Data Processing Addendum
Last updated: 1 July 2026
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service between you (“Customer”) and Krova Inc. (“Krova Cloud”, “we”, “us”) (together, the “Agreement”) and applies automatically, without a separate signature, whenever we process personal data on your behalf in the course of providing the Service. It reflects our standard data-processing terms; if you require an individually countersigned copy, contact [email protected].
On this page
- 1. Scope and incorporation
- 2. Definitions
- 3. Roles and responsibilities
- 4. Details of processing
- 5. Customer instructions
- 6. Confidentiality
- 7. Security measures
- 8. Subprocessing
- 9. Assistance with data-subject requests
- 10. Security-incident notification
- 11. Audit and certifications
- 12. DPIA assistance
- 13. International transfers
- 14. Return and deletion on termination
- 15. Precedence
- Annex 1 — Description of processing
- Annex 2 — Security measures
- Annex 3 — Subprocessors
1. Scope and incorporation
This Addendum supplements, and is incorporated into, the Agreement. It applies only to the extent we process personal data for which you are a controller or processor in connection with your use of the Service — most commonly, personal data of your own end users that resides inside a Cube or that you upload, generate or otherwise process through the Service (“Customer Personal Data”). It does not apply to our processing of your own account, contact and billing data as a controller, which is described in our Privacy Policy. Capitalised terms not defined in this Addendum have the meaning given to them in the Agreement.
2. Definitions
- “Applicable Privacy Law”means all data-protection and privacy laws applicable to the processing of Customer Personal Data under this Addendum, including, as applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the UK GDPR and the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection (“Swiss FADP”).
- “Controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “security incident” (or equivalent terms such as “personal data breach”) have the meanings given in Applicable Privacy Law.
- “Subprocessor” means a third party engaged by Krova Cloud to process Customer Personal Data in order to provide the Service.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
- “Third Country” means a country outside the European Economic Area, the United Kingdom or Switzerland that has not been recognised by the relevant authority as providing an adequate level of data protection.
3. Roles and responsibilities
For personal data you process through the Service on behalf of your own end users, you act as the controller (or, where you are yourself a processor, as a processor) and Krova Cloudacts as your processor (or sub-processor). Each party is responsible for complying with the obligations that apply to it under Applicable Privacy Law. We process such personal data only on your documented instructions, which the Agreement, this Addendum and your use of the Service's features constitute in full.
4. Details of processing
The subject matter, duration, nature and purpose of processing, the types of personal data and the categories of data subjects are described in Annex 1. You are solely responsible for determining what personal data you process through the Service and for ensuring you have a lawful basis to do so.
5. Customer instructions
We will process Customer Personal Data only in accordance with your documented instructions, unless required to do otherwise by law applicable to us, in which case we will (to the extent permitted by that law) inform you before processing, unless that law prohibits this. The Agreement, this Addendum, your configuration of the Service and your use of its features (including provisioning, resizing, snapshotting, backing up, exporting and deleting Cubes and data) together constitute your complete instructions. If we believe an instruction infringes Applicable Privacy Law, we will notify you promptly; we are not obliged to comply with an instruction we reasonably believe is unlawful.
6. Confidentiality
We ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory) and receive training appropriate to their role, and that access to Customer Personal Data is limited to personnel who need it to provide, secure or support the Service.
7. Security measures
We implement the technical and organisational measures described in Annex 2, designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. You are responsible for using the security features and controls the Service makes available (for example SSH key management, network exposure and access controls for your Cubes) and for the security of software you run and data you store inside your Cubes.
8. Subprocessing
You authorise Krova Cloudto engage Subprocessors to process Customer Personal Data, subject to the terms of this Section. We do not publish the identities of our Subprocessors, but we will provide a current list — including each Subprocessor's role, the categories of data it processes, and its processing location — to you on request (see Annex 3). We impose data-protection obligations on each Subprocessor that are substantially the same as those set out in this Addendum, appropriate to the nature of the services it provides, and we remain liable to you for the acts and omissions of our Subprocessors to the same extent we would be liable if performing their services ourselves.
