Legal
Data Processing Addendum
Last updated 2026-06-29
Data Processing Addendum (DPA)
Effective date: 2026-06-29
This page describes our approach to data processing agreements for business customers who need a signed DPA for GDPR, UK GDPR, or similar data-protection regulation compliance.
For most users: our Privacy Policy describes everything Kalmantic does with your data. You don't need a separate DPA. The Privacy Policy covers lawful basis, retention, subprocessors, your rights, international transfers, and security measures.
For business customers processing personal data of EU/UK/Swiss data subjects: contact legal@kalmantic.com for a Kalmantic-issued DPA. We can sign yours if it doesn't materially conflict with our Terms of Service and Privacy Policy, or you can countersign ours.
What our DPA covers
When signed, our DPA includes:
- Standard Contractual Clauses (EU 2021/914) for transfers from the EEA to non-adequate countries
- The UK Addendum to the SCCs (for UK GDPR)
- A list of subprocessors with contact information
- Security measures we apply (TLS in transit, encryption at rest, key hashing, principle of least privilege, breach notification within 72 hours)
- Customer audit rights — you can request an audit summary annually
- Subprocessor notification — 30 days' advance notice before we add or change a material subprocessor
- Data subject request handling — we will assist your fulfillment of GDPR Articles 15-22 requests within reasonable time
Subprocessors we use
Current as of 2026-06-29. Notification of additions or changes will go to your account contact email at least 30 days in advance.
| Subprocessor | Service | Data processed | Region |
|---|---|---|---|
| Cloudflare / Vercel | DNS, CDN, hosting, edge compute | Request metadata, content (transit + storage) | Global edge |
| Google / Microsoft / Firebase | Authentication | Email, display name, UID | US / global |
| Paddle, Lemon Squeezy | Payment processing (merchant of record — handles VAT/GST/sales-tax remittance globally) | Billing data, billing address (collected by them, not us) | Global |
| Resend | Transactional email | Recipient email + message body | US, EU |
Product-specific providers
Some Kalmantic products (for example, inference products) route requests to third-party providers such as large-language-model providers. The set of providers a given product may route to is disclosed in that product's own documentation and is subject to the same 30-day notification for material additions. Customers needing data residency or provider-pinning can scope a custom arrangement — email legal@kalmantic.com.
How to request a DPA
Email legal@kalmantic.com with:
- Your legal entity name and registered address
- The jurisdiction(s) of the data subjects whose personal data you'll process via Kalmantic
- Whether you need our standard DPA, the UK Addendum, the Swiss adaptation, or all three
- Any custom terms you need
We aim to return a signed DPA within 5 business days for standard requests.
Contact
- legal@kalmantic.com — DPA requests, subprocessor notifications, audit requests
- privacy@kalmantic.com — data subject requests (access, deletion, portability)
- security@kalmantic.com — security incident reports
Kalmantic Inc operates the Kalmantic website and products. This page was last updated on 2026-06-29.