Data Processing Agreement
Kind Robots LLC
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between:
- Data Controller (“Customer”): The entity that has agreed to the Terms of Service for use of the Kind Robots platform
- Data Processor (“Kind Robots”): Kind Robots LLC, an Indiana limited liability company
This DPA sets out the terms governing Kind Robots' processing of personal data on behalf of the Customer in connection with the Platform.
2. Definitions
Terms not defined herein have the meanings given in the Agreement, GDPR (Regulation (EU) 2016/679), or CCPA (Cal. Civ. Code 1798.100 et seq.) as applicable.
- “Personal Data”: Any information relating to an identified or identifiable natural person processed by Kind Robots on behalf of the Customer through the Platform.
- “Processing”: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Subprocessor”: A third party engaged by Kind Robots to process Personal Data on behalf of the Customer.
- “Data Subject”: The identified or identifiable natural person to whom the Personal Data relates.
- “Standard Contractual Clauses” (“SCCs”): The contractual clauses approved by the European Commission for the transfer of personal data to third countries.
3. Scope and Duration
3.1 Subject Matter
Kind Robots processes Personal Data to provide the Platform and Services as described in the Agreement.
3.2 Duration
This DPA is effective for the duration of the Agreement and continues until all Personal Data is deleted or returned in accordance with this DPA.
3.3 Nature and Purpose of Processing
Kind Robots processes Personal Data for the following purposes:
- Providing and operating the Platform
- Authenticating Users and managing access
- Processing and delivering AI Agent interactions
- Transmitting data to Customer-selected LLM providers under the BYOK model
- Generating usage analytics (aggregated and anonymized where possible)
- Providing customer support
- Billing and subscription management
4. Types of Personal Data
Kind Robots may process the following categories of Personal Data on behalf of the Customer:
| Category | Examples |
|---|---|
| Identity data | Names, email addresses, user IDs |
| Contact data | Email addresses, organization information |
| Usage data | Chat session content, Agent interaction logs, API request metadata |
| Technical data | IP addresses, browser information, device identifiers |
| Billing data | Billing name and address, subscription information (payment details processed by Stripe) |
5. Categories of Data Subjects
- Customer's employees and team members (Platform Users)
- Customer's end-users who interact with embedded AI Agents
- Individuals whose data may be included in chat conversations or API responses
6. Customer Instructions
6.1 Processing Instructions
Kind Robots will process Personal Data only in accordance with:
- The documented instructions of the Customer
- The Agreement and this DPA
- Applicable data protection laws
6.2 Additional Instructions
If the Customer provides processing instructions beyond the scope of the Agreement, Kind Robots will inform the Customer if, in its opinion, such instructions infringe applicable data protection law.
6.3 BYOK Instructions
By configuring LLM provider API keys and Agent settings, the Customer instructs Kind Robots to transmit relevant interaction data to the Customer's selected LLM providers. The Customer acknowledges that data sent to LLM providers is subject to each provider's terms and data practices.
7. Kind Robots Obligations
Kind Robots shall:
- Process Personal Data only on documented instructions from the Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 10)
- Assist the Customer in responding to Data Subject rights requests
- Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all Personal Data upon termination of the Agreement, at the Customer's choice (subject to Section 12)
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
8. Subprocessors
8.1 Authorized Subprocessors
The Customer authorizes Kind Robots to engage the following Subprocessors:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Authentication, database hosting | Account data, auth tokens, platform data | United States |
| Vercel | Application hosting and delivery | Technical data, request/response data | Global (edge network) |
| Stripe | Payment processing | Billing information | United States |
| Resend | Transactional email delivery | Email addresses, message content | United States |
8.2 LLM Providers (Customer-Selected)
Under the BYOK model, the following LLM providers may process data as directed by the Customer:
| Provider | Purpose | Data Sent | Location |
|---|---|---|---|
| OpenAI | LLM inference | Prompts, conversation context | United States |
| Anthropic | LLM inference | Prompts, conversation context | United States |
| Google (Generative AI) | LLM inference | Prompts, conversation context | United States / Global |
| Custom providers | LLM inference | Prompts, conversation context | Varies |
The Customer selects which LLM provider(s) to use and is responsible for evaluating each provider's data processing practices. Kind Robots does not control which provider the Customer selects.
8.3 Subprocessor Changes
Kind Robots will notify the Customer at least thirty (30) days before engaging a new Subprocessor or replacing an existing one by:
- Sending notification to the email address associated with the Customer's account
- Updating the Subprocessor list in this DPA
8.4 Objection to Subprocessors
If the Customer reasonably objects to a new Subprocessor on data protection grounds:
- The Customer must notify Kind Robots in writing within fourteen (14) days of receiving notification
- Kind Robots will make reasonable efforts to provide an alternative or accommodate the objection
- If no resolution is reached, the Customer may terminate the affected Services without penalty
8.5 Subprocessor Obligations
Kind Robots will ensure that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.
9. Data Subject Rights
9.1 Assistance
Kind Robots will assist the Customer in fulfilling its obligations to respond to Data Subject requests, including requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Data portability
- Restriction of processing
- Objection to processing
9.2 Direct Requests
If Kind Robots receives a request from a Data Subject directly, Kind Robots will promptly redirect the Data Subject to the Customer, unless legally required to respond directly.