Before adding a new Subprocessor or replacing an existing one, we will give you at least 30 days' advance notice by email to your account address or by another direct means. If you have a reasonable data-protection-related objection to a new Subprocessor, notify us in writing at [email protected] within that notice period. We will work with you in good faith to address the objection; if we cannot reach a resolution, you may terminate the portion of the Service that cannot be provided without the objected-to Subprocessor by written notice, as your sole and exclusive remedy.
9. Assistance with data-subject requests
Taking into account the nature of the processing, we provide self-service tools that let you access, export and delete Customer Personal Data directly — for example exporting or deleting a Cube, its snapshots and its backups from the dashboard or API. Where a data subject request cannot reasonably be satisfied using those tools, we will provide reasonable additional assistance to help you respond to requests to exercise data-subject rights under Applicable Privacy Law. If we receive a request directly from one of your end users concerning Customer Personal Data, we will direct that person to make the request to you and, where legally permitted, notify you without undue delay. Requests for assistance under this Section should be sent to [email protected]. We may charge a reasonable fee for assistance that requires material engineering effort beyond the self-service tools described above.
10. Security-incident notification
If we become aware of a security incident affecting Customer Personal Data, we will notify you without undue delay after becoming aware of it, and provide the information we then have available to help you meet any notification obligations you have under Applicable Privacy Law. We will take reasonable steps to identify the cause of the incident, mitigate its effects and remediate the cause, and will provide reasonable cooperation and updates as our investigation progresses. Notification of, or response to, a security incident under this Section is not an acknowledgement by us of any fault or liability with respect to the incident.
11. Audit and certifications
On reasonable written request, and no more than once per calendar year (except where required by a supervisory authority or following a security incident affecting your Customer Personal Data), we will make available the information reasonably necessary to demonstrate compliance with this Addendum, which may include written summaries of our security programme, responses to a reasonable security questionnaire, or a walkthrough of relevant controls. We do not currently hold SOC 2 or ISO/IEC 27001 certification; we will identify our current certifications and audit reports, if any, if and when they become available. Any audit beyond the provision of such information must be conducted during business hours, with reasonable advance notice, in a manner that minimises disruption to our business and to our other customers, and at your expense. We may decline to engage an auditor that is a competitor of ours or that lacks appropriate confidentiality and professional obligations, and any auditor must sign a confidentiality agreement satisfactory to us. This Section does not entitle you or your auditor to access another customer's data or our internal systems beyond what is reasonably necessary to verify compliance with this Addendum.
12. DPIA assistance
Taking into account the nature of processing and the information reasonably available to us, we will provide reasonable assistance to you with any data protection impact assessment, and any prior consultation with a supervisory authority, that you reasonably consider is required by Applicable Privacy Law as a result of processing carried out by us on your behalf, by providing the information described in this Addendum (including its Annexes) and any additional documentation we make generally available.
13. International transfers
We and our Subprocessors may process Customer Personal Data in countries other than the country in which you or your end users are located, including in the United States and other Third Countries. Where such a transfer is subject to Applicable Privacy Law that restricts transfers outside the EEA, the UK or Switzerland, the following apply:
- EEA transfers: to the extent Customer Personal Data subject to the EU GDPR is transferred to a Third Country, the SCCs are incorporated by reference, with Module 2 (controller to processor) applying where you are a controller and Module 3 (processor to processor) applying where you are a processor acting on behalf of a third-party controller. Annexes I, II and III to the SCCs are populated by Annexes 1, 2 and 3 to this Addendum respectively.
- UK transfers:to the extent Customer Personal Data subject to the UK GDPR is transferred to a Third Country, the UK Information Commissioner's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK IDTA”) is incorporated by reference and applies in addition to the SCCs referenced above.
- Swiss transfers:to the extent Customer Personal Data subject to the Swiss FADP is transferred to a Third Country, the SCCs referenced above apply as modified by the requirements of the Federal Data Protection and Information Commissioner (“Swiss-modified SCCs”), including that references to the EU GDPR are read as references to the Swiss FADP where required and the competent supervisory authority and courts are those of Switzerland where the transfer is governed exclusively by the Swiss FADP.
