Legal
Data Processing Addendum
The standard DPA governing how Kosansh processes personal data on behalf of client controllers.
Last reviewed: June 2026. This document is written in plain language. If something is not clear, use the Contact form and choose Security and privacy.
Policy content
Purpose of this addendum
This Data Processing Addendum governs the processing of personal data by Kosansh on behalf of clients who are data controllers. It supplements the applicable services agreement. In cases of conflict, this DPA takes precedence for matters related to personal data processing.
Roles and responsibilities
The client is the data controller. Kosansh is the data processor. Kosansh processes personal data only on documented instructions from the client. Kosansh will inform the client if it believes an instruction would violate applicable data protection law.
Processing purposes
Kosansh processes personal data only for the purposes described in the applicable services agreement and the client instructions provided under it. Kosansh does not use client personal data for its own purposes or share it with third parties except as required to deliver the services.
Security measures
Kosansh implements appropriate technical and organizational security measures including encryption at rest, transport security, access controls, logging, and regular security reviews. Measures are described in the security overview available through the Contact form.
Sub-processors
Kosansh may engage sub-processors to assist with service delivery. A current list is published on the Subprocessors page. Kosansh will notify clients of changes to sub-processors and provide a reasonable objection period.
Data subject rights
Kosansh will assist clients in fulfilling data subject rights requests including access, correction, deletion, and portability to the extent technically feasible and within the scope of the processing described in the services agreement.
Data retention and deletion
Kosansh retains personal data for the period specified in the services agreement or as required by law. Upon termination of the services agreement, Kosansh will delete or return personal data within the agreed timeline unless retention is required by law.
Audit rights
Clients have the right to audit Kosansh compliance with this DPA on reasonable notice and at their own cost. Kosansh will provide information and cooperation necessary to demonstrate compliance. Audit results are treated as confidential.
How to request the DPA
Enterprise clients requiring a signed DPA should use the Contact form and choose Security and privacy. We will provide the standard DPA document and arrange for execution as part of the services agreement process.
Other legal documents
Privacy Policy
How we collect and use your personal data.
Terms of Use
How you may use this site and its services.
Cookie Policy
What cookies we use and how to manage them.
DPA
Data processing addendum for enterprise clients.
Subprocessors
Third parties we use to process data.
Acceptable Use
Permitted and prohibited uses of our services.