9.3 Costs
If Data Subject rights requests require significant effort beyond standard Platform functionality, Kind Robots may charge a reasonable fee for assistance based on administrative costs.
10. Security Measures
Kind Robots implements the following technical and organizational measures to protect Personal Data:
10.1 Technical Measures
- Encryption at rest: AES-256-GCM encryption for sensitive data (LLM API keys); database-level encryption via Supabase
- Encryption in transit: TLS 1.2+ for all data transmission
- Access controls: JWT-based authentication, role-based access control, organization-level data isolation
- Input validation: Parameterized queries, input sanitization, SSRF protection
- Rate limiting: Per-endpoint and per-project rate limits
- CORS controls: Per-project origin restrictions for embedded widgets
- Log sanitization: Automatic redaction of sensitive data from logs and error messages
10.2 Organizational Measures
- Principle of least privilege for internal access
- Code review for all changes
- Regular security assessments
- Incident response procedures
- Confidentiality obligations for all personnel
11. Data Breach Notification
11.1 Notification Timeline
In the event of a Personal Data breach, Kind Robots will:
- Notify the Customer without undue delay and no later than seventy-two (72) hours after becoming aware of the breach
11.2 Notification Content
The breach notification will include, to the extent available:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of Kind Robots' point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
11.3 Customer Obligations
The Customer is responsible for:
- Fulfilling any notification obligations to Data Subjects and supervisory authorities under applicable law
- Determining whether the breach triggers regulatory notification requirements based on the data involved
12. Data Return and Deletion
12.1 Upon Termination
Upon termination of the Agreement:
- Kind Robots will retain Customer data for thirty (30) days to allow for data export
- After the 30-day retention period, Kind Robots will delete all Personal Data from active systems
- Backup copies will be deleted in accordance with standard backup rotation schedules, not to exceed ninety (90) days
12.2 Data Export
During the retention period, the Customer may export their data through:
- The Platform's admin dashboard (self-service export)
- Request to Kind Robots support for assisted export
12.3 Deletion Confirmation
Upon request, Kind Robots will provide written confirmation that Personal Data has been deleted.
12.4 Exceptions
Kind Robots may retain Personal Data after termination if required by applicable law (e.g., billing records for tax compliance), in which case the data will be protected in accordance with this DPA and processed only for the legally required purpose.
13. Audit Rights
13.1 Information Requests
Kind Robots will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
13.2 Audits
The Customer may conduct audits (or engage a qualified third-party auditor subject to confidentiality obligations) to verify Kind Robots' compliance with this DPA, subject to:
- Reasonable advance notice of at least thirty (30) days
- Audits conducted during normal business hours
- No more than one (1) audit per year (unless a data breach has occurred or a supervisory authority requires an audit)
- The Customer bears the cost of the audit
13.3 Compliance Certifications
Kind Robots may satisfy audit requirements by providing relevant compliance certifications, audit reports, or third-party attestations, where available.
14. Cross-Border Transfers
14.1 Transfer Mechanisms
For transfers of Personal Data from the EU/EEA to the United States or other third countries, Kind Robots relies on:
- The EU-US Data Privacy Framework (where applicable and certified)
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
- Other approved transfer mechanisms as applicable
14.2 SCCs
Where SCCs are relied upon:
- The SCCs are incorporated into this DPA by reference
- Kind Robots will comply with all obligations of the “data importer” under the SCCs
- In the event of conflict between this DPA and the SCCs, the SCCs prevail
14.3 Transfer Impact Assessments
Kind Robots will cooperate with the Customer in conducting transfer impact assessments where required and will implement supplementary measures as necessary to ensure an adequate level of data protection.
15. CCPA Addendum
For Customers subject to the California Consumer Privacy Act:
15.1 Service Provider Designation
Kind Robots is designated as a “Service Provider” under the CCPA. Kind Robots:
- Processes Personal Information only for the business purposes specified in the Agreement
- Does not sell Personal Information
- Does not retain, use, or disclose Personal Information for any purpose other than providing the Services
- Does not combine Personal Information received from the Customer with Personal Information from other sources (except as permitted by the CCPA)
15.2 Compliance Certification
Kind Robots certifies that it understands and will comply with the restrictions set forth in this CCPA Addendum.
15.3 CCPA Rights Assistance
Kind Robots will assist the Customer in responding to consumer rights requests under the CCPA, including requests to know, delete, and opt out.
16. General Provisions
16.1 Governing Law
This DPA is governed by the laws of the State of Indiana, United States, except where mandatory data protection laws (such as GDPR) require otherwise.
16.2 Conflict
In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
16.3 Amendments
This DPA may be amended by Kind Robots to reflect changes in applicable data protection laws, provided that such amendments do not materially reduce the level of data protection afforded to Personal Data.
17. Contact
For questions about this DPA or data processing inquiries:
Kind Robots LLC
Data Protection Contact: privacy@kindrobots.ai
Website: kindrobots.ai
See also our Terms of Service and Privacy Policy.