
Data Processing Agreement

Effective: April 26, 2026 · Kyrospect Technologies · legal@kyrospect.com
Plain-language summary: When you (the Customer) deploy Kyrospect, you remain the controller of employee activity data. Kyrospect acts as a processor, follows your documented instructions, applies industry-standard security, and binds every sub-processor to equivalent obligations. Cross-border transfers use Standard Contractual Clauses where applicable.

1. Scope and Roles

This Data Processing Agreement ("DPA") supplements the Kyrospect Terms of Service. Customer is the data controller of Activity Data and Account Data; Kyrospect Technologies is the data processor acting on Customer's documented instructions.

The DPA covers obligations under: EU/UK GDPR Article 28; India Digital Personal Data Protection Act 2023; US CCPA/CPRA; and equivalent local data-protection regimes. In case of conflict, the regime granting the data subject greater protection prevails.

2. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Processing of Activity Data and Account Data necessary to provide the Kyrospect Service.
  • Duration: Term of the underlying Subscription, plus retention windows in the Privacy Policy.
  • Nature and purpose: Workforce-analytics processing — verified time tracking, productivity insights, authenticity verification, proof-of-work generation.
  • Categories of data subjects: Customer's employees, contractors, managers, and workspace administrators.
  • Categories of personal data: See Section 2 of the Privacy Policy.

3. Customer Instructions

Kyrospect processes personal data only on Customer's documented instructions, including the configuration of workspace policies, retention windows, and integration choices. Where required by law, Kyrospect will inform Customer before complying with a legal obligation that requires processing beyond Customer's instructions.

4. Confidentiality

All Kyrospect personnel with access to systems are bound by written confidentiality obligations, which survive termination. Access is granted strictly on a least-privilege basis.

5. Security Measures

Kyrospect implements technical and organisational measures appropriate to the risk, including:

  • Encryption: AES-256 at rest in dedicated workspaces; TLS 1.3 in transit; on-device encryption of activity payloads before transmission.
  • On-device Smart Privacy Blur for sensitive screen content prior to capture.
  • Single-tenant workspace isolation. Cross-workspace data access is architecturally precluded.
  • Role-based access control with full administrative audit logging.
  • Regular vulnerability management, dependency scanning, and independent security review.
  • Documented incident response with 72-hour customer notification commitment.
  • Business-continuity controls including encrypted backups and disaster-recovery procedures.

6. Sub-Processors

Kyrospect engages sub-processors for infrastructure, payments, deliverability, and analytics. Each sub-processor is bound by data-protection obligations equivalent to those in this DPA. The current sub-processor list is provided to Customers on request and via the Trust Center. Customer will receive 30 days' notice of material additions and may object on reasonable grounds; if no acceptable resolution is reached, Customer may terminate the affected Subscription with pro-rata refund.

7. International Transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, transfers are governed by the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum where applicable. Customer authorises transfers necessary to deliver the Service.

For Indian data, transfers comply with the cross-border transfer regime under the DPDP Act 2023 and any restrictions notified by the central government in respect of restricted destinations.

8. Data Subject Rights

Kyrospect provides functionality enabling Customer to fulfil data-subject requests directly (access, rectification, erasure, restriction, portability, objection). Where Kyrospect receives such a request directly, it forwards the request to Customer without responding to the data subject, except as required by law.

9. Personal Data Breach

Kyrospect notifies Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, providing information sufficient to enable Customer to meet its own breach-notification obligations.

10. Audit Rights

Kyrospect makes available the information necessary to demonstrate compliance, including SOC 2 readiness summaries, ISO/IEC 27001 alignment statements, and security overviews. On reasonable advance notice and at Customer's expense, Customer or its independent third-party auditor (subject to confidentiality) may conduct an audit limited to verifying compliance with this DPA, no more than once per calendar year, except where required by law or following a substantiated security incident.

11. Deletion or Return

On termination of the Subscription, Kyrospect makes Customer Data available for export for 30 days, after which it is permanently deleted from primary systems within 30 days and from backups within 90 days, unless retention is required by law.

12. Liability and Indemnity

Liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law.

13. Conflict and Order of Precedence

In the event of conflict, the order of precedence is: (1) the SCCs and equivalent transfer mechanisms, (2) this DPA, (3) the Terms of Service.

14. Contact

For DPA queries, sub-processor lists, or to request a signed, countersigned DPA package:
legal@kyrospect.com