Legal · Data handling

Data Processing Agreement

Last updated · June 2026
This is a draft of our standard Data Processing Agreement for K15 Labs managed pods. Final terms are confirmed during onboarding.

When the engagement involves personal data, this DPA defines who is the controller, who is the processor, and how data is processed, secured, transferred, audited, and deleted. It forms part of the Master Service Agreement, with the engagement-specific details set out in Schedule 1.

01

When this DPA applies

This Data Processing Agreement (“DPA”) is entered into between K15 Labs, LLC (“K15 Labs”) and [Client legal name] (“Client”).

This DPA forms part of the Master Service Agreement between the parties (“MSA”, see /legal/msa). If there is a conflict between this DPA and the MSA on the processing of personal data, this DPA controls.

This DPA applies when K15 Labs processes personal data on behalf of Client in connection with the services under the MSA.

This DPA does not apply where K15 Labs does not process personal data on behalf of Client.

02

Definitions

“Applicable Data Protection Laws” means data protection and privacy laws that apply to the processing of personal data under the MSA, including, where applicable, GDPR, UK GDPR, CCPA/CPRA, and similar privacy laws.

“Client Personal Data” means personal data processed by K15 Labs on behalf of Client under the MSA.

“Controller,” “processor,” “personal data,” “processing,” “data subject,” and “personal data breach” have the meanings given to them under Applicable Data Protection Laws.

For CCPA/CPRA purposes, “personal data” includes “personal information,” and K15 Labs acts as a service provider or contractor as applicable.

03

Roles

Client is the controller of Client Personal Data.

Where Client acts as a processor for its own customer, K15 Labs acts as Client’s subprocessor.

K15 Labs is the processor of Client Personal Data and will process Client Personal Data only as described in this DPA, the MSA, Schedule 1, and Client’s documented instructions.

Client is responsible for having a lawful basis for the processing and for giving any required notices to data subjects.

04

Scope and purpose of processing

K15 Labs may process Client Personal Data only to provide the services under the MSA.

This may include:

  • accessing Client repositories, tools, tickets, documentation, systems, and environments;
  • reviewing code, logs, test data, issue reports, support context, or product information;
  • developing, testing, deploying, maintaining, or documenting Client systems;
  • providing QA, cloud/DevOps, design, engineering, reporting, and pod coordination support;
  • communicating with Client stakeholders;
  • performing security, continuity, and operational tasks required for the engagement.

The subject matter, duration, nature, purpose, data categories, and data subject categories are set out in Schedule 1: Data Processing Details.

05

Documented instructions

K15 Labs will process Client Personal Data only on documented instructions from Client.

The MSA, this DPA, Schedule 1, written tickets, written technical instructions, access permissions, approved process documents, and other written Client directions count as documented instructions.

K15 Labs will promptly notify Client if it believes an instruction violates Applicable Data Protection Laws, unless legally prohibited from doing so.

06

CCPA/CPRA service provider terms

Where CCPA/CPRA applies, K15 Labs will act as a service provider or contractor.

K15 Labs will not:

  • sell or share Client Personal Data;
  • retain, use, or disclose Client Personal Data outside the business purpose of providing the services;
  • retain, use, or disclose Client Personal Data for a commercial purpose other than the business purpose of providing the services;
  • combine Client Personal Data with personal data received from other sources except as permitted by Applicable Data Protection Laws;
  • use Client Personal Data for targeted advertising or cross-context behavioral advertising;
  • use Client Personal Data for K15 Labs’ own marketing.

K15 Labs will provide the same level of privacy protection required of service providers or contractors under applicable CCPA/CPRA requirements.

Client may take reasonable and appropriate steps to help ensure that K15 Labs uses Client Personal Data consistently with Client’s obligations under Applicable Data Protection Laws.

K15 Labs will notify Client if it determines it can no longer meet its obligations under Applicable Data Protection Laws.

07

Confidentiality

K15 Labs will ensure that personnel authorized to process Client Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Access to Client Personal Data will be limited to personnel who need access to provide the services.

