This Data Processing Agreement (“DPA”) is entered into between the customer identified in the order form or self-service signup (the “Controller”) and Kiavi, operated by Kiavi B.V., registered in the Netherlands under Chamber of Commerce (KvK) number 42042433 (the “Processor” or “Kiavi”). The Controller and Kiavi are each a “Party” and together the “Parties”. This DPA forms an integral part of the Terms of Service (the “Agreement”) between the Parties and applies whenever Kiavi processes Personal Data on behalf of the Controller in connection with the Service. By accepting the Agreement or using the Service, the Controller accepts this DPA.
1. Definitions
Capitalised terms used and not otherwise defined in this DPA have the meaning given to them in the GDPR. For the purposes of this DPA:
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as supplemented or amended by national implementing law applicable to either Party.
- “Service” means the hosted, multi-tenant authentication infrastructure that Kiavi makes available under the Agreement, including the per-tenant authentication instances, the management dashboard, the public SDKs, and supporting infrastructure components.
- “End User” means a natural person who interacts with the Controller’s application and whose Personal Data is processed by Kiavi as part of the Service.
- “Personal Data” means Personal Data (as defined in Art. 4(1) GDPR) that Kiavi processes on behalf of the Controller in connection with the Service. Annex 1 sets out the categories of Personal Data and Data Subjects.
- “Subprocessor” means any third party engaged by Kiavi to process Personal Data on behalf of the Controller. The current list is published on the subprocessors page.
- “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Art. 46 GDPR, as set out in Commission Implementing Decision (EU) 2021/914.
2. Roles and scope
For Personal Data relating to End Users that Kiavi processes through the Service, the Controller acts as the controller and Kiavi acts as the processor within the meaning of Art. 4 and Art. 28 GDPR. For Personal Data that Kiavi processes about the Controller’s own personnel (account holders, billing contacts, support contacts), Kiavi is an independent controller and that processing is governed by the Kiavi privacy policy. This DPA applies for the duration of the Agreement and survives termination for as long as Kiavi processes Personal Data on behalf of the Controller.
3. Documented instructions
Kiavi processes Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law applicable to Kiavi. The Agreement, this DPA (including its annexes), the configuration choices made by the Controller in the management dashboard, and the operations performed through the public APIs together constitute the Controller’s complete and final documented instructions to Kiavi. Any additional or conflicting instruction must be agreed in writing.
If Kiavi is required by Union or Member State law to process Personal Data outside these instructions, Kiavi will inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest. Kiavi will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
4. Confidentiality of personnel
Kiavi ensures that persons authorised to process Personal Data (including employees, contractors, and authorised Subprocessors’ personnel acting under Kiavi’s authority) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is granted on a need-to-know basis and is logged.
5. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, Kiavi implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. The measures in place at the Effective Date are described in Annex 2. Kiavi may update these measures from time to time, provided that the level of protection is not reduced.
6. Subprocessors
The Controller grants Kiavi a general written authorisation to engage Subprocessors, subject to the conditions in this section. The current list of authorised Subprocessors, including the location and purpose of each engagement, is published on the subprocessors page.
Kiavi will provide the Controller with at least 30 days’ prior notice of any intended addition or replacement of a Subprocessor that processes Personal Data, either by updating the subprocessors page (accompanied by an email to the primary contact registered in the management dashboard or by an in-product notice) or by direct email. The Controller may object to the change in good faith and on reasonable data protection grounds, in writing, within those 30 days. The Parties will discuss the objection in good faith. If the Parties cannot agree on a resolution within a reasonable period, the Controller may terminate the Agreement, with respect to the affected portion of the Service, by written notice to Kiavi, with a pro-rata refund of any pre-paid fees attributable to the unused portion of the affected Service.
Where Kiavi engages a Subprocessor for carrying out specific processing activities on behalf of the Controller, Kiavi imposes on that Subprocessor, by way of a contract or other legal act under Union or Member State law, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where the Subprocessor fails to fulfil its data protection obligations, Kiavi remains fully liable to the Controller for the performance of that Subprocessor’s obligations.
7. International data transfers
Kiavi processes Personal Data exclusively within the European Economic Area (“EEA”). Authentication instances, databases, and signing keys are hosted in Scaleway data centres in Paris (fr-par). Static assets are served by Bunny.net edge locations within the EEA only.
Kiavi will not transfer Personal Data to a country outside the EEA, nor permit any Subprocessor to do so, without first putting in place an appropriate transfer mechanism under Chapter V of the GDPR (in particular an adequacy decision under Art. 45 GDPR or appropriate safeguards under Art. 46 GDPR, including the EU SCCs). Where the EU SCCs apply, Annex 4 of this DPA records the modules, parties, and annex content for the relevant transfer.
8. Assistance with data subject rights
Taking into account the nature of the processing, Kiavi assists the Controller, by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
The management dashboard and the public APIs allow the Controller to view, export, correct, and delete End User records, revoke active sessions, list authentication events from the audit log, and force re-authentication. The Controller is responsible for receiving, validating, and responding to Data Subject requests. Where Kiavi receives a request directly from a Data Subject identifying the Controller, Kiavi will not respond on the merits, will inform the Data Subject that the Controller is the relevant controller, and will forward the request to the Controller without undue delay.
