DATA PROCESSING AGREEMENT
Between Customer and T-SolArch s.r.o. (NextKS)
Effective Date: [Date of Customer's acceptance of NextKS Terms of Service]
1. DEFINITIONS AND INTERPRETATION
1.1. Definitions
In this Data Processing Agreement ("DPA"):
- "Agreement" means the NextKS General Terms of Service and any Order Form between the Parties governing the Customer's use of the Services.
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
- "Customer" means the entity identified in the applicable Order Form or Services registration documents.
- "Customer Data" means Personal Data that Customer provides to Provider that Provider processes on behalf of Customer to provide the Services.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, and any applicable national implementing legislation.
- "Data Subject" means an identified or identifiable natural person about whom Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- "Personal Data" has the meaning given in Article 4(1) of the GDPR.
- "Personal Data Breach" has the meaning given in Article 4(12) of the GDPR.
- "Processing" has the meaning given in Article 4(2) of the GDPR, and "process", "processes" and "processed" shall be interpreted accordingly.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Provider" means T-SolArch s.r.o., a limited liability company (společnost s ručením omezeným) organized under the laws of the Czech Republic, seated at Příkop 843/4, 602 00 Brno, Czech Republic, ID No.: 095 65 701, doing business as "NextKS".
- "Services" means the NextKS AI-powered knowledge management platform and related services as described in the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Decision on 4 June 2021 (Commission Implementing Decision (EU) 2021/914).
- "Subprocessor" means any Processor engaged by Provider to process Customer Data.
1.2. Interpretation
This DPA forms part of and is incorporated into the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
2. SCOPE AND ROLES
2.1. Scope of DPA
This DPA applies where and only to the extent that Provider processes Customer Data on behalf of Customer in the course of providing the Services and such processing is subject to Data Protection Laws.
2.2. Roles of the Parties
The Parties acknowledge and agree that:
(a) Customer is the Controller of Customer Data and determines the purposes and means of the processing of Customer Data;
(b) Provider is the Processor of Customer Data and processes Customer Data only on behalf of and in accordance with Customer's documented instructions;
(c) Customer is solely responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data;
(d) Customer shall ensure that it has all necessary rights, consents, and lawful bases under Data Protection Laws to provide Customer Data to Provider and to authorize Provider to process Customer Data in accordance with this DPA and the Agreement.
3. PROVIDER'S OBLIGATIONS
3.1. Processing Instructions
Provider shall process Customer Data only in accordance with Customer's documented instructions unless required to do so by applicable law. Customer's instructions for the processing of Customer Data shall be to provide the Services in accordance with the Agreement. Provider shall inform Customer if, in Provider's opinion, an instruction from Customer infringes Data Protection Laws.
3.2. Confidentiality
Provider shall ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security Measures
Provider shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Customer Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures are described in Annex II (Technical and Organizational Measures) to this DPA.
3.4. Subprocessors
(a) General Authorization: Customer provides a general authorization for Provider to engage Subprocessors to process Customer Data, provided that Provider complies with the requirements of this Section 3.4.
(b) Current Subprocessors: The Subprocessors currently engaged by Provider and authorized by Customer are listed in Annex III (Subprocessors) to this DPA.
(c) New Subprocessors: Provider shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors at least thirty (30) days prior to authorizing any new Subprocessor to process Customer Data (the "Notice Period"). Such notification may be provided by email to Customer's registered contact or by publication on Provider's website at nextksframework.com.
(d) Objection Right: Customer may object to Provider's appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Provider in writing within the Notice Period. If Customer objects, the Parties shall work together in good faith to find a mutually acceptable resolution. If no resolution can be found within thirty (30) days, either Party may terminate the affected Services upon written notice, and Provider shall refund Customer any prepaid fees for the terminated Services covering the period after termination.
(e) Subprocessor Obligations: Provider shall ensure that any Subprocessor is bound by a written contract containing data protection obligations no less protective than those set out in this DPA, including obligations regarding security, confidentiality, assistance with Data Subject rights, and deletion or return of data. Provider remains fully liable to Customer for any failure by a Subprocessor to fulfill its data protection obligations.
3.5. Data Subject Rights
(a) Taking into account the nature of the processing, Provider shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, data portability, and objection).
(b) If Provider receives a request from a Data Subject in relation to Customer Data, Provider shall promptly redirect the Data Subject to Customer and shall not respond to the request without Customer's prior written authorization, except to confirm that the request relates to Customer.
3.6. Personal Data Breaches
(a) Provider shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and in any event no later than forty-eight (48) hours after becoming aware of the breach.
(b) Such notification shall, to the extent possible, include:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of Provider's data protection officer or other contact point;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
(c) Provider shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
3.7. Data Protection Impact Assessment and Prior Consultation
Provider shall provide reasonable assistance to Customer (at Customer's expense) with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws, to the extent that such assistance relates to the processing of Customer Data and taking into account the nature of the processing and information available to Provider.
3.8. Deletion or Return of Customer Data
(a) Upon termination or expiration of the Services, Provider shall (at Customer's election) delete or return to Customer all Customer Data in Provider's possession or control, and delete existing copies, unless retention is required by applicable law.
(b) Provider shall complete such deletion or return within thirty (30) days of the termination date, unless a different period is specified in the Agreement or required by law.
(c) Provider shall provide written certification to Customer of the deletion or return upon request.
3.9. Audit Rights
(a) Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer, subject to the following conditions:
- Customer shall provide Provider with at least thirty (30) days' prior written notice of any intended audit;
- Audits shall be conducted no more than once per year, unless required by a supervisory authority or in response to a suspected breach;
- Audits shall be conducted during Provider's normal business hours and in a manner that does not unreasonably interfere with Provider's business operations;
- Customer and any third-party auditors shall execute a confidentiality agreement acceptable to Provider;
- Customer shall bear all costs associated with the audit.
(b) In lieu of an audit, Provider may provide Customer with copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports) that demonstrate Provider's compliance with this DPA, if such reports or certifications are available and cover the scope of the requested audit.
4. CUSTOMER'S OBLIGATIONS
4.1. Lawful Processing
Customer represents and warrants that:
(a) Customer has all necessary rights, consents, and lawful bases under Data Protection Laws to collect, use, and disclose Customer Data and to authorize Provider to process Customer Data as contemplated by this DPA and the Agreement;
(b) Customer's instructions for the processing of Customer Data, including the appointment of Provider as a Processor, comply with Data Protection Laws;
(c) Customer has provided, or will provide, all necessary privacy notices to Data Subjects and has obtained all necessary consents as required by Data Protection Laws.
4.2. Compliance with Data Protection Laws
Customer shall comply with all applicable Data Protection Laws in its use of the Services and its processing of Customer Data. Customer acknowledges and agrees that Provider has no obligation to assess whether Customer's use of the Services complies with Data Protection Laws applicable to Customer.
4.3. Processing Instructions
Customer shall not instruct Provider to process Customer Data in a manner that would violate Data Protection Laws or this DPA. Customer is solely responsible for ensuring that its instructions are lawful.
5. INTERNATIONAL DATA TRANSFERS
5.1. Data Storage Location
Provider processes and stores Customer Data primarily in the European Union (West Europe region). Details of data storage locations are provided in Provider's Privacy Policy.
5.2. Transfers to Third Countries
(a) To the extent that Provider transfers Customer Data from the European Economic Area (EEA), United Kingdom, or Switzerland to a country outside such regions that is not recognized by the European Commission as providing an adequate level of data protection (a "Third Country"), such transfer shall be governed by the Standard Contractual Clauses.
(b) The Standard Contractual Clauses are deemed incorporated into this DPA by reference and completed as follows:
- Module: Module Two (Controller to Processor) applies to transfers of Customer Data from Customer to Provider. Module Three (Processor to Sub-Processor) applies to onward transfers of Customer Data from Provider to Subprocessors in Third Countries. Provider ensures that appropriate Standard Contractual Clauses (Module Three) are in place with each Subprocessor processing Customer Data in a Third Country;
- Optional Clauses: Clause 7 (docking clause), Clause 11 (optional language), and Clause 9 Option 1 do not apply;
- Clause 9 (Use of Sub-processors): Option 2 (general written authorization) applies, with the time period for prior notice set forth in Section 3.4(c) of this DPA;
- Clause 17 (Governing Law): The laws of the Czech Republic shall apply;
- Clause 18 (Choice of forum and jurisdiction): The courts of Brno, Czech Republic shall have jurisdiction;
- Annex I: The information required is set out in Annex I (Details of Processing) to this DPA;
- Annex II: The technical and organizational measures are set out in Annex II (Technical and Organizational Measures) to this DPA;
- Annex III: The list of Subprocessors is set out in Annex III (Subprocessors) to this DPA.
(c) For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) shall apply, completed in accordance with the above.
5.3. Subprocessor Transfers
Provider shall ensure that any Subprocessor engaged to process Customer Data in a Third Country is bound by the Standard Contractual Clauses or another adequate data transfer mechanism recognized under Data Protection Laws.
6. LIABILITY AND INDEMNIFICATION
6.1. Liability
Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either Party's liability for fraud, gross negligence, or violations of Data Protection Laws that cannot be limited by contract under applicable law.
6.2. Supervisory Authority Claims
If a supervisory authority brings a claim against Provider arising from Customer's violation of Data Protection Laws or Customer's instructions to Provider, Customer shall defend and indemnify Provider against such claim in accordance with the indemnification provisions of the Agreement.
7. TERM AND TERMINATION
7.1. Term
This DPA shall commence on the Effective Date and shall remain in effect for as long as Provider processes Customer Data on behalf of Customer, or until termination of the Agreement, whichever occurs first.
7.2. Effect of Termination
Upon termination of this DPA, Provider's obligations regarding deletion or return of Customer Data under Section 3.8 shall apply. Sections of this DPA that by their nature should survive termination (including Sections 3.8, 6, and 8) shall survive.
8. GENERAL PROVISIONS
8.1. Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall take precedence to the extent of such conflict.
8.2. Amendments
This DPA may not be amended, modified, or supplemented except by a written agreement signed or otherwise formally accepted by authorized representatives of both Parties. Notwithstanding the foregoing, Provider may update the Annexes to this DPA (including the list of Subprocessors and technical and organizational measures) to reflect changes required by Data Protection Laws, regulatory guidance, or changes in Provider's data processing practices, provided that such updates do not materially reduce the overall level of data protection afforded to Customer Data. Provider shall notify Customer of any material changes to the Annexes at least thirty (30) days in advance. If Customer objects to such changes on reasonable data protection grounds, the Parties shall negotiate in good faith to resolve the objection. If no resolution is reached within thirty (30) days, either Party may terminate the affected Services upon written notice.
8.3. Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves, to the extent possible, the original intent of the Parties.
8.4. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the Czech Republic. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Brno, Czech Republic, except where the Standard Contractual Clauses specify otherwise.
8.5. Entire Agreement
This DPA, together with the Agreement and its exhibits and annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings or agreements, whether written or oral, regarding such subject matter.
ANNEX I: DETAILS OF PROCESSING
A. LIST OF PARTIES
Data Exporter (Customer):
Name: [As specified in Order Form]
Address: [As specified in Order Form]
Contact: [As specified in Order Form]
Role: Controller
Data Importer (Provider):
Name: T-SolArch s.r.o. (doing business as NextKS)
Address: Příkop 843/4, 602 00 Brno, Czech Republic
Contact: support@nextks.com
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects:
- Customer's authorized users (employees, contractors, or other personnel authorized by Customer to access the Services)
Categories of Personal Data:
- Account Information: Names, work email addresses, job titles, user credentials
- Usage Data: User actions, queries, document views, timestamps, IP addresses
- Customer Content: Knowledge base articles, documents, Q&A content, and other business information uploaded by Customer or its users (which may incidentally include personal data such as names, email addresses, or other identifiers)
- Q&A Ticket Data: User names and email addresses associated with Q&A tickets, transmitted to LLM providers (currently OpenAI and Anthropic) as necessary for AI-powered ticket processing and routing
Sensitive Data (if applicable): No sensitive data (as defined in Article 9 of GDPR) is intended to be processed. Customer is responsible for ensuring that no sensitive data is uploaded to the Services unless Customer has obtained appropriate consents and lawful bases under Data Protection Laws.
Frequency of Transfer: Continuous, for the duration of the Agreement.
Nature and Purpose of Processing: Provider processes Customer Data for the purpose of providing the NextKS AI-powered knowledge management platform, including:
- User authentication and access control
- Knowledge base indexing and search
- AI-powered query responses using large language models
- Usage analytics and dashboards for Customer
- Platform security and fraud prevention
- Customer support
Retention Period: Customer Data is retained during the term of the Agreement. Upon termination, Customer Data is deleted or returned within thirty (30) days unless longer retention is required by law. See Section 3.8 and Provider's Privacy Policy for details.
Subprocessors: See Annex III.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be:
- For Customer located in the Czech Republic: Úřad pro ochranu osobních údajů (Czech Data Protection Authority)
- For Customers located in other EEA countries: The supervisory authority of the Customer's country in accordance with GDPR Article 51
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
Provider implements and maintains the following technical and organizational measures to protect Customer Data:
1. Access Control
Logical Isolation:
- Customer data is protected using a multi-tenant architecture with row-level security (RLS) policies in Supabase
- RLS ensures each customer's data is accessible only to that customer's authorized users
- Queries automatically filter data based on the authenticated user's tenant context
- Application-layer access controls enforce tenant boundaries
User Authentication:
- Role-based access control (RBAC) for Customer users
- Strong password requirements
- Secure session management
Staff Access:
- Provider staff access to Customer Data is limited to authorized personnel on a need-to-know basis
- Administrative access is logged and monitored
- Staff are bound by confidentiality obligations
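The following is an added illustration of the tenant-isolation pattern described under "Logical Isolation" above; it is not NextKS's schema, policy text or code. It shows how PostgreSQL row-level security, as exposed by Supabase, filters rows by the caller's tenant membership on reads and rejects cross-tenant writes. All table, column, policy and function names and the sample UUIDs are constructed for the example; it assumes Supabase's `auth.uid()` function (which reads the `sub` claim of the caller's JWT) and Supabase's `anon`, `authenticated` and `service_role` roles.

```sql
-- Added example, not NextKS's schema: PostgreSQL row-level security (RLS) on Supabase,
-- isolating tenants by membership. Names and UUIDs below are constructed for illustration.
-- Assumes Supabase's auth.uid() and its anon / authenticated / service_role roles.

create table tenants (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership is the single source of tenant context; every policy below derives from it.
-- (In production, add "references auth.users(id)"; omitted so the smoke test can seed users.)
create table tenant_members (
  tenant_id uuid not null references tenants(id) on delete cascade,
  user_id   uuid not null,
  role      text not null check (role in ('admin', 'member')),
  primary key (tenant_id, user_id)
);

create table kb_articles (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null references tenants(id) on delete cascade,
  title      text not null,
  body       text not null,
  created_by uuid not null
);

-- Users may read only their own membership rows. This is what lets the subquery in
-- is_tenant_member() run under the caller's role without policy recursion.
alter table tenant_members enable row level security;
create policy tenant_members_self on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- SECURITY INVOKER (the default): executes as the caller, so tenant_members' RLS applies.
create function is_tenant_member(t uuid) returns boolean
language sql stable as $$
  select exists (select 1 from tenant_members m
                 where m.tenant_id = t and m.user_id = auth.uid());
$$;

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
-- Superusers and roles with BYPASSRLS (Supabase's service_role) still bypass RLS entirely.
alter table kb_articles enable row level security;
alter table kb_articles force row level security;

-- USING filters rows on read; WITH CHECK validates rows being written, so a member cannot
-- insert into, or move a row into, a tenant they do not belong to.
create policy kb_articles_select on kb_articles for select to authenticated
  using (is_tenant_member(tenant_id));
create policy kb_articles_insert on kb_articles for insert to authenticated
  with check (is_tenant_member(tenant_id) and created_by = auth.uid());
create policy kb_articles_update on kb_articles for update to authenticated
  using (is_tenant_member(tenant_id)) with check (is_tenant_member(tenant_id));
create policy kb_articles_delete on kb_articles for delete to authenticated
  using (exists (select 1 from tenant_members m
                 where m.tenant_id = kb_articles.tenant_id
                   and m.user_id = auth.uid() and m.role = 'admin'));

-- With RLS enabled and no policy for anon, anon sees nothing; revoke privileges anyway.
revoke all on tenants, tenant_members, kb_articles from anon;
grant select, insert, update, delete on kb_articles to authenticated;
grant select on tenant_members to authenticated;

-- Smoke test with constructed data: two tenants, one user each.
-- Seed as a role that bypasses RLS (a superuser, or Supabase's postgres/service_role).
insert into tenants values ('11111111-1111-1111-1111-111111111111', 'Tenant A'),
                           ('22222222-2222-2222-2222-222222222222', 'Tenant B');
insert into tenant_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'member'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'admin');
insert into kb_articles (tenant_id, title, body, created_by) values
  ('11111111-1111-1111-1111-111111111111', 'A only', 'body text', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'B only', 'body text', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');

-- Impersonate user A the way Supabase's API layer does (role plus JWT claims), then query.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}', true);
select title from kb_articles;          -- filtered to tenants user A belongs to
-- A write targeting Tenant B fails the WITH CHECK predicate and aborts the transaction:
insert into kb_articles (tenant_id, title, body, created_by) values
  ('22222222-2222-2222-2222-222222222222', 'smuggled', 'body text', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
rollback;
```

Two checks a practitioner reviewing a measure like this would want to confirm: that every table holding Customer Data has RLS both enabled and forced (a missing `force` leaves the owner role unfiltered), and that the Supabase `service_role` key, which bypasses RLS, is used only server-side and never shipped to browsers or other clients, since application-layer tenant checks are then the only remaining boundary.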
2. Encryption
Data in Transit:
- TLS encryption for all data transmitted between Customer devices and Provider servers
- TLS encryption for data transmitted to Subprocessors (including Vercel, Supabase, OpenAI and Anthropic)
Data at Rest:
- Industry-standard encryption algorithms for data stored in Provider's databases
- Encrypted backups
3. Data Resiliency and Backup
- Regular automated backups of Customer Data
- Encrypted backups stored in EU region
- Disaster recovery procedures to restore service availability
- Backup retention in accordance with data retention schedule
4. Operational Security
- Firewalls and network segmentation
- Intrusion detection and prevention systems
- Anti-malware protections
- Regular security assessments and vulnerability scans
- Penetration testing
5. Incident Response
- Security incident response plan
- Monitoring and logging of security events
- Breach notification procedures compliant with GDPR Articles 33 and 34
6. Physical Security
- Customer Data hosted in certified data centers operated by Vercel and Supabase
- Physical access controls, surveillance, and monitoring at data center facilities
7. Security Testing and Compliance
- Regular vulnerability assessments
- Security patch management
- Staff security training
ANNEX III: SUBPROCESSORS
Provider currently engages the following Subprocessors to process Customer Data:
| Subprocessor | Service Provided | Data Location | Data Transferred |
|---|---|---|---|
| Vercel Inc. | Server hosting platform | EU (West Europe region) | All Customer Data (hosted in EU) |
| Supabase Inc. | Database and data storage | EU (West Europe region) | All Customer Data (stored in EU) |
| OpenAI OpCo, LLC / OpenAI Ireland Ltd | AI processing (large language models for query responses and Q&A ticket processing) | United States | Query content, knowledge base snippets, and user names and email addresses associated with Q&A tickets |
| Anthropic PBC / Anthropic UK Ltd | AI processing (large language models for query responses and Q&A ticket processing) | United States | Query content, knowledge base snippets, and user names and email addresses associated with Q&A tickets |
| Salesforce, Inc. (Slack) | Messaging platform for Q&A ticket notifications and responses | EU (if Customer's Slack workspace is EU-configured) / United States | Q&A ticket content (including user names, email addresses, query content, and AI-generated responses) |
| Microsoft Corporation (Microsoft Teams) | Messaging platform for Q&A ticket notifications and responses | EU (if Customer's Teams tenant is EU-configured) / United States | Q&A ticket content (including user names, email addresses, query content, and AI-generated responses) |
Data Processing Agreements:
- Provider has executed Data Processing Agreements with all Subprocessors listed above
- All Subprocessors are contractually bound to Standard Contractual Clauses for international data transfers where applicable
- Vercel DPA: https://vercel.com/legal/dpa
- Supabase DPA: Executed
- OpenAI DPA: Executed (October 2024)
- Anthropic DPA: Executed
- Slack: Processing governed by Salesforce DPA (https://www.salesforce.com/company/privacy/)
- Microsoft Teams: Processing governed by Microsoft DPA (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA)
LLM Provider Specific Terms:
- OpenAI: Retains API data for maximum 30 days, after which it is deleted. Does not use Customer Data to train general-purpose AI models. Data is transferred to the United States; transfers are protected by Standard Contractual Clauses.
- Anthropic: Data retained for duration of agreement; deleted within 30 days of termination. Does not use Customer Data to train general-purpose AI models. Processing limited to providing/maintaining the service, verifying quality/security, and debugging. 48-hour breach notification. AES-256 encryption at rest, TLS 1.2+ in transit. Sub-processors listed at trust.anthropic.com/subprocessors (15-day objection period). Data is transferred to the United States; transfers are protected by Standard Contractual Clauses (governed by Irish law).
- Data transmitted to LLM providers includes user names and email addresses where necessary for Q&A ticket processing and routing functionality.
Messaging Platform Specific Terms:
- Slack / Microsoft Teams: NextKS pushes Q&A ticket content (including user names, email addresses, query text, and AI-generated responses) to the Customer's configured messaging platform. Data location depends on the Customer's own Slack workspace or Microsoft Teams tenant configuration. Customers are responsible for ensuring their messaging platform configuration meets their data residency requirements. NextKS does not control data retention or access policies within the Customer's messaging platform.
Notification of Changes: Provider will notify Customer of any new or replacement Subprocessors in accordance with Section 3.4(c) of this DPA (30 days' prior notice).
END OF DATA PROCESSING AGREEMENT
EXECUTION
This Data Processing Agreement is incorporated into and forms part of the Agreement between the Parties. By accepting the NextKS Terms of Service or executing an Order Form, Customer agrees to the terms of this DPA.
For T-SolArch s.r.o. (NextKS):
Signature: ___________________________
Name: Tomáš Franc
Title: Managing Director
Date: ___________________________
For Customer:
Signature: ___________________________
Name: ___________________________
Title: ___________________________
Date: ___________________________