Data Processing Addendum

Last updated: April 28, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service between KCENAV.AI, operating as AISupplyNav ("Processor," "we"), and the subscribing entity ("Controller," "you"). This DPA addresses the requirements of GDPR Article 28 and applicable data protection legislation.

1. Definitions

2. Scope of Processing

Element	Details
Subject matter	Provision of AI-powered supply chain intelligence services
Duration	For the term of the subscription agreement plus 30 days for deletion
Nature & purpose	Storage, AI analysis, report generation, and advisory services for supply chain data
Categories of data subjects	Controller's employees, authorized users, and supply chain contacts referenced in uploaded data
Types of Personal Data	Email addresses, names, job titles, company information, supply chain data containing business contact details

3. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, including transfers to third countries (unless required by law).
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
   • Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
   • Ability to ensure ongoing confidentiality, integrity, availability, and resilience
   • Ability to restore access to Personal Data in a timely manner after an incident
   • Regular testing of security measures
4. Respect the conditions for engaging Sub-processors (see Section 4).
5. Assist the Controller in responding to data subject rights requests.
6. Assist the Controller in ensuring compliance with data breach notification obligations.
7. Delete or return all Personal Data at the end of the processing term, at the Controller's choice.
8. Make available all information necessary to demonstrate compliance and allow for audits.

4. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. Current Sub-processors:

Sub-processor	Purpose	Location
Neon Tech, Inc.	PostgreSQL database hosting	United States
Render Services, Inc.	Application hosting & infrastructure	United States
Stripe, Inc.	Payment processing	United States
AI model providers (multi-model)	Natural language processing for supply chain analysis	United States

The Processor shall:

• Notify the Controller of any intended changes to Sub-processors at least 30 days before the change.
• Impose data protection obligations on Sub-processors that are no less protective than this DPA.
• Remain fully liable for the performance of each Sub-processor.

If the Controller objects to a new Sub-processor, the Controller may terminate the affected services within 30 days of notification.

5. International Transfers

All data is processed and stored in the United States. For transfers of Personal Data from the EEA/UK to the US, the parties agree to rely on the EU Standard Contractual Clauses (Module Two: Controller to Processor, Commission Implementing Decision 2021/914) incorporated by reference.

6. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of data subject requests including:

• Right of access (providing data export)
• Right to rectification (correcting inaccurate data)
• Right to erasure (deleting Personal Data)
• Right to data portability (machine-readable export)
• Right to restriction of processing
• Right to object to processing

The Processor shall respond to Controller requests for assistance within 10 business days.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Notification shall include:

• Description of the nature of the breach, including categories and approximate number of data subjects affected
• Contact point for further information
• Description of likely consequences
• Description of measures taken or proposed to address the breach

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, subject to:

• Reasonable advance notice (at least 30 days)
• Scope limited to compliance with this DPA
• No more than one audit per 12-month period unless triggered by a data breach
• Confidentiality of any information obtained during the audit

9. AI-Specific Provisions

Given that AISupplyNav uses AI models to process data:

• No third-party training: Controller's Personal Data is never used to train third-party AI models. All model providers are contracted under terms that prohibit training on customer data.
• Minimal data transmission: Only the minimum context necessary for each AI query is sent to model providers. Full database records are never transmitted.
• No data retention by AI providers: AI providers do not retain Controller's data after processing each request.

See our AI Use Policy for detailed practices.

10. Term and Termination

This DPA is effective for the duration of the subscription agreement. Upon termination:

• The Processor shall delete or return all Personal Data within 30 days, at the Controller's choice.
• The Processor shall certify in writing that all Personal Data has been deleted or returned.
• Obligations relating to confidentiality and data protection survive termination.

11. Governing Law

This DPA is governed by the laws of the State of Delaware, United States. For Controller's located in the EEA, the GDPR shall apply in addition.

12. Contact & Requests

To request a countersigned DPA, report a data issue, or exercise audit rights:

• Email: legal@kcenav.ai
• Company: KCENAV.AI — the operator of AISupplyNav