This Data Processing Agreement ("DPA") supplements the Kosuke Pentest Service Agreement (the "Agreement") between Kosuke, Inc. ("Kosuke", "Processor") and the customer identified in the Service Order ("Customer", "Controller"). It governs any processing of personal data subject to the EU GDPR, UK GDPR, or Swiss FADP that may occur during the services. In case of conflict between this DPA and the Agreement on data protection matters, this DPA prevails.
1. Definitions
Capitalized terms have the meanings given in the Agreement or the GDPR. In addition:
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Kosuke on behalf of Customer under the Agreement.
- "Processing" means any operation performed on Personal Data, including access, collection, storage, use, disclosure, or destruction.
- "Sub-processor" means any third party engaged by Kosuke to process Personal Data on behalf of Customer.
- "Data Protection Laws" means the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and the UK Data Protection Act 2018, and the Swiss FADP, as applicable.
- "SCC" means the Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914.
2. Scope and nature of processing
2.1 Nature of the processing
Personal Data may be incidentally accessed during penetration testing solely to the extent strictly necessary to validate vulnerabilities and document findings. Kosuke does not exfiltrate, store, or transfer Personal Data beyond this minimum. The processing is incidental and limited to the testing window.
2.2 Categories of data subjects
- Customer's end users (where their data is accessible via tested systems)
- Customer's employees (where their accounts are tested)
- Other categories identified in the Service Order
2.3 Types of Personal Data
Depending on the Target Systems, processing may incidentally involve identification data (name, email), account credentials (usernames, hashed passwords), and technical and usage data (logs, IP addresses and other online identifiers). Kosuke will not process special categories of Personal Data (Article 9 GDPR) unless expressly authorized by Customer in writing.
2.4 Duration
Processing occurs only during the testing window specified in the Service Order. Any Personal Data accessed is returned or destroyed in accordance with Section 7 below.
3. Kosuke's obligations as Processor
Kosuke shall:
- Process Personal Data only on Customer's documented instructions, as set forth in the Agreement, this DPA, and the Service Order;
- Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures as set forth in Annex A;
- Engage Sub-processors only in accordance with Section 4;
- Provide reasonable assistance to Customer for data subject requests (Articles 12–22 GDPR);
- Provide reasonable assistance to Customer for security obligations, breach notification, and data protection impact assessments (Articles 32–36 GDPR);
- Delete or return Personal Data upon termination as set forth in Section 7;
- Make available information necessary to demonstrate compliance, including supporting reasonable audits per Section 6;
- Apply data minimization: access Personal Data only to the strict minimum necessary to validate vulnerabilities.
4. Sub-processors
Customer grants Kosuke general authorization to engage Sub-processors. Kosuke will (i) impose written data protection obligations on each Sub-processor no less protective than this DPA, and (ii) remain fully liable for Sub-processors' performance.
Kosuke will notify Customer of intended changes to the Sub-processor list, giving Customer 30 days to object. If Customer reasonably objects, the parties will work in good faith toward a resolution; failing agreement, Customer may terminate the affected services without penalty other than payment for services rendered.
The current list of Sub-processors is maintained at /legal/subprocessors and is available upon written request to security@kosuke.ai.
5. International data transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to Kosuke (or any Sub-processor) in the United States or another third country not deemed adequate by the European Commission, the transfer is governed by the SCC Module 2 (Controller-to-Processor), which are incorporated by reference into this DPA and deemed signed by the parties. The following provisions apply to the SCC:
- Clause 7 (docking clause): does not apply;
- Clause 9 (Sub-processors): Option 2 (general written authorization) applies, with 30 days advance notice;
- Clause 11 (redress): optional independent dispute resolution does not apply;
- Clause 17 (governing law): the law of the EEA Member State where Customer is established;
- Clause 18 (forum): the courts of the EEA Member State where Customer is established;
- Annex I (parties, description of transfer, supervisory authority): as set forth in Section 2 of this DPA and the Service Order;
- Annex II (technical and organizational measures): as set forth in Annex A;
- Annex III (Sub-processors): as set forth at /legal/subprocessors.
