Data Processing Agreement

Last Updated May 25, 2026

This Data Processing Agreement ("DPA") forms part of the Kaiterra Master Subscription Agreement, Kaiterra Terms of Service, Kaiterra Terms of Purchase, or other written agreement referencing this DPA (the "Agreement") between Origins Technology Limited ("Kaiterra") and the customer that is party to the Agreement ("Customer"). The term of this DPA is co-terminous with the term of the Agreement. Terms not defined in this DPA have the meaning given in the Agreement.

Customers who require a counter-signed copy of this DPA may request one at privacy@kaiterra.com.


1. Definitions

For the purposes of this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to a Party's processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), the Swiss Federal Act on Data Protection (the "FADP"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the "CCPA") and the other comprehensive US state privacy laws as enacted and in force from time to time, and any other applicable national, federal, state, or sub-national law concerning the processing of Personal Data.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" (and its cognates), and "Special Categories of Personal Data" each have the meaning given in the GDPR. Equivalent terms under other Applicable Data Protection Laws (including "Business", "Service Provider", "Sale", "Share", "Consumer", and "Sensitive Personal Information" under the CCPA) are construed accordingly.
  • "Customer Personal Data" means Personal Data that Kaiterra Processes on behalf of Customer in connection with Customer's use of the Kaiterra Products.
  • "Derived Data" means data that is aggregated, de-identified, or anonymised in a manner that prevents re-identification of any Data Subject, Customer, or end user, including statistical, technical, performance, and benchmarking data derived from Customer's use of the Kaiterra Products.
  • "EU SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, available at http://data.europa.eu/eli/dec_impl/2021/914/oj, as updated from time to time.
  • "Kaiterra Products" means the Kaiterra hardware, software, cloud services, and other products and associated services made available by Kaiterra to Customer under the Agreement.
  • "Sub-Processor" means any Processor engaged by Kaiterra to Process Customer Personal Data.
  • "Sub-Processor Page" means the list of Sub-Processors maintained by Kaiterra at https://www.kaiterra.com/legal/subprocessors, as updated from time to time.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner under section 119A of the Data Protection Act 2018 and laid before Parliament on 2 February 2022, version B1.0, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/, as revised from time to time under Section 18 of the mandatory clauses (the "UK Addendum Mandatory Clauses").

2. Roles of the Parties

2.1 Customer Personal Data. Customer is the Controller and Kaiterra is the Processor of Customer Personal Data. Where Customer Processes Customer Personal Data as a Processor on behalf of a third-party Controller, Kaiterra Processes that Customer Personal Data as a Sub-Processor.

2.2 Account and administrative data. Kaiterra Processes a limited set of Personal Data concerning Customer's authorised users (including names, email addresses, job titles, and authentication and access logs) as an independent Controller for the purposes of account administration, security, fraud prevention, billing, support, and service communications. The terms of the Kaiterra Privacy Notice apply to such Processing.

2.3 Derived Data. The Parties acknowledge that Derived Data does not identify, and is not reasonably capable of being used to identify, Customer, any of Customer's end users, or any Data Subject, and accordingly does not constitute Personal Data under Applicable Data Protection Law. Kaiterra owns all right, title, and interest in Derived Data and may Process Derived Data for any purpose, including research and development, machine-learning model training, benchmarking, and statistical analysis, including following termination of the Agreement.

2.4 Scope of Customer Personal Data. The Kaiterra Products are designed to Process indoor air quality and environmental measurements. Such measurements, in themselves, do not identify any natural person and are not Personal Data. Personal Data is processed under this DPA only where it is incidental to the operation of the Kaiterra Products (such as authorised-user account information) or where Customer elects to associate Personal Data with environmental measurements (such as room, occupant, or visitor metadata).

3. Kaiterra's Processing Obligations

3.1 Instructions

Kaiterra will Process Customer Personal Data only on Customer's documented instructions, which are set out in the Agreement, the applicable Order Form or Statement of Work, and this DPA. Kaiterra will inform Customer if, in Kaiterra's opinion, an instruction infringes Applicable Data Protection Law, and may suspend Processing (other than storage and security measures) until Customer issues a compliant instruction. Where a legal obligation requires Kaiterra to Process Customer Personal Data otherwise than in accordance with Customer's instructions, Kaiterra will, where permitted, notify Customer before such Processing.