- Data Privacy Framework:where we or a relevant Subprocessor self-certify to the EU-U.S. Data Privacy Framework, the UK Extension to the Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework (together, the “DPF”), we or that Subprocessor may rely on the DPF as an additional or alternative transfer mechanism to the extent permitted by Applicable Privacy Law.
- If a competent authority or court determines that a data-transfer mechanism referenced in this Section is no longer valid, we will work with you in good faith to implement an alternative mechanism permitted by Applicable Privacy Law, which may include a supervisory-authority-approved adequacy decision or our (or a Subprocessor's) binding corporate rules, without undue delay.
14. Return and deletion on termination
On expiry or termination of the Agreement, or on your written request, we will delete Customer Personal Data within 90 days, except to the extent applicable law requires us to retain it, or it is contained in an archived backup created and retained in the ordinary course of business, in which case we will isolate and protect it from further processing and delete it in accordance with our routine backup-rotation schedule. This Section is consistent with, and does not extend, the retention periods described in our Privacy Policy. You remain responsible for exporting any Customer Personal Data you wish to retain before termination, using the export tools the Service makes available.
15. Precedence
If there is a conflict between this Addendum and the Agreement, this Addendum controls with respect to the processing of Customer Personal Data. If there is a conflict between this Addendum and the SCCs, the UK IDTA or the Swiss-modified SCCs incorporated under Section 13, the relevant transfer mechanism controls with respect to the transfer of Customer Personal Data it covers. In all other respects, the Agreement continues to apply.
Annex 1 — Description of processing
Subject matter and duration
Processing of Customer Personal Data by Krova Cloud as necessary to provide the Service, for the duration of the Agreement plus the return/deletion period described in Section 14.
Nature and purpose of processing
Storage, hosting, transmission, backup and deletion of data you upload to, generate within or configure through a Cube; provisioning and operation of the underlying compute, storage and networking resources; and the limited additional processing described in this Addendum (security-incident detection, data-subject-request assistance, and audit support).
Categories of data subjects
The data subjects are determined by you and may include your own employees, contractors, customers, users or any other individuals whose personal data you choose to process through the Service.
Categories of personal data
The categories of personal data are determined by you based on how you configure and use your Cubes, and may include any personal data you choose to store, process or transmit through the Service. We do not control or limit the categories of personal data you process, and you are responsible for ensuring the Service is an appropriate place to process any special categories of personal data (such as health, biometric or similarly sensitive data) you decide to include.
Annex 2 — Security measures
Technical and organisational measures currently in place include:
- Encryption at rest for sensitive secrets: sensitive credentials and secrets we hold to operate the Service are encrypted with AES-256-GCM before being stored.
- Encryption in transit: connections to the dashboard, API and control-plane services use TLS; server management connections use SSH.
- Isolation between customers:each Cube runs as an isolated Firecracker microVM with its own virtual CPU, memory, disk and network namespace, separate from other customers' Cubes on the same host.
- Access controls: role-based permissions within each space (owner, admin, member, viewer), authenticated sessions, and internal access to production systems and infrastructure restricted to personnel who need it to operate the Service.
- Audit and lifecycle logging: mutations to customer resources (spaces, Cubes, snapshots, backups, domains) are recorded in audit and lifecycle logs used for security investigation and change tracking.
- Backups and redundancy: snapshot and backup functionality is available so you can protect Customer Content against accidental loss; storage is spread across configured storage backends with per-cube deduplicated repositories for snapshots.
- Vulnerability and patch management: host operating systems and guest images receive security updates as part of our operational processes.
We review and, where appropriate, update these measures over time. This Annex describes measures actually in place and does not represent, and should not be read as implying, any third-party certification (such as SOC 2 or ISO/IEC 27001) that we do not currently hold.
Annex 3 — Subprocessors
Krova Clouddoes not publish the identities of its Subprocessors. A current list of the Subprocessors engaged to process Customer Personal Data — including each Subprocessor's role, the categories of data it processes, and its processing location — is available to customers on request. To request the current list, or to be added to change notifications, contact [email protected]. We give affected customers at least 30 days' advance notice of any new or replacement Subprocessor, and an opportunity to object, as described in Section 8.