Data Processing Agreement

    Last updated: 25 June 2025

    This Data Processing Agreement (“DPA”) is between:

    1. Kong (“Processor”), and
    2. Subscriber (“Controller”),

    each a “Party” and together the “Parties.”

    Background:

    • The Parties have entered into an agreement (“Agreement”) under which Kong provides services (“Services”) to Subscriber.
    • This DPA forms part of the Agreement and prevails over any conflicting terms in the Agreement with respect to data processing and protection.
    • Kong agrees that it, at the time of concluding this DPA, has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from Subscriber and its obligations under the Standard Contractual Clauses. In the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, Kong agrees to notify the change to Subscriber as soon as it is aware, in which case Subscriber is entitled to suspend the transfer of data and / or terminate the Agreement.

    1. Purpose and Scope

    • This DPA sets out the terms under which Kong, as Processor, will process personal data (“Personal Data”) on behalf of Subscriber, as Controller.
    • Personal Data is processed solely to provide the Services under the Agreement.

    2. Definitions

    • “Applicable Data Protection Laws” means all data protection laws and regulations applicable to the processing, including the GDPR and EU/EEA data protection laws.
    • Other capitalized terms used in this DPA shall have the meanings given in the Agreement or Applicable Data Protection Laws.

    3. Controller’s Instructions

    • Kong shall process Personal Data only on documented instructions from Subscriber, as set out in this DPA, the Agreement, and any lawful written instructions subsequently provided by Subscriber.
    • If Kong believes an instruction violates Applicable Data Protection Laws, it shall promptly inform Subscriber.

    4. Processor’s Obligations

    Kong shall:

    • Comply with Applicable Data Protection Laws.
    • Process Personal Data only for the agreed purposes and in accordance with Subscriber’s instructions.
    • Ensure that persons authorized to process Personal Data are subject to confidentiality.
    • Implement appropriate technical and organizational measures to protect Personal Data.
    • Assist Subscriber with data subject requests and other legal obligations where possible.
    • Notify Subscriber without undue delay if it becomes aware of a Personal Data breach.
    • At Subscriber’s choice, securely delete or return all Personal Data at the end of the Services, unless required by law to retain it.

    5. Subscriber’s Obligations

    Subscriber shall:

    • Ensure that it has all necessary rights and consents to provide Personal Data to Kong.
    • Comply with Applicable Data Protection Laws and provide clear, lawful instructions.
    • Provide Personal Data to Kong only through agreed secure methods.

    6. Confidentiality and Disclosure

    • Kong shall not disclose Personal Data to third parties without Subscriber’s prior written consent, except as required by law.
    • If compelled by law to disclose Personal Data, Kong shall (where legally permitted) inform Subscriber before disclosure and seek confidentiality to the extent possible.

    7. Sub-Processors and International Transfers

    • Kong may engage sub-processors to assist with processing, subject to written agreements ensuring the same level of data protection as this DPA. Kong is fully responsible towards the Subscriber for any sub-processor’s fulfilment of their obligations with regards to data protection in the same way and to the extent as if Kong had performed such processing.
    • Kong will inform Subscriber of any intended changes to its sub-processors. Where the Subscriber shows reasonable, documented grounds that the new sub-processor does not fulfil GDPR, it has 30 days to object to such changes.
    • If Personal Data is transferred outside the EU/EEA, Kong will ensure appropriate safeguards (e.g., Standard Contractual Clauses).

    8. Audits and Assistance

    • Subscriber may conduct one audit per year to verify Kong’s compliance with this DPA, in which case any costs relating to such audit will be borne by the Subscriber (including external auditor costs).
    • Kong shall cooperate with Subscriber to provide relevant information and assistance.

    9. Data Subject Rights

    • Kong shall assist Subscriber in responding to data subjects’ rights requests.
    • If Kong receives such a request directly, it will promptly forward it to Subscriber.

    10. Personal Data Breach Notification

    • Kong shall inform Subscriber without undue delay (no later than 24 hours after becoming aware) of any ongoing and/or suspected Personal Data breach and shall take all reasonable steps to resolve the breach without undue delay.

    11. Term and Termination

    • This DPA applies as long as Kong processes Personal Data under the Agreement.
    • Upon termination of the Services, Kong shall, at Subscriber’s choice, delete or return all Personal Data unless legally required to retain it. Upon termination of the Services, Kong shall also ensure that any sub-processors of Kong delete or return all Personal Data (at the choice of the Subscriber), unless such sub-processor is legally required to retain it.

    12. Other

    • Any changes and/or additions to the DPA shall be in writing and signed by both parties to be valid.
    • Each party shall indemnify and hold the other party harmless against any and all costs, expenses, damages or sanctions incurred as a result of such party’s breach of the DPA or Applicable Data Protection Laws, subject to the Limitation of Liability and Indemnification terms applicable between the parties set out in the Agreement.

    13. Governing Law and Dispute Resolution

    • This DPA is governed by Swedish law.
    • Disputes shall be resolved as set forth in the Agreement.

    Appendix A – Specification of Data Processing

    Purposes: Providing and managing the Services

    Data Subjects: Subscriber’s employees, contractors, end-users, or similar authorized individuals.

    Categories of Data:

    • User data (e.g., name, email)
    • Content (e.g., text, audio, video, chat)
    • Performance metrics (e.g., progress)
    • Device data (e.g., IP address)
    • Activity data (e.g., event logs)
    • Support data (e.g., troubleshooting tickets)

    Processing Operations: Collection, storage, retrieval, analysis, and deletion as required to provide the Services.

    Appendix B – Pre-Approved Sub-Processors

    For each sub-processor that we use, we apply the principles of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfill its purpose.

    | Sub-processor | Purpose | Categories | Location | Legal Entity |
    |---|---|---|---|---|
    | Vercel | Hosting infrastructure | Content, Device, Activity | EEA/EU | Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA |
    | Neon | Database | Content, User | EEA/EU | Neon Inc. Orange Street 209 Wilmington, DE 19801, USA |
    | Google | Video transcoding, File storage, Queues, Auth, AI processing | Content, User, Device, Activity | EEA/EU | Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland |
    | Recall | Video recording and transcription | User, Content | EEA/EU | Hyperdoc Inc., 2261 Market Street #4339, San Francisco, CA 94114, USA |
    | Resend | Emails | User | EEA/EU | Resend, 108 W 13th St, Wilmington, DE 19801, USA |
    | Microsoft Azure | Authentication | User | EEA/EU | Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland |
    | OpenAI | AI processing | Content | EEA/EU, USA | OpenAI Ireland Ltd., 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland |
    | Intercom | Support | User, Support | USA | Intercom R&D Unlimited Co., Stephen Court, 18-21 St., Dublin 2, Ireland |
    | Sentry.io | Logs, Error tracking | Performance, Activity, Device | EEA/EU | Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105 |
    | Gladia | Transcription | User, Content | EEA/EU | GLADIA SAS, 38 rue de la Tremblaie. 35510 Cesson-Sévigné (France) |
    | Stripe | Payments | User | EEA/EU | Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland |
    | xAI | AI processing | Content | USA | xAI LLC., 1450 Page Mill Rd., Palo Alto, CA 94304, USA |
    | LangChain | AI evaluation & monitoring | Content | EEA/EU | LangChain Inc. |
    | Slack | Messaging | User | USA | Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland |
    | Deepgram | Transcription | User | EU | Deepgram, Inc., 548 Market St, Suite 25104, San Francisco, CA 94104-5401, USA |