3.2 Confidentiality

Kaiterra will ensure that personnel authorised to Process Customer Personal Data are subject to written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access to Customer Personal Data is granted on a need-to-know basis.

3.3 Security

Kaiterra will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. The measures Kaiterra implements are set out in Schedule 2 and on Kaiterra's security page at https://www.kaiterra.com/security. Kaiterra may update its security measures from time to time, provided that any update will not materially reduce the overall level of protection afforded to Customer Personal Data.

3.4 Personal Data Breaches

Kaiterra will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of Kaiterra's confirmed awareness of the Personal Data Breach. The notification will describe the nature of the Personal Data Breach (to the extent then known), the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, the measures taken or proposed to address the Personal Data Breach, and a point of contact at Kaiterra. Where it is not possible to provide all such information at the same time, the information may be provided in stages without further undue delay. Kaiterra will assist Customer, taking into account the nature of the Processing and the information available to Kaiterra, in meeting Customer's notification obligations under Applicable Data Protection Law.

3.5 Data Subject Requests

Kaiterra will provide reasonable assistance, taking into account the nature of the Processing, to enable Customer to respond to Data Subject requests under Applicable Data Protection Law. If Kaiterra receives a Data Subject request directly, Kaiterra will inform the Data Subject to direct the request to Customer and will notify Customer of the request without undue delay. Customer is solely responsible for responding to Data Subject requests concerning Customer Personal Data.

3.6 Data Protection Impact Assessments and Consultation

Taking into account the nature of the Processing and the information available to Kaiterra, Kaiterra will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities required by Applicable Data Protection Law in respect of Customer Personal Data. Kaiterra may charge a reasonable fee for assistance that materially exceeds Kaiterra's standard documentation.

3.7 Return or Deletion

On termination or expiry of the Agreement, and at Customer's written election, Kaiterra will return or delete Customer Personal Data Processed under this DPA within 30 days, subject to (i) backup-system rotation, after which residual copies will be securely overwritten in the ordinary course; and (ii) any retention required by law or to establish, exercise, or defend legal claims. Kaiterra will continue to apply the security and confidentiality obligations of this DPA to any such retained data for so long as it is retained.

4. Audits

4.1 Kaiterra will make available to Customer, on reasonable written request, the information necessary to demonstrate Kaiterra's compliance with its obligations under Applicable Data Protection Law and this DPA. Kaiterra's then-current security documentation, third-party audit reports (if any), and completed security questionnaires will satisfy this obligation in the first instance.

4.2 Where the information made available under Section 4.1 is insufficient, Customer may, no more than once in any 12-month period and subject to at least 30 days' prior written notice, conduct an audit of Kaiterra's Processing of Customer Personal Data. Such audits will be conducted during regular business hours, will not unreasonably disrupt Kaiterra's business, will be conducted remotely where reasonably practicable, and will be subject to confidentiality obligations no less protective than those in the Agreement. Audits requiring physical access will be conducted by a mutually acceptable independent auditor at Customer's cost. A regulator with jurisdiction over the Processing may exercise the audit right at any reasonable time.

5. Sub-Processors

5.1 General authorisation. Customer authorises Kaiterra to engage Sub-Processors to Process Customer Personal Data, subject to the requirements of this Section 5.

5.2 Current list. The current list of Sub-Processors is maintained on the Sub-Processor Page at https://www.kaiterra.com/legal/subprocessors. Customer may subscribe to update notifications on that page.

5.3 Notice of changes. Kaiterra will give Customer at least 30 days' prior notice of any intended addition or replacement of a Sub-Processor by updating the Sub-Processor Page and sending notice to Customer's designated privacy contact (or, if none is designated, to Customer's primary account contact). Clause 9(a), Option 2, of the EU SCCs leaves the advance-notice period for Sub-Processor changes to be specified by the Parties; the 30-day period in this Section is the period so specified.

