Data Processing Agreement
Katharos Technologies, Inc.
Last Updated: March 6, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Katharos Technologies, Inc. ("Katharos," "Processor," "we," or "us") and the entity agreeing to these terms ("Customer," "Controller," or "you") for the provision of the Katharos platform and services (the "Agreement").
This DPA applies to the extent Katharos processes Personal Data on behalf of Customer in connection with the Services.
1. Definitions
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any implementing or supplementary legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that Katharos processes on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Sub-processor" means any third party engaged by Katharos to process Personal Data on behalf of Customer.
"Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of, Personal Data.
"Services" means the Katharos platform and any related services provided under the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
2. Scope and Roles
2.1 Roles of the Parties
- Customer is the Controller of Personal Data and determines the purposes and means of Processing.
- Katharos is the Processor and processes Personal Data on behalf of Customer in accordance with Customer's documented instructions.
2.2 Scope of Processing
Katharos will process Personal Data solely:
- To provide the Services as described in the Agreement
- In accordance with Customer's documented instructions
- As required by applicable law
2.3 Categories of Data
| Category | Examples |
|---|---|
| Account Data | Customer user email addresses, names, company names |
| Screening Data | Entity names, individual names, addresses, dates of birth, nationality, identification numbers |
| Document Data | Contents of documents uploaded by Customer |
| Query Data | Search queries, chat messages, investigation notes |
2.4 Data Subjects
Data Subjects may include:
- Customer's employees and users
- Individuals screened by Customer through the Services
- Individuals mentioned in documents uploaded by Customer
2.5 Duration
Processing will continue for the duration of the Agreement plus any retention period specified herein or required by law.
3. Customer Obligations
3.1 Lawful Basis
Customer represents and warrants that:
- It has a lawful basis for Processing Personal Data through the Services
- It has provided all required notices and obtained all required consents
- The Personal Data was collected in compliance with Data Protection Laws
3.2 Instructions
Customer will provide documented instructions for Processing. The Agreement, this DPA, and Customer's use of the Services constitute Customer's complete instructions, unless Customer provides additional written instructions.
3.3 Compliance
Customer is responsible for ensuring that its use of the Services complies with Data Protection Laws and does not cause Katharos to violate any applicable law.
4. Katharos Obligations
4.1 Processing Limitations
Katharos will:
- Process Personal Data only in accordance with Customer's documented instructions
- Not process Personal Data for any purpose other than providing the Services
- Inform Customer if, in Katharos's opinion, an instruction violates Data Protection Laws
4.2 Confidentiality
Katharos will:
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Not disclose Personal Data to third parties except as permitted by this DPA or required by law
4.3 Security Measures
Katharos will implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
Technical Measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Logging and monitoring of access to Personal Data
Organizational Measures
- Security policies and procedures
- Employee training on data protection
- Incident response procedures
- Regular security reviews
A detailed description of security measures is available at https://katharos.co/security.
4.4 Sub-processors
4.4.1 Authorization
Customer grants Katharos general authorization to engage Sub-processors to process Personal Data, subject to the requirements of this Section 4.4.
4.4.2 Current Sub-processors
The following Sub-processors are authorized as of the Effective Date:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI processing (Claude) | United States |
| Supabase, Inc. | Database hosting | United States |
| Pinecone Systems, Inc. | Vector database | United States |
| Vercel, Inc. | Application hosting | United States |
| Stripe, Inc. | Payment processing | United States |
| PostHog, Inc. | Product analytics | United States |
4.4.3 New Sub-processors
Katharos will:
- Maintain a list of Sub-processors at https://katharos.co/subprocessors
- Notify Customer of any intended changes to Sub-processors at least 14 days in advance
- Provide Customer an opportunity to object to new Sub-processors
If Customer objects on reasonable data protection grounds, the parties will discuss the concerns in good faith. If the parties cannot reach resolution, Customer may terminate the affected Services.
4.4.4 Sub-processor Obligations
Katharos will:
- Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
- Remain liable for Sub-processors' compliance with this DPA
4.5 Data Subject Rights
Katharos will:
- Promptly notify Customer of any Data Subject request received directly
- Assist Customer in responding to Data Subject requests, to the extent legally permitted and technically feasible
- Not respond directly to Data Subject requests except to direct them to Customer, unless legally required
4.6 Data Protection Impact Assessments
Upon Customer's request, Katharos will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Data Protection Laws and relating to the Services.
