Published in full · for transparency

This is Kortave's own Data Processing Agreement under Article 28 GDPR — the binding terms under which we process personal data on behalf of our customers. We publish it in full so you can review exactly what you are agreeing to before you sign. The Processor's identifying details (registered name and seat) and the signature block are completed on execution and are omitted from this published copy for privacy; the legal substance is identical to the executed version. A countersigned copy for your organisation is available on request at [email protected].

GDPR (EU) 2016/679 · Article 28 · Controller–Processor Agreement · Kortave


Data Processing Agreement

Kortave & the Customer (Controller)

Document reference: KTV-DPA-2026-KTV-001
Version: 1.0
Status: In force
Legal basis: Article 28 GDPR (Regulation (EU) 2016/679)
Applicable frameworks: GDPR (EU) 2016/679; Hungarian Act CXII of 2011 (Infotörvény)
Governing jurisdiction: Hungary
Supervisory authority: NAIH (Hungary)
Document type: Standard Data Processing Agreement

1 · Parties and Recitals

1.1 This DPA is entered into between the Customer (the “Controller”), who determines the purposes and means of the processing, and Kortave (the “Processor”), established in Hungary, who processes personal data on behalf of the Controller.

  1. The parties have entered into the Principal Agreement, under which the Processor processes personal data on the documented instructions of the Controller in the course of providing the Kortave platform.
  2. The parties enter into this DPA in order to comply with Article 28 GDPR and to set out the data-protection obligations of the Processor in respect of that processing.
  3. In the event of any conflict or inconsistency between this DPA and the Principal Agreement on data-protection matters, this DPA shall prevail.

1.2 Roles. For the purposes of this DPA and the GDPR, the Customer is the Controller within the meaning of Article 4(7) GDPR and Kortave is the Processor within the meaning of Article 4(8) GDPR.


2 · Definitions

Capitalised terms bear the meanings below. Where a term is defined in the GDPR, it has that meaning; no contradictory bespoke meaning is intended.

Personal Data

Any information relating to an identified or identifiable natural person (Article 4(1) GDPR).

Processing

Any operation performed on Personal Data (Article 4(2) GDPR).

Controller / Processor

Respectively, the person that determines the purposes and means of the processing, and the person that processes Personal Data on behalf of the Controller (Articles 4(7) and 4(8) GDPR).

Sub-processor

Any processor engaged by the Processor to carry out specific processing on behalf of the Controller.

Personal Data Breach

A breach of security as defined in Article 4(12) GDPR.

Special Categories of Data

The categories of data referred to in Article 9(1) GDPR.

Standard Contractual Clauses (SCCs)

The standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914.

Third Country

A country or international organisation outside the European Economic Area (Chapter V GDPR).


3 · Subject Matter, Duration, Nature and Purpose

3.1 The subject-matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Annex I, which forms an integral part of this DPA.

3.2 In summary, the Processor processes Personal Data to provide and administer the Kortave platform to the Controller and to generate compliance deliverables from Controller-supplied data, for the duration of the Principal Agreement.

3.3 Condition precedent for special-category data. Where any processing activity may involve Special Categories of Data within Controller-supplied source documents, such processing shall not commence until the Controller has completed, signed and delivered Schedule A to Annex I. Activation of any special-category processing is a condition precedent to that processing taking place.


4 · Obligations of the Processor

The Processor shall, in respect of all Personal Data processed under this DPA:

  1. Documented instructions. Process the Personal Data only on documented instructions from the Controller, including with regard to transfers to a Third Country, unless required by Union or Member-State law; in such a case it shall inform the Controller before processing, unless that law prohibits it on important grounds of public interest. Art. 28(3)(a)
  2. Confidentiality. Ensure that persons authorised to process the Personal Data have committed to confidentiality or are under an appropriate statutory duty of confidentiality. Art. 28(3)(b)
  3. Security. Take all measures required pursuant to Article 32 GDPR, as set out in Annex II. Art. 28(3)(c); Art. 32
  4. Sub-processing. Respect the conditions in Articles 28(2) and 28(4) GDPR for engaging another processor, as set out in clause 5. Art. 28(3)(d)
  5. Assistance with data-subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests under Chapter III GDPR. Art. 28(3)(e)
  6. Assistance with compliance. Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA and prior consultation), taking into account the nature of processing and the information available to the Processor. Art. 28(3)(f)
  7. Deletion or return. At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Union or Member-State law requires storage. Art. 28(3)(g)
  8. Audit and information. Make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, as set out in clause 8. Art. 28(3)(h)
  9. Infringement notice. Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection law. Art. 28(3), final paragraph

5 · Sub-processors

5.1 General authorisation. The Controller grants the Processor general written authorisation to engage the sub-processors listed in Annex III.

5.2 Advance notice and objection. The Processor shall give the Controller at least thirty (30) days' written notice before a new or replacement sub-processor begins processing Personal Data. Within that period the Controller may raise a reasoned objection on data-protection grounds; the parties shall negotiate in good faith, and where the objection cannot be resolved the Controller may terminate the affected part of the services.

5.3 Flow-down. The Processor shall impose on each sub-processor, by contract, the same data-protection obligations as those in this DPA. Art. 28(4)

5.4 Full liability. Where a sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for that sub-processor's performance. Art. 28(4)


6 · International Data Transfers

6.1 The Processor shall not transfer Personal Data to a Third Country except on the documented instructions of the Controller and only where a valid Chapter V mechanism applies: an adequacy decision (Article 45); appropriate safeguards under Article 46, including the SCCs (Decision (EU) 2021/914); or a derogation under Article 49. Arts. 44–46, 49

6.2 Annex III is the live record of which sub-processors transfer Personal Data outside the EEA and under which mechanism. For each non-EEA transfer, the parties rely on the EU SCCs (Decision (EU) 2021/914).

6.3 The Processor shall carry out and maintain a transfer impact assessment (TIA) for each reliance on the SCCs and make evidence of its completion available to the Controller on request.


7 · Personal Data Breach Notification

7.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. Art. 33(2)

7.2 The notification shall provide all information necessary for the Controller's obligations under Articles 33 and 34 GDPR, describing in particular: (a) the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned; (b) the contact point from whom more information can be obtained; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its effects. Art. 33(3)

7.3 Contact point. For the purposes of Article 33(3) GDPR, the Processor's designated data-protection contact point is [email protected]. The Processor may update this contact point by written notice to the Controller without a formal amendment.


8 · Audit and Inspection

8.1 The Processor shall make available all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Art. 28(3)(h)

8.2 The Controller may request an audit on reasonable prior written notice (ordinarily at least thirty (30) days), not more than once in any twelve-month period save where a Personal Data Breach has occurred or a Supervisory Authority so requires. Audits are conducted during normal business hours, limited to the processing under this DPA, with any third-party auditor bound by confidentiality. Each party bears its own costs unless the audit reveals a material non-compliance by the Processor.

8.3 Certifications and codes of conduct. Adherence to an approved code of conduct (Article 40) or certification mechanism (Article 42) may be provided as an element to demonstrate compliance; such measures supplement, but do not replace or waive, the Controller's audit rights under Article 28(3)(h).


9 · Liability, Term and Termination

9.1 Term. This DPA takes effect on its effective date and remains in force for the duration of the Principal Agreement and for so long as the Processor processes Personal Data on behalf of the Controller.

9.2 Survival. The obligations relating to confidentiality, deletion or return of Personal Data (Article 28(3)(g)) and audit (Article 28(3)(h)) expressly survive termination or expiry.

9.3 Liability. Liability for damage caused by processing is allocated in accordance with Article 82 GDPR. Nothing in this DPA purports to exclude or limit the statutory liability of either party to Data Subjects. Art. 82


10 · Governing Law and Jurisdiction

10.1 This DPA is governed by the laws of Hungary, including the Hungarian Act CXII of 2011 (Infotörvény), without prejudice to the GDPR.

10.2 The competent Hungarian courts have jurisdiction over any dispute arising out of or in connection with this DPA.

10.3 Nothing in this clause deprives any Data Subject of the protections of the GDPR or affects the competence of the relevant Supervisory Authority, the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH).


11 · Signatures

For the Controller

Name: ____________________

Title: ____________________

Date: ____________________

Signature: ____________________

For the Processor (Kortave)

Name: ____________________

Title: ____________________

Date: ____________________

Signature: ____________________


Annex I · Details of the Processing

Each processing activity is recorded with its purpose, data subjects, personal data, special categories and retention period.

Processing activity: Platform account & user management
  Purpose: Provide and administer the Kortave platform to the Customer
  Data subjects: Customer personnel / authorised users
  Personal data: Name; business email; authentication data; usage logs
  Special categories: None
  Retention: Duration of the subscription + statutory retention

Processing activity: Compliance document generation
  Purpose: Generate compliance deliverables from Customer-supplied data
  Data subjects: Data subjects within Customer source documents
  Personal data: As provided by the Customer in source documents
  Special categories: Subject to Schedule A (below)
  Retention: Until deletion/return at end of services (Art. 28(3)(g))

Schedule A — Special-Category Data (Controller-completed and signed). Where any processing may involve Special Categories of Data within Controller-supplied source documents, the Controller shall complete and sign Schedule A listing each special category and the specific Article 9(2) GDPR condition relied upon. The Processor shall not commence processing such data until Schedule A has been completed, signed and delivered, and shall not process any listed category that lacks a specific and plausible Article 9(2) condition. The Controller warrants that it will not supply source documents containing Special Categories of Data until Schedule A is in place.


Annex II · Technical and Organisational Measures (Art. 32)

Each measure is listed with the Article 32 limb it implements and the risk it mitigates.

Measure: Encryption in transit (TLS 1.2+) and at rest
  Art. 32 mapping: Art. 32(1)(a)
  Risk mitigated: Unauthorised access to or interception of Personal Data in transit and at rest

Measure: Row-Level Security on all database tables; access restricted to the server-side service role
  Art. 32 mapping: Art. 32(1)(b)
  Risk mitigated: Unauthorised access; loss of confidentiality

Measure: Least-privilege access control and server-side secret management
  Art. 32 mapping: Art. 32(1)(b)
  Risk mitigated: Unauthorised access; credential compromise

Measure: Monthly automated dependency vulnerability scanning with security review
  Art. 32 mapping: Art. 32(1)(d)
  Risk mitigated: Exploitation of known vulnerabilities; regular testing and evaluation of effectiveness

Measure: Audit logging of all processing and document-release events
  Art. 32 mapping: Art. 32(1)(b)
  Risk mitigated: Undetected unauthorised processing; loss of accountability and integrity

Measure: Automated managed backups with tested restoration
  Art. 32 mapping: Art. 32(1)(c)
  Risk mitigated: Loss of availability; restoration after a physical or technical incident

Measure: Bot protection on public intake surfaces
  Art. 32 mapping: Art. 32(1)(b)
  Risk mitigated: Automated abuse and unauthorised injection of data into intake surfaces
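As an added illustration of the second measure above (Row-Level Security with access restricted to a server-side service role), the following PostgreSQL statements show what such a control looks like in practice. This is example code written for this page, not Kortave's schema or configuration; the table name `documents`, its columns, and the role names `app_service` and `app_client` are assumptions.

```sql
-- Added example (not Kortave's schema): Postgres Row-Level Security restricted to
-- a single server-side service role. All object and role names are hypothetical.

CREATE ROLE app_service NOLOGIN;   -- hypothetical server-side service role
CREATE ROLE app_client  NOLOGIN;   -- hypothetical role for any other connection

CREATE TABLE documents (
    id          bigserial PRIMARY KEY,
    customer_id uuid NOT NULL,
    content     text NOT NULL
);

-- Enable RLS; FORCE makes the policies apply to the table owner as well.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- With RLS enabled and no matching policy, a role sees no rows (default deny).
-- The only policy on the table grants full row access to the service role.
CREATE POLICY service_role_only ON documents
    FOR ALL
    TO app_service
    USING (true)
    WITH CHECK (true);

-- Privileges are a separate layer from RLS: GRANT decides which operations a role
-- may attempt, RLS decides which rows those operations can reach.
REVOKE ALL ON documents FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_service;

-- Verification from the perspective of a non-service role.
SET ROLE app_client;
-- Fails with "permission denied for table documents": no privilege was granted.
SELECT count(*) FROM documents;
RESET ROLE;

-- Verification for the service role: the policy admits every row.
SET ROLE app_service;
INSERT INTO documents (customer_id, content)
VALUES ('00000000-0000-0000-0000-000000000001', 'constructed sample record');
SELECT count(*) FROM documents;   -- returns 1
RESET ROLE;
```

The two checks at the end are the point of the exercise: a control of this kind is only evidence under Article 32(1)(d) if it is actually tested, so the "permission denied" result for `app_client` and the successful read for `app_service` are what an auditor would expect to see reproduced.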

Annex III · Authorised Sub-processors

Each sub-processor is listed with the service it provides, its processing location and the transfer mechanism relied upon.

Sub-processor: Supabase, Inc.
  Service: Managed Postgres database & storage
  Processing location: Frankfurt, Germany (AWS eu-central-1) — EEA
  Transfer mechanism: None required (within EEA)

Sub-processor: Hetzner Online GmbH
  Service: Cloud hosting & compute
  Processing location: Germany — EEA
  Transfer mechanism: None required (within EEA)

Sub-processor: Anthropic, PBC
  Service: LLM API for document generation
  Processing location: United States
  Transfer mechanism: EU SCCs (Decision (EU) 2021/914) + maintained TIA

Sub-processor: Resend (Plus Five Five, Inc.)
  Service: Transactional email delivery
  Processing location: United States
  Transfer mechanism: EU SCCs (Decision (EU) 2021/914) + maintained TIA

Sub-processor: Cloudflare, Inc.
  Service: CDN, DNS & bot protection
  Processing location: Global edge; may route via non-EEA nodes
  Transfer mechanism: EU SCCs (Decision (EU) 2021/914) + maintained TIA