For UK transfers, the UK Information Commissioner's Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), version B1.0, is incorporated by reference and amends the SCC as set out in its terms. For Swiss transfers, the SCC apply mutatis mutandis with references to the GDPR read as references to the FADP, and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Kosuke maintains supplementary measures consistent with the CJEU's Schrems II judgment (Case C-311/18), including encryption in transit and at rest, access controls, and the government access request procedures of SCC Clause 15 (notifying Customer of any binding request from a third-country public authority where legally permitted, and challenging requests that Kosuke considers unlawful).
6. Data subject requests, breaches, and audits
6.1 Data subject requests
If Kosuke receives a request directly from a data subject relating to Personal Data processed under this DPA, Kosuke will promptly forward it to Customer and provide reasonable assistance to enable Customer to comply with Articles 12–22 GDPR.
6.2 Personal data breach
Kosuke will notify Customer without undue delay, and in any event within 24 hours of becoming aware, of any confirmed or suspected Personal Data Breach. The notification will include the nature of the breach, affected data categories and approximate numbers, likely consequences, and remediation measures, to the extent then available. Kosuke will cooperate reasonably with Customer's notification efforts to supervisory authorities and data subjects.
6.3 Audits
Customer may, upon reasonable written request and no more than once per calendar year (except after a Personal Data Breach attributable to Kosuke or upon supervisory authority request), audit Kosuke's compliance with this DPA. Audit modalities: (i) review of Kosuke's most recent third-party audit reports or certifications (e.g., SOC 2 Type II report, ISO/IEC 27001 certificate), where available; (ii) written questionnaire; or (iii) on-site audit with 30 days advance notice, during business hours, with minimal disruption, subject to confidentiality. Customer bears audit costs unless material non-compliance is found.
7. Return or deletion of personal data
Within 90 days of completion of each engagement (or termination of the Agreement, whichever is earlier), Kosuke will, at Customer's choice, either return all Personal Data in a commonly used machine-readable format, or securely destroy it and certify deletion in writing upon request. Kosuke may retain (i) one archival copy for legal and audit purposes under continued confidentiality, and (ii) aggregated anonymized data that does not identify any data subject.
8. Customer's obligations as Controller
Customer represents and warrants that (i) it has complied and will comply with Data Protection Laws, (ii) it has obtained all necessary rights, legal bases, and consents for Kosuke's processing under the Agreement, and (iii) Kosuke's processing in accordance with the Agreement will not violate Data Protection Laws or any agreement to which Customer is bound.
9. Liability
Liability under this DPA is governed by the limitation of liability provisions of the Agreement, except that liability for breaches of the GDPR giving rise to direct claims by data subjects (Article 82 GDPR) or to supervisory authority fines (Article 83 GDPR) is not subject to the contractual liability cap to the extent that mandatory law prohibits such a limitation.
10. General
This DPA enters into force on the Effective Date and continues for the duration of the Agreement plus any retention period in Section 7. It is governed by the law of the EEA Member State where Customer is established for GDPR matters, except that the SCC are governed as set forth in their Clause 17. The order of precedence is: SCC > this DPA > Agreement. Electronic signatures are valid and binding.
Annex A — Technical and Organizational Measures
Pursuant to Article 32 GDPR, Kosuke implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These include:
Organizational
- Documented information security policy, reviewed annually
- Mandatory security and privacy training for all personnel
- Confidentiality obligations on all personnel and contractors
- Background checks for personnel with Personal Data access
- Documented incident response and breach notification procedures
Technical — Confidentiality and Integrity
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access control with least-privilege principle
- Multi-factor authentication for all administrative access
- Comprehensive audit logging of Personal Data access
- Pseudonymization where technically feasible
Technical — Availability and Resilience
- Regular automated encrypted backups
- Documented disaster recovery procedures
- Service uptime monitoring
Data Minimization (Specific to Penetration Testing)
- Personnel access Personal Data only to the strict minimum necessary to validate vulnerabilities
- Personal Data is not exfiltrated, stored, or transferred beyond validation
- Validation evidence stored encrypted and pseudonymized where possible
- Return or destruction in accordance with Section 7
Annex B — Sub-processors
The current and complete list of Sub-processors is maintained at /legal/subprocessors and is available to Customer upon written request to security@kosuke.ai.
Contact
For DPA execution requests, sub-processor objections, or data protection inquiries, contact security@kosuke.ai.