Data Processing Agreement
Last updated: 7 May 2026 · Pursuant to Art. 28 GDPR
This Data Processing Agreement ("DPA") is entered into between you as the data controller ("Controller") and Kukuda Labs GmbH ("Kukuda", "Processor") and forms an integral part of the Terms of Service. This DPA governs the processing of personal data by Kukuda on behalf of the Controller in connection with the Kukuda AI visibility services.
1. Subject Matter and Duration
Kukuda processes personal data on behalf of the Controller to deliver the services described in the Terms of Service, including AI visibility tracking, schema generation, and analytics. This DPA is effective for the duration of the service subscription and terminates automatically upon expiry or termination of the underlying agreement.
2. Nature and Purpose of Processing
Processing activities include: storing and retrieving business profile data, running scheduled AI engine sweeps, generating structured data (JSON-LD, llms.txt), syncing with the Google Business Profile API, and producing analytics reports. Processing takes place exclusively within the EU/EEA.
3. Categories of Data and Data Subjects
The Controller may submit personal data of the following categories to the Kukuda platform:
- Business contact data (names, email addresses of staff or end-customers)
- Business location and profile data
- Website content and structured data
- Google Business Profile data (where the Controller has authorized access)
Data subjects may include the Controller's employees, customers, and website visitors.
4. Obligations of the Processor
Kukuda undertakes to:
- Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures (TOMs) as required by Art. 32 GDPR.
- Assist the Controller in fulfilling data subject rights requests (Arts. 15–22 GDPR) within the timescales required by applicable law.
- Assist the Controller in ensuring compliance with obligations under Arts. 32–36 GDPR regarding security, breach notification, data protection impact assessments, and prior consultation.
- Upon termination of the agreement, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage.
- Make available all information necessary to demonstrate compliance with Art. 28 GDPR obligations.
5. Sub-processors
The Controller grants general authorization to engage the following sub-processors. Kukuda will inform the Controller of any intended changes concerning addition or replacement of sub-processors, thereby giving the Controller the opportunity to object within 14 days.
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database and authentication hosting | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing | EU (Ireland) |
| PostHog Inc. | Product analytics | EU |
| Resend Inc. | Transactional email delivery | EU |
6. Technical and Organizational Measures (Art. 32 GDPR)
Kukuda implements the following security measures:
- Encryption in transit: TLS 1.3 for all data transmissions.
- Encryption at rest: AES-256 for all stored data.
- Access controls: role-based access with principle of least privilege; MFA required for administrative access.
- Audit logging: all administrative actions are logged with timestamps.
- Vulnerability management: regular security assessments and dependency updates.
- Physical security: data processed exclusively in EU data centers with certified physical access controls (Supabase Frankfurt).
7. Audit Rights
The Controller may audit Kukuda's compliance with this DPA up to once per calendar year, with at least 30 days' prior written notice, during normal business hours, and at the Controller's expense. Kukuda may satisfy audit requests by providing relevant third-party certifications, SOC 2 reports, or equivalent assurance documentation in lieu of an on-site audit.
8. Data Breach Notification
Kukuda will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting the Controller's data. The notification will include, to the extent available: nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
9. International Transfers
All processing takes place within the EU/EEA. In the event that any sub-processor requires a transfer of personal data outside the EU/EEA, Kukuda will ensure that appropriate safeguards are in place as required by Chapter V GDPR (e.g., EU Standard Contractual Clauses).
10. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany. The courts of Berlin have exclusive jurisdiction over any disputes arising from this DPA.
Contact
Questions regarding this DPA: privacy@kukuda.ai