Data Processing Agreement

Last updated: January 15, 2026

1. Overview

This Data Processing Agreement ("DPA") forms part of the agreement between Jishu Labs, Inc. ("Processor") and the entity agreeing to these terms ("Controller") for the provision of the Kiku Service. This DPA reflects the parties' commitment to comply with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Sub-processor" means any third party engaged by Jishu Labs to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.

3. Scope of Processing

The Processor shall process Personal Data only as necessary to provide the Kiku Service, as documented in the main service agreement and this DPA. Categories of data processed include:

  • Account information (name, email, authentication tokens)
  • Usage telemetry (anonymized feature usage, performance metrics)
  • Code metadata (file structure, import graphs - not source code)
  • Chat history and AI interactions (if using Kiku Chat features)

4. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller
  • Ensure all personnel processing data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject rights requests
  • Notify the Controller of any data breach without undue delay (within 48 hours)
  • Delete or return all Personal Data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall maintain a current list of sub-processors and notify the Controller at least 30 days before adding or replacing a sub-processor. Current sub-processors include:

Sub-processor          Purpose                               Location
Amazon Web Services    Cloud infrastructure and hosting      US, EU
Supabase               Database and authentication           US
Stripe                 Payment processing                    US
OpenAI                 AI model inference (chat features)    US

6. International Transfers

For transfers of Personal Data outside the European Economic Area, the Processor relies on Standard Contractual Clauses (EU Commission Decision 2021/914) supplemented by additional safeguards as necessary. The Controller may request a copy of the applicable transfer mechanism.

7. Security Measures

The Processor implements and maintains technical and organizational measures as described in the Kiku Security page, including AES-256 encryption at rest, TLS 1.3 in transit, SOC 2 Type II certified infrastructure, regular penetration testing, and role-based access controls. Detailed security documentation is available upon request.

8. Requesting a Signed DPA

Enterprise and Team customers can request a signed copy of this DPA. Contact our legal team to initiate the process.

DPA Requests

Email: legal@jishulabs.com

Typical turnaround: 3-5 business days