4.7 Audit Rights
Katharos will:
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits and inspections conducted by Customer or a third-party auditor mandated by Customer, subject to:
  - Reasonable advance notice (at least 30 days)
  - Confidentiality obligations
  - Reasonable scope and timing
  - Customer bearing audit costs
Katharos may satisfy audit requirements by providing:
- Third-party audit reports (e.g., SOC 2 Type II)
- Responses to security questionnaires
- Other documentation demonstrating compliance
5. Security Incidents
5.1 Notification
Katharos will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data.
5.2 Notification Contents
Notification will include, to the extent known:
- Nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
5.3 Cooperation
Katharos will:
- Cooperate with Customer's investigation of the Security Incident
- Take reasonable steps to mitigate the effects
- Assist Customer in meeting its notification obligations under Data Protection Laws
5.4 Limitations
Notification of a Security Incident does not constitute acknowledgment of fault or liability.
6. International Transfers
6.1 Transfer Mechanisms
To the extent Personal Data is transferred from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection:
- Standard Contractual Clauses: The SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply to such transfers.
- UK Addendum: For UK transfers, the UK Addendum to the SCCs applies.
- Swiss Addendum: For Swiss transfers, the Swiss modifications to the SCCs apply.
6.2 SCC Module Selection
For purposes of the SCCs:
- Module Two (Controller to Processor) applies when Customer is a Controller and Katharos is a Processor
- Module Three (Processor to Processor) applies when Customer is a Processor and Katharos is a Sub-processor
6.3 SCC Details
| Clause | Selection |
|---|---|
| Clause 7 (Docking clause) | Does not apply |
| Clause 9 (Use of sub-processors) | Option 2 (General authorization) |
| Clause 11 (Redress) | Optional language does not apply |
| Clause 17 (Governing law) | Laws of Ireland |
| Clause 18 (Forum) | Courts of Ireland |
6.4 Supplementary Measures
Katharos implements the following supplementary measures to protect transferred data:
- Encryption in transit and at rest
- Access controls and authentication
- Data minimization
- Regular security assessments
7. Data Retention and Deletion
7.1 Retention
Katharos will retain Personal Data for the duration of the Agreement, unless:
- Customer instructs earlier deletion
- Longer retention is required by applicable law
7.2 Deletion
Upon termination of the Agreement or upon Customer's request, Katharos will:
- Delete or return Personal Data to Customer within 30 days
- Delete existing copies, unless retention is required by law
7.3 Certification
Upon Customer's request, Katharos will certify in writing that it has complied with deletion obligations.
7.4 Exceptions
Katharos may retain Personal Data to the extent required by applicable law, provided that:
- Retention is limited to what is legally required
- Personal Data remains protected in accordance with this DPA
- Customer is informed of the retention requirement (to the extent permitted by law)
8. CCPA Provisions
To the extent the CCPA applies to Processing:
8.1 Katharos as Service Provider
Katharos is a "Service Provider" as defined in the CCPA. Katharos will:
- Process Personal Information only for the business purposes specified in the Agreement
- Not sell Personal Information
- Not retain, use, or disclose Personal Information for purposes other than providing the Services
- Not retain, use, or disclose Personal Information outside the direct business relationship with Customer
8.2 Certification
Katharos certifies that it understands the restrictions in this Section 8 and will comply with them.
8.3 Consumer Rights
Katharos will assist Customer in responding to verifiable consumer requests under the CCPA, including requests to know, delete, and opt-out.
9. Liability
9.1 Liability Cap
The total liability of each party arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.
9.2 Indemnification
Each party will indemnify the other for damages arising from its breach of this DPA, subject to the limitations in the Agreement.
10. General Provisions
10.1 Conflict
In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to data protection matters.
10.2 Amendments
This DPA may be amended only by written agreement signed by both parties, except that Katharos may update the list of Sub-processors as provided in Section 4.4.
10.3 Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions will remain in full force and effect.
10.4 Governing Law
This DPA is governed by the laws specified in the Agreement, except that the SCCs are governed as specified therein.
11. Contact
Data Protection Inquiries: patrick@katharos.co
Legal Inquiries: patrick@katharos.co
Security Inquiries: patrick@katharos.co