This Data Processing Agreement ("DPA") forms part of our Terms & Conditions and sets out the terms on which we process personal data on your behalf when you use Kandorly (the "Service"). Where you are subject to the EU or UK GDPR, this DPA is intended to satisfy Article 28. It supplements our Privacy Policy.
For the personal data you put into the Service - including reviewees, reviewers, invitations, and feedback responses - you (the customer) act as the data controller and we, the Kandorly team, act as your data processor. This DPA governs that processing. For personal data relating to your own account and billing, we act as controller, as described in our Privacy Policy.
The subject matter of the processing is the personal data contained in the feedback workflows you run in the Service. We process this data for the duration of your use of the Service and for as long as needed to provide it. The nature and purpose of the processing is to host, collect, organise, store, and make available feedback so that a manager can run review cycles and prepare summaries - all in accordance with your instructions and the Service's confidential-to-the-manager design.
The personal data we process on your behalf may include names, email addresses, roles, feedback responses (which may include opinions and free-text comments), ratings, and invitation and completion status. The data subjects are the people you involve in feedback: reviewees, reviewers, and the managers and users within your organisation. You must not use the Service to submit special-category data unless you have a lawful basis to do so and have configured the workflow appropriately.
We will:
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include encryption in transit, access controls and least-privilege access, secure authentication, logging and monitoring, and privacy-by-design measures that keep feedback confidential to the manager - including never logging feedback text together with reviewer identity, and disclosing a reviewer's name to the reviewee only where that reviewer has explicitly opted in.
You authorise us to engage sub-processors to help provide the Service - including our cloud hosting and database provider, our authentication provider, our payment processor (Paddle), and our email provider. We impose data-protection obligations on each sub-processor that are equivalent to those in this DPA, and we remain responsible for their performance. We will make a current list of sub-processors available on request and will give you a reasonable opportunity to object to changes.
Where we or our sub-processors transfer personal data outside the European Economic Area or the UK, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant), together with any additional safeguards required to ensure an equivalent level of protection.
Taking into account the nature of the processing and the information available to us, we will assist you in responding to data-subject requests and in meeting your obligations around security, data-protection impact assessments, and consultation with supervisory authorities. We will notify you without undue delay after becoming aware of a personal data breach affecting the data we process on your behalf, and provide the information you reasonably need to meet your own notification obligations.
On termination of the Service, or at your request, we will delete or return the personal data we process on your behalf and delete existing copies, except to the extent we are required by law to retain it. Where deletion is not immediate, we will continue to protect the data and stop actively processing it.
We will make available to you the information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. Where available, we may satisfy audit requests by providing relevant certifications or third-party reports.
To request a signed copy of this DPA, our sub-processor list, or to raise a data-protection question, email us at info@kandorly.com.