Data Processing Agreement.

Last updated · April 19, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“MSA”) between Kimpton AI, Inc. (“Kimpton,” “we,” “us”) and the customer entity identified in the MSA (“Customer”). This DPA governs the processing of Personal Data by Kimpton on behalf of Customer in connection with the Kimpton platform and related services (“Services”).

2. Definitions

Terms used in this DPA have the meanings set forth below. Capitalized terms not defined here have the meaning given in the MSA.

  • Personal Data means any information relating to an identified or identifiable natural person processed by Kimpton on behalf of Customer.
  • Data Subject means the natural person to whom Personal Data relates.
  • Controller means the entity that determines the purposes and means of processing Personal Data (Customer).
  • Processor means the entity that processes Personal Data on behalf of the Controller (Kimpton).
  • Sub-processor means any third-party processor engaged by Kimpton to process Personal Data on behalf of Customer.
  • Applicable Data Protection Law means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

3. Scope and roles

Customer is the Controller of Personal Data and Kimpton is the Processor. Kimpton will process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data, unless required to do so by applicable law.

4. Processing details

Subject matter: Provision of the Kimpton Services.
Duration: The term of the MSA.
Nature and purpose: Delivery of AI-driven research, trade proposals, portfolio analytics, and related functionality.
Categories of Data Subjects: Customer’s authorized users, and individuals whose data Customer includes in its queries, uploads, or portfolio connections.
Types of Personal Data: Account and authentication data, device and usage data, and any Personal Data contained in Customer content submitted to the Services.

5. Confidentiality

Kimpton ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

6. Security

Kimpton implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, or disclosure. These include encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and vulnerability management. Kimpton is currently undergoing SOC 2 Type II audit review.

7. Sub-processors

Customer authorizes Kimpton to engage Sub-processors to process Personal Data, provided that Kimpton: (i) imposes data protection obligations on each Sub-processor substantially similar to those set out in this DPA; and (ii) remains liable for the acts and omissions of its Sub-processors. A current list of Sub-processors is available on request.

8. Data subject rights

Kimpton will provide reasonable assistance to Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

9. Personal data breach

Kimpton will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide reasonable information and assistance to help Customer meet its obligations under Applicable Data Protection Law.

10. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, such transfers are made pursuant to the Standard Contractual Clauses adopted by the European Commission, as supplemented by any additional measures required by Applicable Data Protection Law.

11. Deletion and return

Upon termination of the MSA or at Customer’s earlier written request, Kimpton will delete or return all Personal Data processed on behalf of Customer, except where retention is required by applicable law. Deletion is typically completed within 30 days of request.

12. Audits

Kimpton will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including the most recent third-party audit reports and security certifications.

13. Contact

Questions about this DPA should be directed to legal@kimpton.ai.