9. Personal data breach notification
Kiavi notifies the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Personal Data processed on behalf of the Controller. The notification will be sent to the primary contact registered in the management dashboard and will, to the extent then known and without prejudice to subsequent updates, include:
- a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of the Kiavi contact point from whom further information can be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed by Kiavi to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Kiavi does not notify Data Subjects directly. Notification of supervisory authorities and Data Subjects under Art. 33 and Art. 34 GDPR remains the responsibility of the Controller. Kiavi’s notification under this section is not an admission of fault or liability.
10. Data protection impact assessments and prior consultation
Taking into account the nature of the processing and the information available to Kiavi, Kiavi provides the Controller with reasonable assistance, at the Controller’s cost (except where the assistance is required because of a deficiency in Kiavi’s own performance of this DPA), to enable the Controller to comply with its obligations under Art. 32 to 36 GDPR, including data protection impact assessments and prior consultation with supervisory authorities. The security page, this DPA, and the published Subprocessor list are intended to provide the Controller with the principal information needed for these purposes.
11. Audits and information rights
Kiavi makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and with this DPA, in particular by providing the security page, this DPA, the Subprocessor list, and, where available, summary reports of independent third-party assessments.
The Controller may, at its own cost, audit Kiavi’s compliance with this DPA no more than once per calendar year, except where (a) a Personal Data breach affecting the Controller has occurred in the preceding 12 months, or (b) a competent supervisory authority requires an additional audit. The Controller will give Kiavi at least 30 days’ prior written notice, and the audit will be conducted during normal business hours, in a manner that does not unreasonably interfere with Kiavi’s operations, and subject to confidentiality obligations equivalent to those in the Agreement.
Where Kiavi makes available current independent third-party reports (for example ISO 27001, SOC 2 Type II, or equivalent) covering the scope of the proposed audit, the Controller will accept those reports as satisfying its audit right, unless they are insufficient to demonstrate compliance with this DPA. The Controller bears the reasonable costs of any on-site audit; if material non-compliance with this DPA is identified, Kiavi will bear those costs and remediate without undue delay.
12. Return or deletion of Personal Data
Throughout the term of the Agreement, the Controller may export Personal Data at any time through the management dashboard and the public APIs. Upon expiry or termination of the Agreement, Kiavi will, at the Controller’s choice (expressed in writing within 30 days of termination), delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
If the Controller does not express a choice within those 30 days, Kiavi will delete the Personal Data. Personal Data held in encrypted backups is overwritten in the normal course of the backup rotation cycle (no later than 90 days after termination). Pseudonymous, aggregated, or statistical data that no longer identifies any natural person is excluded from this deletion obligation. Kiavi will, on request, confirm in writing that deletion has been performed.
13. Liability
Each Party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either Party’s liability where such limitation or exclusion is not permitted by applicable law, including under Art. 82 GDPR.
14. Term, precedence, and miscellaneous
This DPA enters into force when the Agreement enters into force and remains in effect for as long as Kiavi processes Personal Data on behalf of the Controller. Sections that, by their nature, are intended to survive termination (in particular sections 9, 11, 12, and 13) survive termination of the Agreement.
In the event of a conflict between this DPA and the Agreement (including any prior data protection terms), this DPA prevails with respect to the processing of Personal Data on behalf of the Controller. In the event of a conflict between this DPA and the EU SCCs (where they apply), the EU SCCs prevail.
Any notices under this DPA may be sent by email to legal@kiavi.eu (for notices to Kiavi) or to the primary contact email registered in the management dashboard (for notices to the Controller). This DPA, and any non-contractual obligations arising out of or in connection with it, are governed by the law specified in the Agreement and subject to the courts identified in the Agreement.
Annex 1: Description of the processing
Subject matter: The provision of hosted authentication infrastructure (sign-up, sign-in, session management, identity management, audit logging, and related operations) on behalf of the Controller for the Controller’s End Users.
Duration: The duration of the Agreement, plus the retention periods set out in section 12.
Nature and purpose: Authenticating End Users into the Controller’s application; issuing and verifying credentials and tokens (passkeys, email one-time codes, SMS one-time codes where enabled, OAuth social identities, JWTs); maintaining sessions; recording authentication events for security and abuse monitoring; assisting the Controller with user management (creation, deletion, role assignment, recovery); and providing usage analytics (Daily and Monthly Active Users) to the Controller.
Categories of Data Subjects:
- End Users of the Controller’s application;
- Administrators or staff of the Controller acting as End Users for the purpose of administering the Controller’s application.