5.4 Objection. Customer may object to a new Sub-Processor on reasonable data-protection grounds by giving written notice to Kaiterra within the notice period. The Parties will work together in good faith to address the objection. If the Parties cannot resolve the objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Kaiterra Products on written notice with a pro-rated refund of pre-paid fees for the unused term.

5.5 Sub-Processor obligations. Kaiterra will enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA. Kaiterra remains fully liable to Customer for the performance of each Sub-Processor's obligations.

6. International Data Transfers

6.1 Hosting location

Customer Personal Data Processed under this DPA is hosted on Amazon Web Services infrastructure located in Frankfurt, Germany (eu-central-1), or in such other location as Kaiterra may notify to Customer in advance, provided that any such change will not materially reduce the overall level of protection afforded to Customer Personal Data.

6.2 Access by globally distributed personnel

Customer acknowledges that Kaiterra's personnel and Sub-Processors are located in multiple jurisdictions and that access by such personnel and Sub-Processors to Customer Personal Data for the purposes of providing, supporting, and operating the Kaiterra Products may constitute a transfer of Personal Data under Applicable Data Protection Law. Such transfers are subject to the safeguards set out in this Section 6.

6.3 EU SCCs

To the extent that Customer's transfer of Customer Personal Data to Kaiterra requires a transfer mechanism under the GDPR, the EU SCCs are hereby incorporated into this DPA by reference and apply as follows:

  • Where Customer is a Controller and Kaiterra is a Processor of Customer Personal Data, Module Two (Controller to Processor) applies.
  • Where Customer is a Processor and Kaiterra is a Sub-Processor of Customer Personal Data, Module Three (Processor to Processor) applies.
  • For purposes of Clause 7 (docking clause): the optional docking clause applies.
  • For purposes of Clause 9(a) (general written authorisation): Option 2 applies, with the notice period set in Section 5.3 of this DPA.
  • For purposes of Clause 11 (redress): the optional independent dispute resolution body does not apply.
  • For purposes of Clause 17 (governing law): the EU SCCs are governed by the laws of Ireland.
  • For purposes of Clause 18 (choice of forum and jurisdiction): disputes arising from the EU SCCs are resolved before the courts of Ireland.
  • Annexes I, II, and III to the EU SCCs are completed as set out in Schedule 1 (transfer details), Schedule 2 (technical and organisational measures), and Section 5 (sub-processors) of this DPA.
  • In the event of any conflict between the EU SCCs and the body of this DPA, the EU SCCs prevail.

6.4 UK Addendum

To the extent that Customer's transfer of Customer Personal Data to Kaiterra requires a transfer mechanism under the UK GDPR, the UK Addendum is hereby incorporated into this DPA by reference. The Parties agree as follows for the purposes of the UK Addendum:

  • The UK Addendum is incorporated by reference using the Alternative Part 2 Mandatory Clauses: "Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses."
  • Tables 1, 2, 3, and 4 of the UK Addendum are completed as follows:
    • Table 1 (Parties): as set out in Schedule 1.A of this DPA.
    • Table 2 (Selected SCCs, Modules and selected clauses): the EU SCCs incorporated under Section 6.3 of this DPA, with the module selections, optional clauses, and choices made there.
    • Table 3 (Appendix Information): Annex 1A — as set out in Schedule 1.A; Annex 1B — as set out in Schedule 1.B; Annex 2 — as set out in Schedule 2; Annex 3 — as set out in Section 5 of this DPA.
    • Table 4 (Ending the Addendum when the Approved Addendum changes): the Importer (Kaiterra) may end the Addendum where the approved version changes, in accordance with Section 19 of the Mandatory Clauses.

6.5 Switzerland

To the extent that transfers of Customer Personal Data are subject to the FADP, the EU SCCs apply with the following adaptations: (i) the term "Member State" is interpreted to include Switzerland; (ii) references to the GDPR are read as references to the FADP, as applicable; (iii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (iv) where the FADP protects Personal Data of legal persons until such protection is removed, the EU SCCs also apply to such Personal Data.

