Data Processing Agreement

Controller: The entity that determines the purposes and means of processing Personal Data.

Processor: The entity that processes Personal Data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person processed by Kozo Pulse on behalf of Customer, including contact information, professional information, and usage data tied to identifiable individuals.

Data Protection Laws: All applicable data protection laws including GDPR, UK GDPR, CCPA/CPRA, and similar legislation.

Sub-processor: Any Processor engaged by Kozo Pulse to process Personal Data on behalf of Customer.

Standard Contractual Clauses (SCCs): Standard contractual clauses approved by the European Commission (Decision 2021/914) or UK ICO.

Customer is the Controller that determines the purposes and means of processing Personal Data.

Kozo Pulse is the Processor that processes Personal Data on behalf of Customer in accordance with Customer's documented instructions.

Details of processing are set forth in Annex 1 below.

Kozo Pulse will process Personal Data only in accordance with Customer's documented instructions, as necessary to provide the Services, and as required by applicable law.

If Kozo Pulse believes an instruction violates Data Protection Laws, Kozo Pulse will inform Customer and may suspend performance until the instruction is confirmed or modified.

Customer warrants that its instructions comply with all applicable Data Protection Laws and that necessary consents have been obtained.

Kozo Pulse has implemented appropriate technical and organizational measures to protect Personal Data (detailed in Annex 2), including:

Technical Measures

• Encryption in transit (TLS 1.2+) and at rest
• Access controls and authentication
• Network security and firewalls
• Regular security assessments and penetration testing
• Automated vulnerability scanning
• Secure backup and disaster recovery

Organizational Measures

• Security policies and procedures
• Employee training and background checks
• Confidentiality agreements
• Incident response procedures
• Regular security audits

Customer is responsible for using strong authentication, properly configuring security settings, protecting Login Credentials, and securing their own systems.

Customer authorizes Kozo Pulse to engage Sub-processors. Current Sub-processors are listed below:

Kozo Pulse will provide 30 days' advance notice of new Sub-processors and allow Customer to object on reasonable data protection grounds.

Personal Data is primarily processed in the EU (Google Cloud Platform - europe-west2 region, London).

For transfers from the EEA or UK to countries without adequate protection, Kozo Pulse relies on Standard Contractual Clauses and implements supplementary measures.

Kozo Pulse will notify Customer without undue delay (and within 72 hours where feasible) after becoming aware of any Personal Data breach affecting Customer Data.

Notification will include:

• The nature of the breach
• Affected categories and approximate numbers of Data Subjects
• Contact point for information
• Likely consequences
• Measures taken or proposed

Customer is responsible for notifying supervisory authorities and Data Subjects as required by Data Protection Laws.

Kozo Pulse will, to the extent legally permitted, promptly notify Customer if it receives a Data Subject request relating to Customer's Personal Data.

Kozo Pulse will provide reasonable assistance to enable Customer to respond to Data Subject requests, including access, rectification, erasure, data portability, restriction of processing, and objection to processing.

Kozo Pulse will process Personal Data for the duration of the Agreement unless otherwise instructed by Customer.

Upon termination or expiration:

• Customer has 30 days to export Personal Data
• After 30 days, Kozo Pulse will delete or anonymize all Personal Data
• Backup copies will be deleted within 90 days
• Kozo Pulse may retain data as required by law

Customer may audit Kozo Pulse's compliance with this DPA once per year upon reasonable notice. Kozo Pulse will provide:

• Relevant documentation and records
• Responses to audit questionnaires
• Copies of third-party audit reports (SOC 2, ISO 27001)
• Access to facilities for on-site audits (subject to confidentiality and reasonable limitations)

Audits must not unreasonably interfere with Kozo Pulse's business operations.

Each Party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.

Kozo Pulse's total liability for all claims under this DPA will not exceed the liability cap in the Agreement.

This DPA takes effect on the Effective Date of the Agreement and continues until the Agreement expires or terminates.

Obligations regarding data deletion and confidentiality survive termination.

To the extent required by Data Protection Laws, the Standard Contractual Clauses are incorporated into this DPA by reference. The parties agree to execute the SCCs upon Customer's request.

For DPA questions:
Email: contact@kozopulse.com
Subject: Data Processing Agreement

For data breaches:
Email: contact@kozopulse.com

Last updated: January 4, 2026
DPA Version: 1.0