Data Processing Agreement
Last updated: May 10, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Kartio ("Processor") and the Customer ("Controller"). It governs the processing of personal data by Kartio on behalf of the Customer.
2. Roles and Responsibilities
2.1 Controller
The Customer (merchant or agency) is the data controller for end-user personal data processed through the Service.
2.2 Processor
Kartio acts as a data processor, processing personal data only on documented instructions from the Controller.
3. Sub-processors
Kartio uses sub-processors to provide the Service. See our Sub-processors page for the current list. We will inform the Controller of any changes to sub-processors.
4. Security Measures
Kartio implements appropriate technical and organizational measures:
- Encryption in transit (TLS 1.2+)
- Encryption at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
5. Data Subject Rights
Kartio will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) as required by applicable data protection law.
6. Breach Notification
Kartio will notify the Controller without undue delay (and in any case within 72 hours) upon becoming aware of a personal data breach.
7. Data Deletion and Return
Upon termination of services, Kartio will delete or return all personal data to the Controller, except where retention is required by law.
8. Audit Rights
The Controller has the right to audit Kartio's compliance with this DPA. Audits will be conducted at reasonable intervals and with reasonable notice.
9. International Transfers
Where personal data is transferred outside the EEA, Kartio uses Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework to ensure adequate protection.
10. Contact
For DPA-related inquiries, contact: privacy@kartio.ai