6.6 Onward transfers

Where Kaiterra transfers Customer Personal Data to a Sub-Processor in a third country, Kaiterra will ensure that the transfer is governed by an appropriate transfer mechanism under Applicable Data Protection Law, including (where applicable) the EU SCCs, the UK Addendum, the EU-US Data Privacy Framework, or other recognised safeguards.

6.7 Regional supplements

Where the deployment of the Kaiterra Products to Customer involves Processing in a jurisdiction with region-specific data residency, transfer, or registration requirements, the Parties will enter into supplementary terms as reasonably required for compliance with Applicable Data Protection Law in that jurisdiction. Customers with such requirements should contact privacy@kaiterra.com.

7. US State Privacy Laws

7.1 The terms of this Section 7 apply to the extent Customer Personal Data includes Personal Data of consumers, residents, or households subject to the CCPA or any other US state comprehensive privacy law.

7.2 Kaiterra is a "service provider", "processor", or analogous role under the CCPA and other US state comprehensive privacy laws in respect of Customer Personal Data. Kaiterra will:

(a) Process Customer Personal Data only for the limited and specified business purposes set out in the Agreement and on Customer's documented instructions;

(b) not Sell or Share Customer Personal Data, and not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, including not retaining, using, or disclosing Customer Personal Data outside the direct business relationship between the Parties or for any commercial purpose other than providing the Kaiterra Products;

(c) not combine Customer Personal Data with Personal Data Kaiterra receives from or on behalf of another person or that Kaiterra collects directly from a consumer, except as permitted by Applicable Data Protection Law;

(d) provide reasonable assistance to Customer to respond to consumer requests for access, deletion, correction, opt-out, or other rights under Applicable Data Protection Law;

(e) notify Customer if Kaiterra determines that it can no longer meet its obligations under Applicable Data Protection Law;

(f) on Customer's reasonable written request, certify Kaiterra's compliance with this Section 7; and

(g) permit Customer, on written notice to Kaiterra, to take reasonable and appropriate steps to stop and remediate unauthorised use of Customer Personal Data, including by exercising the audit rights set out in Section 4.

7.3 Customer grants Kaiterra a limited right to (i) compile aggregated and de-identified statistical information as Derived Data under Section 2.3, and (ii) detect security incidents and prevent fraud, in each case to the extent permitted by Applicable Data Protection Law.

8. Country of Concern Compliance

8.1 Kaiterra complies with applicable laws restricting transfers of bulk US sensitive personal data to "countries of concern" or "covered persons", including the rule promulgated by the US Department of Justice at 28 CFR Part 202 implementing Executive Order 14117 (the "Final Rule").

8.2 Customer Personal Data Processed under this DPA consists primarily of indoor environmental measurements and limited identification and contact data for authorised users. Such data does not constitute "bulk US sensitive personal data" as defined in the Final Rule, and the Processing of Customer Personal Data under this DPA is not a "covered data transaction" within the meaning of the Final Rule.

8.3 If Kaiterra determines that any Processing of Customer Personal Data under the Agreement may be or become a covered data transaction, Kaiterra will notify Customer without undue delay and the Parties will negotiate in good faith such additional safeguards as may be required.

8.4 Access to Customer Personal Data by Kaiterra personnel is restricted to personnel whose roles require access, is governed by role-based access controls, and is logged.

9. Liability

This DPA is subject to, and the liability of each Party under this DPA is governed by, the limitations and exclusions of liability set out in the Agreement. Nothing in this Section limits a Party's liability to the extent such liability cannot be limited by Applicable Data Protection Law, including a Data Subject's right to compensation under Article 82 of the GDPR.

10. Changes to this DPA

10.1 Kaiterra may update this DPA from time to time to reflect changes to Applicable Data Protection Law, regulatory guidance, the Kaiterra Products, or Kaiterra's Sub-Processors and security measures. Non-material updates take effect on publication of the revised DPA at the URL set out in the Agreement.

