Customer data
Data Processing Addendum
This addendum describes the conditions under which Kadryn may process personal data on behalf of a customer organization when providing the service.
Last updated : 2026-07-03
- Service
- Kadryn
- Trade name
- Web Novation
- Legal identity of the publisher
- GONFO Nicolas EI
- Privacy contact
- contact@kadryn.com
- Governing law
- France
Purpose and scope
This addendum applies where Kadryn processes personal data on behalf of a customer organization in connection with the use of the service.
It supplements the terms of service, privacy policy and, where applicable, any specific commercial terms agreed with the customer.
This document is an operational DPA template for Kadryn. It should be reviewed by legal counsel before formal contractual use with sensitive or enterprise customers.
Roles of the parties
The customer organization generally acts as controller for the data it decides to import, connect, transmit or process through Kadryn.
Kadryn acts as processor where the service processes such data on behalf of the customer, based on documented instructions and within the scope necessary to provide the service.
Description of processing
The subject matter of processing is the provision of a SaaS service for observing, governing, controlling and optimizing artificial intelligence usage.
The duration of processing corresponds to the customer’s use of the service, extended by periods necessary for export, deletion, security, evidence, billing or compliance with legal obligations.
- Nature of operations: collection, receipt, hosting, organization, consultation, analysis, logging, aggregation, retrieval, export and deletion.
- Purposes: service provision, AI cost measurement, alerts, governance, reporting, audit, support, security and maintenance.
- Data subjects: authorized customer users, administrators, team members, customer contractors and individuals potentially included in metadata transmitted by the customer.
- Categories of data: account data, professional emails, roles, technical logs, audit logs, AI usage metadata, cost information, projects, integrations, alerts and workspace settings.
Customer instructions
Kadryn processes customer data only to provide the service, perform requested features, ensure security, provide support, comply with applicable obligations or follow the customer’s documented instructions.
The customer is responsible for the lawfulness, relevance, quality and minimization of the data it transmits to Kadryn.
Sensitive data and secrets
Kadryn is not designed to intentionally receive sensitive data, unprotected secrets, exposed access keys, passwords, health data, complete payment card data or content the customer is not authorized to process.
The customer must configure integrations, projects, prompts, payloads and free-text fields to limit transmitted data to what is strictly necessary.
Confidentiality
Kadryn ensures that persons authorized to process customer data are subject to an appropriate confidentiality obligation or equivalent legal obligation.
Access to customer data is limited to persons and systems that need it to provide, maintain, secure or support the service.
Security
Kadryn implements technical and organizational measures intended to protect data against unauthorized access, loss, alteration, disclosure or accidental destruction.
These measures may include access control, logical environment separation, logging, encryption where relevant, secrets management, privilege limitation, error monitoring and incident response procedures.
Subprocessors
Kadryn may use subprocessors for hosting, databases, transactional email, billing, observability, job orchestration, storage and customer-enabled integrations.
The list of subprocessors is published on the dedicated page. Kadryn imposes data protection obligations on subprocessors appropriate to the nature of the services provided.
International transfers
Where processing involves a transfer of data outside the European Economic Area, Kadryn implements appropriate safeguards where required by applicable rules.
Such safeguards may include standard contractual clauses, contractual, technical or organizational measures, or any other mechanism recognized by applicable rules.
Customer assistance
To the extent reasonably possible, Kadryn helps the customer respond to data subject rights requests where such requests relate to data processed in the service.
Kadryn may also provide reasonable assistance regarding security, data breaches, impact assessments and compliance obligations related to the service.
Personal data breach
In the event of a personal data breach affecting customer data processed by Kadryn as processor, Kadryn informs the customer without undue delay after becoming aware of it.
The notification includes, where available, the nature of the incident, affected categories of data, likely consequences and measures taken or proposed.
Return and deletion
At the end of the contractual relationship, Kadryn deletes or returns customer data according to available features, applicable instructions and legal or evidentiary obligations.
Certain data may be temporarily retained in backups, security logs, accounting archives or records necessary for evidence, and then deleted according to applicable retention cycles.
Audit and documentation
Kadryn makes available reasonable information allowing the customer to evaluate the security and compliance measures applicable to the service.
Audits must remain reasonable, proportionate, governed by confidentiality obligations and must not compromise the security, availability or confidentiality of other customers.