Data Processing Agreement

The processor agreement that governs how Koji handles personal data on your behalf. Aligned with GDPR Article 28 and incorporates the European Commission's 2021 Standard Contractual Clauses for international transfers.

Last updated: May 2026
Applies to: Enterprise customers signing with Koji B.V.
How to sign: The standard Koji DPA is available as a PDF pre-signed by Koji B.V. Email [email protected] with your company name and we'll send a counter-signature copy within one business day. Customers on an enterprise contract have the DPA attached as a schedule to the Master Subscription Agreement.

1. Roles under GDPR

Under Article 4 of the GDPR, you are the controller of the personal data you upload to or generate through the Koji platform. You determine the purposes for which the data is processed (the research questions you ask, the audiences you target, the reports you generate) and the means by which it is processed (the configuration you choose).

Koji B.V. acts exclusively as a processor. Koji processes personal data only on your documented instructions, as recorded in this DPA and in the configuration of the platform. Koji does not determine the purposes of processing, does not combine your data with that of other customers, and does not use your data for any purpose beyond delivering the contracted service.

2. Subject matter, nature, and duration

  • Subject matter. The delivery of the Koji AI-moderated customer-research platform under the Master Subscription Agreement between the parties.
  • Nature and purpose. Collection, storage, structured analysis, and presentation of customer interview data for the purpose of producing research insights for the controller.
  • Duration. For the term of the underlying subscription, plus any defined retention period after termination.

3. Categories of data subjects and personal data

The categories of data subjects whose personal data is processed depend on how the controller uses the platform. Typical categories include:

  • End customers and prospects of the controller (interview respondents)
  • Employees and contractors of the controller (platform users)
  • Members of professional panels invited to participate in research

The categories of personal data processed typically include:

  • Identifiers (name, email, contact details) provided by the controller or supplied during participant intake
  • Audio recordings and transcripts of interview conversations
  • Responses to structured and open-ended questions
  • Optional demographic information collected via intake forms
  • Technical data generated during platform use (device, IP, session)

The platform is not intended for the processing of special categories of personal data under Article 9 GDPR unless explicitly configured for that purpose by the controller, with appropriate safeguards.

4. Controller instructions

Koji processes personal data only on the documented instructions of the controller. The combination of (a) this DPA, (b) the Master Subscription Agreement, and (c) the controller's use and configuration of the platform constitutes the controller's complete and final instruction. Koji will not process personal data for any other purpose unless required to do so by EU or member state law, in which case Koji will inform the controller before processing, unless that law prohibits such notification on important grounds of public interest.

5. Confidentiality

Koji ensures that all personnel authorized to process personal data are bound by appropriate confidentiality obligations, either by written agreement or by statutory duty.

6. Security of processing (Article 32)

Koji implements and maintains the technical and organizational measures described in our Technical & Organizational Measures document. These measures are reviewed at least annually and updated as the threat landscape evolves. Highlights:

  • AES-256 encryption at rest, TLS 1.2 or higher in transit
  • Isolated databases per enterprise client
  • Role-based access control and multi-factor authentication for all Koji personnel
  • Comprehensive audit logging of administrative actions
  • Annual third-party penetration testing
  • Customer-configurable data retention with deletion within fifteen days of a verified request

7. Sub-processors

The controller provides general written authorization for Koji to engage the sub-processors listed in our sub-processor register. Koji enters into a written agreement with each sub-processor that imposes data-protection obligations no less protective than this DPA. Koji remains fully liable to the controller for the performance of each sub-processor's obligations.

Koji notifies the controller of any addition or replacement of sub-processors at least thirty days before the change takes effect. Controllers can subscribe to notifications on the sub-processor page. If the controller objects to a proposed change on reasonable data-protection grounds within the notice period, the parties will work in good faith to find a resolution; failing that, the controller may terminate the affected services without penalty.

8. Data subject rights

Koji provides functionality within the platform and operational support to enable the controller to respond to data subject requests under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Where Koji receives a data subject request directed at controller data, Koji will forward the request to the controller without responding to it directly.

9. Assistance to the controller

Taking into account the nature of the processing and the information available to Koji, Koji assists the controller with compliance obligations under Articles 32 to 36 GDPR, including security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

10. Personal data breach notification

Koji notifies the controller without undue delay, and in any event within seventy-two hours of becoming aware of a personal data breach affecting the controller's data. The notification includes the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

11. End of processing

Upon termination or expiry of the underlying subscription, and at the choice of the controller, Koji deletes or returns all personal data to the controller and deletes existing copies, unless EU or member-state law requires storage of the personal data. Default post-termination deletion occurs within thirty days; controllers can request earlier deletion in writing.

12. Audits and inspections

Koji makes available to the controller all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice (at least thirty days), no more than once per year (or more often if required by a supervisory authority or after a breach), the controller may conduct an audit, either by itself or through a mutually agreed independent third-party auditor. Audits are conducted during business hours, do not unreasonably interfere with Koji's operations, and respect the confidentiality of other customers and of Koji's own commercially sensitive information.

Koji satisfies its audit obligations primarily by providing the most recent independent attestation reports (such as the SOC 2 Type II report once available) and answers to standard security questionnaires (CAIQ Lite, SIG Lite).

13. International data transfers

Where the controller selects EU data residency, personal data is stored and processed in the European Union. Where Koji needs to transfer personal data to a country outside the European Economic Area that has not received an adequacy decision from the European Commission, the parties agree to the European Commission's Standard Contractual Clauses (Module Two: controller to processor) as adopted in Commission Implementing Decision (EU) 2021/914, incorporated by reference into this DPA. Where the controller selects US data residency, personal data may be transferred to the United States; for transfers of EU personal data to a US entity, the same SCCs apply.

Where applicable, Koji has completed and makes available a Transfer Impact Assessment documenting the safeguards in place and the local-law analysis for relevant destination countries.

14. Term and conflicts

This DPA is effective for the duration of the underlying subscription. In the event of any conflict between this DPA and the Master Subscription Agreement with respect to data protection, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.

15. Get a signed copy

Email [email protected] with your company name and the entity that will be the controller. We send back a counter-signed PDF within one business day. If your legal team requires the DPA on your paper rather than ours, we accept reasonable counter-proposals as part of enterprise contract negotiation.

Questions about this document? Contact compliance.