08

Security measures

K15 Labs will maintain reasonable administrative, technical, and organizational measures designed to protect Client Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, disclosure, or access.

These measures may include, as applicable:

  • named user access;
  • least-privilege access;
  • access removal when no longer needed;
  • TLS for data in transit;
  • use of provider-supported encryption at rest where available;
  • use of Client-managed secret stores where reasonably possible;
  • audit logging in K15 Labs-managed environments where reasonably available;
  • confidentiality obligations for assigned personnel;
  • reasonable device, account, and credential hygiene;
  • internal access controls for assigned pod members;
  • reasonable incident response procedures.

Client remains responsible for security of Client-owned accounts, environments, credentials, infrastructure, repositories, tools, and access policies, except where K15 Labs expressly controls them under the MSA.

09

AI tooling

K15 Labs may use AI tooling as permitted under the MSA and Client’s documented instructions.

K15 Labs will not intentionally use Client Personal Data to train public foundation models.

Where Client requires specific AI tooling, model deployments, data restrictions, no-use zones, or compliance controls, those requirements must be documented in the MSA, Schedule 1, or other written instructions.

AI-assisted work remains subject to the same review, confidentiality, and data protection obligations as other work.

10

Subprocessors

Client gives K15 Labs general authorization to use subprocessors to provide the services.

Subprocessors may include infrastructure providers, cloud providers, productivity tools, development tools, communication tools, AI tooling providers, and K15 Labs personnel providers involved in providing the services.

K15 Labs will impose written data protection obligations on subprocessors that are substantially similar to those in this DPA.

K15 Labs remains responsible for subprocessors’ performance of their data protection obligations.

K15 Labs will make a current list of subprocessors available on request.

Where required by Applicable Data Protection Laws, K15 Labs will give Client reasonable notice of material changes to subprocessors. Client may object on reasonable data protection grounds. If the parties cannot resolve the objection, Client may terminate the affected services.

11

Data subject requests

K15 Labs will provide reasonable assistance to Client, taking into account the nature of the processing, to help Client respond to data subject requests under Applicable Data Protection Laws.

If K15 Labs receives a data subject request relating to Client Personal Data, K15 Labs will, where legally permitted, refer the request to Client and not respond directly except on Client’s documented instructions or as required by law.

12

Assistance with compliance

Taking into account the nature of processing and the information available to K15 Labs, K15 Labs will provide reasonable assistance to Client with:

  • security obligations;
  • breach response;
  • data protection impact assessments;
  • prior consultations with supervisory authorities, where applicable;
  • records or information reasonably needed to demonstrate compliance with this DPA.

K15 Labs may charge reasonable fees for assistance that goes beyond ordinary engagement support, unless the assistance is required because of K15 Labs’ breach of this DPA.

13

Personal data breach

K15 Labs will notify Client without undue delay after becoming aware of a confirmed personal data breach affecting Client Personal Data.

Where legally required and reasonably possible, K15 Labs will aim to notify Client within 72 hours after becoming aware of the breach.

The notification will include available information about:

  • the nature of the breach;
  • affected data categories;
  • affected systems, where known;
  • likely consequences, where known;
  • steps taken or proposed to address the breach;
  • contact point for follow-up.

K15 Labs will reasonably cooperate with Client’s breach investigation and response.

A notification under this section is not an admission of fault or liability.

14

International transfers

Where Client Personal Data is transferred internationally and a transfer mechanism is required, the parties will use an appropriate lawful transfer mechanism.

This may include Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or another lawful mechanism under Applicable Data Protection Laws.

The applicable transfer mechanism and any supplementary measures may be documented in Schedule 1 or a separate transfer addendum.

15

Return or deletion

At the end of the services, K15 Labs will return or delete Client Personal Data within a reasonable period, unless retention is required by law, audit, backup, compliance, or legitimate dispute-resolution needs.

Client Personal Data retained in backups will remain protected under this DPA until deleted in the ordinary backup lifecycle.

On request, K15 Labs will confirm deletion or return in writing.

16

Audit and information rights

K15 Labs will make available information reasonably necessary to demonstrate compliance with this DPA.