Categories of Personal Data:
- Identifiers: email address, phone number (where the Controller enables phone as an identifier method), display name, given and family name, OAuth provider identifiers and the access or refresh tokens issued by those providers, profile picture URL where supplied by an OAuth provider, internal user identifier;
- Authentication credentials and verifiers: WebAuthn public keys and credential metadata for passkeys, email one-time codes, SMS one-time codes (where enabled), recovery codes (stored hashed), API keys (stored hashed), and JWTs issued by the per-tenant signing key. Kiavi does not collect, store, or accept user passwords;
- Session and device metadata: session identifier, session creation and expiration timestamps, IP address of the client, user-agent string, and the country code derived from the IP address by an EU-hosted IP-to-country lookup;
- Authentication event records: type of event (sign-in, sign-out, passkey registration or removal, OAuth connection, admin action, failed attempt), outcome, timestamp, IP address, user-agent, and country code;
- Application-defined custom user fields configured by the Controller through the management dashboard or the public APIs.
Kiavi does not knowingly process special categories of Personal Data within the meaning of Art. 9 GDPR or Personal Data relating to criminal convictions and offences within the meaning of Art. 10 GDPR. The Controller will not configure custom fields, names, or any other input intended to collect such data.
Annex 2: Technical and organisational measures
The measures listed below describe Kiavi’s implementation as of the date at the top of this page. Kiavi may update individual measures over time, provided that the overall level of protection is not reduced. Further detail is available on the security page.
Pseudonymisation and encryption (Art. 32(1)(a))
- All inbound and outbound traffic is served over TLS, terminated by the EU-hosted CDN (Bunny.net) and re-established to origin services over TLS;
- Per-tenant PostgreSQL databases on Scaleway have encryption-at-rest enabled by the platform;
- Per-tenant JWT signing keys are stored in Scaleway Secret Manager and read on demand at runtime by the services that need them; they are never written to environment variables in plaintext or to source code;
- Recovery codes and API keys are stored as hashes; passkey private keys never leave the user’s authenticator;
- JWT issuance uses asymmetric per-tenant key pairs (RS256) with regular key rotation and a published key-discovery endpoint;
- User passwords are not stored, hashed, or accepted by the Service.
Confidentiality, integrity, availability, and resilience (Art. 32(1)(b))
- Strict per-tenant isolation: each Controller’s authentication instance runs in a dedicated container with a dedicated database and dedicated signing keys. There is no shared user table, no shared signing key, and no cross-tenant query path;
- Row-level access controls are enforced on the management database, scoped per organisation;
- Production secrets are managed in Scaleway Secret Manager with audit logging on access;
- Public authentication endpoints are rate limited per identifier and per IP to mitigate credential stuffing and brute-force attempts; tenant API keys are rate limited independently;
- A structured audit log captures every authentication event with identifier, IP, user-agent, country code, outcome, and timestamp, accessible to the Controller through the management dashboard;
- Kiavi maintains structured application logs and error monitoring for the purpose of operating the Service.
Ability to restore availability and access (Art. 32(1)(c))
- Per-tenant databases benefit from automated backups provided by the Scaleway database platform within the EEA;
- Infrastructure is defined as code and deployments are reproducible;
- Restoration procedures are tested as part of the operational lifecycle.
Process for testing and evaluating effectiveness (Art. 32(1)(d))
- Code changes are reviewed and pass automated checks (format, lint, type checks, and tests, including end-to-end tests) before deployment;
- Security review is part of the change-management process for changes affecting authentication, identity, or data handling;
- Vulnerability reports may be submitted to security@kiavi.eu and are triaged within one business day;
- Kiavi is at the start of its formal certification journey for ISO 27001 and SOC 2 Type II; the underlying controls are already in place.
Identity, access, and personnel measures
- Production access requires authenticated Scaleway IAM identities provisioned per tenant;
- Personnel access to Personal Data is granted on a need-to-know basis, logged, and reviewed periodically;
- Personnel are bound by written confidentiality obligations and security training appropriate to their role.
Incident response
- Kiavi maintains an internal incident response process covering detection, containment, eradication, recovery, and notification;
- Personal Data breaches are notified to the Controller in accordance with section 9 of this DPA.
Annex 3: Subprocessors
The current list of authorised Subprocessors, including the location of processing and the purpose of each engagement, is published on the subprocessors page and is incorporated into this DPA by reference. The list is updated in accordance with section 6.
Annex 4: International data transfers
At the Effective Date, Kiavi processes Personal Data exclusively within the EEA and no transfers to third countries take place. If, at any future date, a transfer of Personal Data to a third country becomes necessary for the provision of the Service, the Parties agree that the EU SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference, with:
- the Controller acting as data exporter and Kiavi (or the relevant Subprocessor) acting as data importer;
- Clause 7 (docking clause) applicable;
- Clause 9(a) Option 2 (general written authorisation), with the notice period specified in section 6 of this DPA;
- Clause 11 optional language (independent dispute resolution body) not included;
- Clause 17 governed by the law of the Member State identified in the Agreement (or, if none, by the laws of the Netherlands);
- Clause 18 jurisdiction in the courts of the Member State identified in the Agreement (or, if none, in the courts of Amsterdam, the Netherlands);
- Annexes I, II, and III of the EU SCCs populated by Annex 1, Annex 2, and Annex 3 of this DPA respectively.
Where applicable, Kiavi will, in addition, perform a transfer impact assessment and implement supplementary measures (technical, contractual, or organisational) to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.