledge base uploads, documents, and any personal data contained therein

4. Categories of Data Subjects / Kategorien betroffener Personen

  • Website visitors — individuals who interact with the Controller's AI agents via web chat, embedded widgets, or public agent pages
  • Leads — individuals whose contact information is collected through agent interactions (e.g., email capture, appointment booking)
  • Customers of the Controller — existing customers who use the Controller's AI agents for support, information, or transactions
  • Team members — employees or collaborators of the Controller who access internal agents

5. Obligations of the Processor / Pflichten des Auftragsverarbeiters

  • Instruction-bound processing: The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law.
  • Confidentiality: All persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: The Processor implements appropriate technical and organizational measures as described in Section 7.
  • Sub-processor management: The Processor shall not engage another processor without prior specific or general written authorization of the Controller. A list of approved sub-processors is provided in Section 6.
  • Data subject rights: The Processor assists the Controller in fulfilling obligations to respond to requests for exercising data subject rights (access, rectification, erasure, portability).
  • Breach notification: The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
  • Data Protection Impact Assessment: The Processor assists the Controller with DPIAs and prior consultations with supervisory authorities where required.

6. Sub-processors / Unterauftragsverarbeiter

The Controller grants general authorization for the use of the following sub-processors. The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI model provider (Claude) — processes chat messages for generating agent responses | USA |
| OpenAI | Alternative AI model provider — processes chat messages when selected by Controller | USA |
| Supabase | Database hosting (PostgreSQL), vector embeddings (pgvector), file storage | EU (Frankfurt) |
| Clerk | User authentication, session management, social login | USA |
| Stripe | Payment processing, subscription management, billing | USA / EU |
| Vercel | Application hosting, serverless function execution, edge network | Global (Edge) |
| Resend | Transactional email delivery on behalf of agents | USA |

For US-based sub-processors, data transfers are governed by the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as applicable.

7. Technical and Organizational Measures / Technische und organisatorische Maßnahmen

The Processor implements the following measures to ensure an appropriate level of security (Art. 32 GDPR):

Encryption:

  • Encryption at rest: AES-256 for all database storage (Supabase managed encryption)
  • Encryption in transit: TLS 1.3 for all data transmission between clients, servers, and sub-processors
  • API keys and sensitive credentials are encrypted before storage using application-level encryption

Access Control:

  • User authentication managed via Clerk with support for multi-factor authentication (MFA)
  • Role-based access control: data isolation per user account, agents are scoped to their owner
  • API access controlled via per-user API keys with revocation capability
  • Internal agent access restricted to authorized team members with configurable roles (Admin, Editor, Viewer)

Infrastructure Security:

  • Application hosted on Vercel with automatic security patches and DDoS protection
  • Database hosted on Supabase with automated backups, point-in-time recovery, and network isolation
  • All secrets and environment variables stored securely, never committed to version control

Monitoring and Incident Response:

  • Application error monitoring and logging
  • Rate limiting on all public API endpoints to prevent abuse
  • Webhook signature verification for inbound integrations

8. Data Deletion and Return / Löschung und Rückgabe

Account deletion: Upon deletion of the Controller's account, all personal data processed on behalf of the Controller — including agent configurations, conversations, leads, knowledge base content, and analytics — will be permanently deleted within 30 calendar days.

Data export: The Controller may export agent configurations as JSON files at any time via the platform's Export Config feature. Conversation logs and lead data can be accessed via the KILN API.

Kontolöschung: Nach Löschung des Kontos des Verantwortlichen werden alle in seinem Auftrag verarbeiteten personenbezogenen Daten — einschließlich Agent-Konfigurationen, Konversationen, Leads, Knowledge-Base-Inhalte und Analytics — innerhalb von 30 Kalendertagen endgültig gelöscht.

Backup retention: Automated database backups that may contain Controller data are retained for a maximum of 7 days and are then automatically purged.

9. Audit Rights / Audit-Rechte

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

Audits shall be conducted with reasonable prior notice (at least 14 calendar days) and during normal business hours. The Controller may engage a qualified, independent third-party auditor bound by confidentiality obligations.

Der Verantwortliche hat das Recht, Audits durchzuführen, um die Einhaltung dieses AVV durch den Auftragsverarbeiter zu überprüfen. Der Auftragsverarbeiter stellt dem Verantwortlichen alle erforderlichen Informationen zur Verfügung, um die Einhaltung der in Art. 28 DSGVO festgelegten Pflichten nachzuweisen.

10. Liability / Haftung

The liability of the parties is governed by the applicable provisions of the GDPR, in particular Art. 82 GDPR. Each party is liable for the damage caused by processing that infringes the GDPR in accordance with Art. 82(2) and (3) GDPR.

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.

Die Haftung der Parteien richtet sich nach den anwendbaren Bestimmungen der DSGVO, insbesondere Art. 82 DSGVO. Jede Partei haftet für den Schaden, der durch eine Verarbeitung verursacht wird, die gegen die DSGVO verstößt, gemäß Art. 82 Abs. 2 und 3 DSGVO.

Contact / Kontakt

Processor / Auftragsverarbeiter:
Hephaistos Systems
André Bäcker
Gießen, Germany
E-Mail: info@hephaistos-systems.de