Data Processing Agreement
Last updated: 2026-04-21 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the Service Agreement between the Customer ("Controller") and KAK Digital LLC ("Processor"), and governs the Processor's processing of personal data on behalf of the Controller. It is drafted to satisfy Article 28 of the GDPR, the equivalent provisions of the UK GDPR, and the Digital Personal Data Protection Act, 2023 (India).
1. Scope
Processor provides the Customer with one or more of: (a) KAK Cortex visitor intelligence and Meta CAPI integration; (b) custom AI engineering services; (c) Meta ad management; and (d) Shopify development and optimization (the "Services"). In the course of providing the Services, Processor may process personal data on behalf of the Controller (the Customer's end visitors and customers).
2. Processing details
- Subject-matter: Visitor behavior signals, order events, and ad-optimization metadata for the purpose of the Services.
- Duration: For the term of the Service Agreement, plus up to 30 days post-termination for deletion and export.
- Nature and purpose: Collection, aggregation, scoring, and transmission of event signals to Meta Marketing API (CAPI) for the Controller's ad-optimization purposes.
- Categories of data: IP address (hashed), visitor UUID, user-agent, device metadata, page URLs, scroll/click events, product IDs, order IDs, hashed email (for matching quality), hashed phone (when present).
- Categories of data subjects: End visitors of the Controller's Shopify store(s).
3. Processor obligations
The Processor shall:
- (a) process personal data only on documented instructions from the Controller, including transfers outside the EEA/UK/India, unless required by Union, Member State, or Indian law;
- (b) ensure persons authorized to process the personal data are under a duty of confidentiality;
- (c) implement the technical and organizational security measures described in Annex II (AES-256 at rest, TLS 1.3 in transit, per-tenant isolation, role-based access, full audit log, encrypted at-rest tokens, Supabase RLS on all tables);
- (d) not engage sub-processors without the Controller's prior written authorization (email is sufficient) — the current list is maintained at kakdigital.com/subprocessors;
- (e) assist the Controller with responding to data subject requests (access, erasure, rectification, portability) within 30 days;
- (f) notify the Controller without undue delay (within 48 hours) of becoming aware of a personal data breach;
- (g) delete or return all personal data after the end of the provision of Services, unless retention is required by law;
- (h) make available to the Controller all information necessary to demonstrate compliance.
4. International transfers
Where personal data is transferred from the EEA/UK to a third country, the parties rely on the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and, for UK transfers, the UK International Data Transfer Addendum, both deemed incorporated into this DPA by reference. For Indian data, the Processor complies with the DPDP Act's significant data fiduciary rules when applicable.
5. Sub-processors
A live list of all active sub-processors with their processing locations, purposes, and certifications is maintained at kakdigital.com/subprocessors. Controllers may object to new sub-processors within 15 days of notification.
6. Audit rights
The Controller may audit the Processor's compliance with this DPA once per calendar year upon 30 days' prior written notice. Audits are conducted remotely and at the Controller's expense. The Processor shall respond to reasonable written questionnaires within 30 days.
7. Liability
Each party's liability under this DPA is subject to the limitations of liability in the underlying Service Agreement, except that liability shall not be limited for breaches of Articles 82-84 GDPR.
8. Signing
This DPA is deemed accepted when the Controller executes the Service Agreement. A signed counterpart is available on request from privacy@kakdigital.com.
Annex I — Data Subject Categories and Data Categories
See Section 2 above.
Annex II — Technical and Organizational Measures
- Encryption at rest (AES-256 via Supabase + AES-256-CBC for sensitive tokens at application layer)
- Encryption in transit (TLS 1.3 minimum)
- Per-tenant database isolation (each Cortex tenant gets its own Supabase project)
- Row-Level Security on all tables (enforced at database level)
- Role-based access control with principle of least privilege
- Audit logging of all admin actions
- Pseudonymization via hashed identifiers (SHA-256) where raw PII would be unnecessary
- Automated backup + point-in-time restore
- Incident response plan with 48h notification SLA
- Annual access review
Contact
DPA questions: privacy@kakdigital.com
KAK Digital LLC · 30 N Gould St., Sheridan, WY 82801, USA