10.2 Where an update materially reduces the protections afforded to Customer Personal Data or imposes a material new obligation on Customer, Kaiterra will give Customer at least 30 days' prior notice. If Customer reasonably objects to the update, the Parties will negotiate in good faith. If the Parties cannot agree within 30 days of Customer's objection, Customer may terminate the affected portion of the Agreement on written notice with a pro-rated refund of pre-paid fees for the unused term.

11. General

11.1 Order of precedence. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the EU SCCs or UK Addendum (where incorporated), the EU SCCs or UK Addendum prevail.

11.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

11.3 Governing law. Except where Applicable Data Protection Law, the EU SCCs, or the UK Addendum require otherwise, this DPA is governed by the law specified in the Agreement.

11.4 Notices. Notices to Kaiterra under this DPA are sent to privacy@kaiterra.com. Notices to Customer are sent to the privacy or primary account contact on file with Kaiterra.


Schedule 1 — Transfer Details

1.A List of Parties

Data exporter. The Customer that is party to the Agreement. Contact details, role (Controller or Processor), and activities relevant to the transfer are as set out in the Agreement and the applicable Order Form or Statement of Work. Where this DPA is executed as part of Customer's acceptance of Kaiterra's standard terms, the data exporter is identified by the account record associated with the Agreement.

Data importer.

Name: Origins Technology Limited (trading as Kaiterra)
Address: Flat/Room 603, 6/F, Laws Commercial Plaza, 788 Cheung Sha Wan Road, Cheung Sha Wan, Kowloon, Hong Kong SAR
Contact: privacy@kaiterra.com
Role: Processor (Module Two) or Sub-Processor (Module Three) of Customer Personal Data; independent Controller of account/administrative data and Derived Data as set out in Sections 2.2 and 2.3
Activities relevant to the transfer: Provision, operation, and support of the Kaiterra Products

1.B Description of Transfer

Categories of Data Subjects: Customer's authorised users (including employees, contractors, and administrators); where Customer elects to associate Personal Data with environmental measurements, occupants and visitors of Customer's premises.
Categories of Personal Data: Identification and contact data (name, email, title, contact information); employment details (employer, employee or user identifier, job title, department); usage data (technical, statistical, and performance data relating to use of the Kaiterra Products); authentication and access logs; and other electronic data that Customer elects to submit, store, send, or receive through the Kaiterra Products, which may include room, occupant, or visitor metadata associated with environmental measurements.
Special Categories of Personal Data: None. Customer will not submit Special Categories of Personal Data to the Kaiterra Products without Kaiterra's prior written consent.
Frequency of transfer: Continuous for the duration of the Agreement.
Nature of the Processing: Hosting, storage, transmission, access, analysis, support, and operation of the Kaiterra Products.
Purpose of the Processing: Provision of the Kaiterra Products to Customer in accordance with the Agreement and Customer's documented instructions.
Retention period: Duration of the Agreement, plus up to 30 days for return or deletion, plus residual retention in backup systems until rotation (not exceeding 12 months from termination), plus any retention required by law or to establish, exercise, or defend legal claims.
Sub-Processors: As set out on the Sub-Processor Page and Section 5 of this DPA. The subject matter, nature, and duration of Sub-Processor Processing are as described on the Sub-Processor Page.

1.C Competent Supervisory Authority

For Processing subject to the GDPR, the competent supervisory authority is the Irish Data Protection Commission, unless a different supervisory authority is competent under Article 56 of the GDPR.

For Processing subject to the UK GDPR, the competent supervisory authority is the United Kingdom Information Commissioner's Office.

For Processing subject to the FADP, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.


Schedule 2 — Technical and Organisational Measures

This Schedule sets out the technical and organisational measures implemented by Kaiterra to protect Customer Personal Data, in accordance with Article 32 of the GDPR, Clause 8.6 of the EU SCCs, and equivalent requirements under Applicable Data Protection Law. Kaiterra may update these measures from time to time, provided that any update will not materially reduce the overall level of protection afforded to Customer Personal Data.

1. Information security programme

Kaiterra maintains a written information security programme that includes policies, procedures, and standards governing the security of Customer Personal Data. The programme is reviewed at least annually. Kaiterra implements security practices aligned with leading industry frameworks for the design and operation of its security programme.