Client may request an audit no more than once per year, unless required by Applicable Data Protection Laws or following a confirmed personal data breach affecting Client Personal Data.

Audits must be:

  • subject to reasonable advance written notice;
  • limited to the scope of this DPA;
  • conducted during normal business hours;
  • performed in a way that does not unreasonably disrupt K15 Labs’ operations;
  • subject to confidentiality obligations;
  • conducted without access to other clients’ confidential information, systems, or personal data.

K15 Labs may satisfy an audit request by providing security documentation, policies, summaries, third-party reports, written responses, or other reasonable evidence before allowing live inspection.

17

Deidentified and aggregated data

K15 Labs may create and use deidentified or aggregated information only where it cannot reasonably identify Client, data subjects, or Client systems.

K15 Labs will not attempt to reidentify deidentified data except as permitted by law for testing whether deidentification is effective.

18

Liability

Liability arising under this DPA is subject to the liability limits and exclusions in the MSA, except where liability cannot be limited under Applicable Data Protection Laws.

19

Term

This DPA remains in effect for as long as K15 Labs processes Client Personal Data.

Sections that by their nature should survive termination will survive, including confidentiality, deletion, audit, international transfers, and liability.

20

Schedule 1: Data Processing Details

1. Subject matter

K15 Labs’ provision of managed AI-native engineering pod services to Client under the MSA.

2. Duration

For the term of the MSA and any period during which K15 Labs processes Client Personal Data for return, deletion, backup, legal, audit, compliance, or dispute-resolution purposes.

3. Nature and purpose of processing

Processing Client Personal Data as needed to provide engineering, development, QA, cloud/DevOps, design, pod coordination, reporting, onboarding, continuity, and related services under the MSA.

Processing may include access, viewing, retrieval, organization, storage, testing, modification, transmission, deletion, and other operations necessary to provide the services.

4. Categories of data subjects

As applicable to the engagement:

  • Client employees, contractors, and representatives;
  • Client customers, users, prospects, or end users;
  • individuals contained in Client databases, logs, tickets, repositories, analytics, support materials, or test data;
  • other individuals whose personal data is included in Client systems or materials accessed during the engagement.

5. Categories of personal data

As applicable to the engagement:

  • names;
  • email addresses;
  • usernames or account identifiers;
  • job titles and business contact details;
  • user IDs, customer IDs, and internal identifiers;
  • IP addresses, device data, logs, usage data, and technical metadata;
  • support tickets, issue reports, comments, messages, and documentation;
  • customer records or application data made available in Client systems;
  • other personal data contained in Client repositories, databases, logs, tools, or environments.

6. Sensitive personal data

Sensitive personal data is not expected unless stated here:

[Sensitive personal data, if any.]

Client should not provide sensitive personal data to K15 Labs unless required for the engagement and documented in writing.

7. Processing locations

Primary processing locations:

  • [United States]
  • [European Economic Area, if applicable]
  • [Other locations, if applicable]

Remote personnel locations:

  • [List countries or regions, if required.]

8. Subprocessors

Current subprocessors:

  • [Subprocessor name] - [service provided] - [location]
  • [Subprocessor name] - [service provided] - [location]

Subprocessor list may be provided separately and updated from time to time.

9. Transfer mechanism

Selected per engagement. Where no personal data is transferred outside the United States, the mechanism is “Not applicable.” Otherwise, the applicable mechanism is one of:

  • [Standard Contractual Clauses]
  • [UK International Data Transfer Addendum]
  • [Adequacy decision]
  • [Other]
  • [Not applicable]

10. Client instructions

Client instructions include:

  • the MSA;
  • this DPA;
  • Schedule 1;
  • approved tickets;
  • approved process documents;
  • access permissions;
  • written technical instructions;
  • written security or AI-tooling restrictions.

11. Signatures

Signatory
K15 Labs, LLC
Name
[Authorized signer]
Title
[Title]
Signature
 
Date
 
Signatory
[Client legal name]
Name
[Signer name]
Title
[Signer title]
Signature
 
Date