Skip to content

Data Processing Addendum

Draft — requires legal review before use

This Data Processing Addendum ("DPA") is a working draft and a binding contract once in force. It must be reviewed by a qualified data-protection lawyer before it is offered to or relied upon by customers. Do not present it as final.

Last updated: June 25, 2026

This DPA forms part of, and is incorporated into, the Terms of Service (the "Agreement") between the customer ("Controller", "you") and ARK Consulting (Jasminowa 6b/59, 05-825 Grodzisk Mazowiecki, Poland; NIP 8381725246) operating the KikiDoc service ("Processor", "KikiDoc", "we"). It applies where, and to the extent that, KikiDoc processes Personal Data contained in Customer Content on your behalf in the course of providing the Service, and where such processing is subject to the GDPR or UK GDPR.

By accepting the Agreement and using the Service, you accept this DPA on behalf of yourself and any entity you represent. Where a separate signed DPA is required, contact [email protected].

Order of precedence. In case of conflict on data-protection matters, this DPA prevails over the rest of the Agreement; the Standard Contractual Clauses, where they apply, prevail over this DPA.

1. Definitions

"GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR. "Personal Data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR. "Customer Content" has the meaning given in the Agreement. "Subprocessor" means a third party engaged by KikiDoc to process Personal Data. "Standard Contractual Clauses" ("SCCs") means the clauses approved by the European Commission for transfers of Personal Data to third countries.

2. Roles and scope of processing

  • For Personal Data contained in Customer Content, you are the Controller and KikiDoc is the Processor (or, where you act as a processor for a third party, KikiDoc is a sub-processor).
  • KikiDoc processes such Personal Data only to provide, secure, and maintain the Service.
  • The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are set out in Annex I.

3. Processing on documented instructions

  • KikiDoc will process Personal Data only on your documented instructions, including with regard to international transfers, unless required to act otherwise by applicable law (in which case KikiDoc will, where legally permitted, inform you of that requirement before processing).
  • Your use of the Service, and your configuration of it, constitute your instructions. KikiDoc will inform you if, in its opinion, an instruction infringes the GDPR or other data-protection law.

4. Confidentiality

KikiDoc ensures that persons authorized to process the Personal Data are bound by appropriate obligations of confidentiality.

5. Security

KikiDoc implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, costs, and the nature, scope, context, and purposes of processing (GDPR Art. 32). A summary of those measures is set out in Annex II and on our Security page.

6. Subprocessors

  • You provide general written authorization for KikiDoc to engage Subprocessors. The current Subprocessors are listed at Annex III / our Subprocessors page.
  • KikiDoc will give at least 30 days' prior notice of the addition or replacement of any Subprocessor (via the Subprocessors page and, on request, by email). You may object on reasonable data-protection grounds within that period; if the objection cannot be resolved in good faith, you may terminate the affected Service as your sole remedy.
  • KikiDoc imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains liable to you for a Subprocessor's performance of those obligations.

7. Data subject rights

Taking into account the nature of the processing, KikiDoc will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the GDPR. Where a data subject contacts KikiDoc directly about Customer Content, KikiDoc will refer them to you.

8. Assistance

KikiDoc will assist you, taking into account the nature of processing and the information available to it, in ensuring compliance with your obligations regarding: security of processing (Art. 32); personal data breach notification and communication (Arts. 33–34); data protection impact assessments (Art. 35); and prior consultation with a supervisory authority (Art. 36).

9. Personal data breach notification

KikiDoc will notify you without undue delay after becoming aware of a personal data breach affecting Personal Data processed under this DPA, and will provide information reasonably available to it to help you meet your own notification obligations.

10. International transfers

Where KikiDoc or a Subprocessor processes Personal Data outside the EEA or UK, the transfer is made under an adequacy decision, the EU Standard Contractual Clauses (and the UK Addendum where relevant), or another lawful transfer mechanism, which are incorporated into this DPA by reference and prevail over it in case of conflict.

11. Deletion or return

On termination of the Service, KikiDoc will, at your choice, delete or return the Personal Data processed under this DPA, and delete existing copies, unless applicable law requires continued storage. Routine deletion of artifacts and account data otherwise follows the retention periods in the Privacy Policy and Security page (e.g. artifacts auto-deleted after 24 hours; account data deleted/anonymized within 30 days of account deletion). Data in routine backups is deleted on the standard backup cycle.

12. Audits and information

KikiDoc will make available to you information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits are subject to reasonable advance notice, frequency limits, confidentiality obligations, and KikiDoc's security and operational requirements; KikiDoc may satisfy this obligation by providing relevant documentation where available.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (see Terms §12).

14. Term

This DPA takes effect when you accept the Agreement and continues for as long as KikiDoc processes Personal Data on your behalf. Provisions that by their nature should survive termination (including Sections 9–12) survive.

15. Governing law

This DPA is governed by the laws of Poland, except where the SCCs or mandatory data-protection law require otherwise.


Annex I — Details of processing

  • Subject matter: provision of the KikiDoc service (rendering HTML, templates, data, and URLs into PDFs and images, and related features).
  • Duration: the term of the Agreement plus any period until deletion/return under Section 11.
  • Nature and purpose: hosting, transmission, rendering, temporary storage, and deletion of Customer Content as needed to provide the Service.
  • Types of Personal Data: determined and controlled by you. Customer Content may contain any Personal Data you choose to submit — for example names, contact details, addresses, order/invoice details, or other fields included in the documents you generate. KikiDoc does not require or specify particular categories.
  • Categories of data subjects: determined and controlled by you — for example your customers, end-users, employees, or other individuals whose data appears in Customer Content.
  • Special-category data: the Service is not intended for special categories of Personal Data (Art. 9) or criminal-offence data; you should not submit such data unless separately agreed in writing.

Annex II — Technical and organizational measures

The technical and organizational measures KikiDoc applies are described on the Security page, which forms part of this DPA. They include, among others: encryption in transit (TLS); encryption at rest for the database, object storage, and stored credentials; hashed passwords; per-organization tenant isolation; scoped API keys and token-based authentication; SSRF protections; signed webhook callbacks; rate limiting and quotas; automatic deletion of rendered artifacts; logging and monitoring; and breach response.

Annex III — Subprocessors

The current list of Subprocessors, their roles, and processing locations is maintained at our Subprocessors page, which forms part of this DPA.