2. Hosting and physical security

Customer Personal Data is hosted on Amazon Web Services infrastructure located in Frankfurt, Germany (eu-central-1). Physical and environmental security of the hosting infrastructure is provided by AWS in accordance with the AWS shared-responsibility model and the certifications and attestations published by AWS from time to time, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and SOC 1 and SOC 2 Type II.

Office facilities maintained by Kaiterra are secured by appropriate physical access controls (including badge access, locked doors, and visitor management) commensurate with the sensitivity of the activities conducted there.

3. Access control

(a) Access to systems Processing Customer Personal Data requires unique user identifiers and authentication.

(b) Multi-factor authentication is required for all administrative and production access.

(c) Access is granted on a least-privilege, role-based, and time-bound basis. Access is reviewed at least annually and revoked promptly on role change or termination.

(d) Production credentials are not shared. Privileged actions are logged.

(e) Session management includes appropriate inactivity timeouts and protection against credential-stuffing and brute-force attacks.

4. Encryption

(a) Customer Personal Data is encrypted at rest using AES-256 or an equivalent industry-standard algorithm.

(b) Customer Personal Data is encrypted in transit between Customer devices, Kaiterra devices, and Kaiterra systems using TLS 1.2 or higher, or an equivalent industry-standard protocol.

(c) Cryptographic key management follows established procedures, including restricted key access and key rotation.

5. Network and system security

(a) Network segregation, firewalls, and security groups isolate production environments from non-production environments.

(b) Vulnerability scanning is conducted on a regular basis, and identified vulnerabilities are remediated according to documented severity-based timelines.

(c) Independent penetration testing is conducted at least annually. Material findings are remediated and re-tested.

(d) Centralised logging and monitoring of security-relevant events is in place, with alerting and review procedures.

(e) Anti-malware controls are deployed on endpoints and systems where applicable.

6. Secure software development

(a) Software is developed using a documented secure development lifecycle that includes code review, dependency management, and testing.

(b) Production deployments are subject to change management procedures, including authorisation and traceability.

(c) Source code is stored in access-controlled repositories with branch protection.

7. Personnel

(a) Personnel with access to Customer Personal Data are subject to written confidentiality obligations.

(b) Background checks are conducted on new personnel where permitted by Applicable Data Protection Law.

(c) Personnel receive security and data protection training at hire and at least annually thereafter.

(d) Access to Customer Personal Data is revoked promptly on termination of employment or engagement.

8. Incident response and breach notification

(a) Kaiterra maintains a documented incident response plan that is reviewed and tested at least annually.

(b) Personal Data Breach notification to Customer is governed by Section 3.4 of the DPA.

9. Business continuity and disaster recovery

(a) Customer Personal Data is backed up on a regular basis. Backups are encrypted and stored in a manner that protects against loss.

(b) Kaiterra maintains documented business continuity and disaster recovery plans, including recovery time and recovery point objectives.

(c) Hosting is configured for multi-availability-zone redundancy within the primary hosting region.

10. Supplier and Sub-Processor management

(a) Kaiterra assesses Sub-Processors and other suppliers with access to Customer Personal Data prior to engagement against documented security and privacy criteria.

(b) Sub-Processors are bound by written agreements imposing data protection obligations no less protective than this DPA.

(c) Sub-Processors are listed on the Sub-Processor Page.

11. Data segregation

Customer Personal Data is logically segregated from data of other customers in shared infrastructure through tenant identifiers, access controls, and database-level separation.

12. Audit and assurance

Kaiterra maintains documentation sufficient to demonstrate compliance with this Schedule and the DPA, and makes such documentation available to Customer in accordance with Section 4 of the DPA.


Schedule 3 — Sub-Processors

The current list of Sub-Processors authorised under this DPA is maintained at https://www.kaiterra.com/legal/subprocessors. The Sub-Processor Page identifies, for each Sub-Processor, the Sub-Processor's name, location, the categories of Processing performed, and the categories of Customer Personal Data accessed. The Sub-Processor Page is incorporated into this DPA by reference and constitutes Annex III of the EU SCCs and the corresponding annex of the UK Addendum.