Ken AI

Ken AI Data Processing Addendum

Company: Ken Technology LLC
Website: https://getken.ai
Contact: [email protected]
Effective Date: May 7, 2026
Last Updated: May 7, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Ken Technology LLC ("Ken") and the client entity that signs or accepts an agreement for Ken's services ("Client"). This DPA applies when Ken processes Client Personal Data on behalf of Client as a processor, service provider, or contractor.

1. Relationship to the Agreement

1.1 Incorporation. This DPA is incorporated into the Terms of Service, Service Agreement, Order Form, or other agreement between Ken and Client governing the Services (the "Agreement").

1.2 Order of precedence. If there is a conflict between this DPA and the Agreement regarding processing of Client Personal Data, this DPA controls. The Standard Contractual Clauses control to the extent required by applicable data transfer law.

1.3 Scope. This DPA applies only to Client Personal Data processed by Ken on behalf of Client. This DPA does not apply to personal information that Ken processes as an independent controller or business, such as Ken account data, billing data, security logs, Ken-Sourced Data in the Ken Database, Ken's own marketing data, or Suppression Data retained by Ken for independent compliance purposes.

2. Definitions

2.1 Applicable Data Protection Laws means all privacy, data protection, and data security laws applicable to the processing of Client Personal Data under the Agreement, including where applicable GDPR, UK GDPR, Swiss data protection law, EU ePrivacy rules, UK PECR, CCPA/CPRA, other U.S. state privacy laws, and similar laws.

2.2 Client Personal Data means personal data, personal information, or similar regulated information that Client provides to Ken or instructs Ken to process on Client's behalf under the Agreement.

2.3 Controller, Processor, Data Subject, Personal Data, Processing, and Supervisory Authority have the meanings given in GDPR or other Applicable Data Protection Laws.

2.4 CCPA Terms. For purposes of U.S. state privacy laws, "business," "service provider," "contractor," "consumer," "personal information," "sale," "sharing," and similar terms have the meanings given under applicable U.S. state privacy laws.

2.5 Security Incident means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data processed by Ken under this DPA.

2.6 Subprocessor means a third party engaged by Ken to process Client Personal Data on behalf of Client in connection with the Services.

2.7 Standard Contractual Clauses or SCCs means the European Commission's standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914, as updated, replaced, or superseded.

3. Roles of the Parties

3.1 Client as controller or business. Client is the controller, business, or equivalent entity for Client Personal Data. Client determines the purposes and means of processing Client Personal Data and is responsible for compliance with Applicable Data Protection Laws.

3.2 Ken as processor, service provider, or contractor. Ken processes Client Personal Data as processor, service provider, or contractor on behalf of Client and only for the purposes described in the Agreement, this DPA, documented instructions, and Applicable Data Protection Laws.

3.3 Ken as independent controller. Ken may process certain data as an independent controller or business, including Ken account data, billing data, security logs, service analytics, Ken-Sourced Data in the Ken Database, and Suppression Data retained for compliance. Such processing is governed by Ken's Privacy Policy and the Agreement, not this DPA.

3.4 Ad platform integrations. Where Client instructs Ken to sync Ad Audience Data to ad platforms, Client is responsible for determining whether such data is eligible for advertising, matching, measurement, or retargeting and for providing all required notices, consents, opt-outs, and platform certifications.

4. Client Obligations

4.1 Lawful instructions. Client will provide only lawful instructions and will ensure that its instructions comply with Applicable Data Protection Laws.

4.2 Legal basis. Client is responsible for establishing and documenting a valid legal basis for processing Client Personal Data, including any required consent, legitimate interest assessment, notice, contract necessity, or other basis.

4.3 Notices and rights. Client is responsible for providing required privacy notices, honoring privacy rights, maintaining suppression lists, and handling data subject requests unless Ken expressly agrees otherwise.

4.4 Data quality and restrictions. Client is responsible for the accuracy, quality, legality, and source of Client Personal Data. Client must not provide Restricted Data, sensitive data, special category data, children's data, consumer credit data, or similar high-risk data unless Ken expressly agrees in writing and additional required terms and safeguards are in place.

4.5 Compliance for Campaigns. Client is responsible for compliance with laws governing outbound marketing, email, retargeting, audience matching, advertising claims, and target jurisdictions, including consent requirements where applicable.

5. Ken Processing Obligations

5.1 Documented instructions. Ken will process Client Personal Data only on Client's documented instructions, including the Agreement, Campaign settings, Client approvals, Service Agreement, Order Form, and written instructions, unless required by law. If Ken believes an instruction violates Applicable Data Protection Laws, Ken will notify Client unless prohibited by law.

5.2 Personnel confidentiality. Ken will ensure that persons authorized to process Client Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality obligations.

5.3 Security. Ken will implement and maintain appropriate technical and organizational measures designed to protect Client Personal Data, as described in Annex II.

5.4 Data subject requests. Taking into account the nature of the processing, Ken will provide reasonable assistance to Client for responding to data subject requests relating to Client Personal Data. If Ken receives a request directly and identifies it as relating to Client Personal Data, Ken may redirect the requester to Client or notify Client, unless prohibited by law.

5.5 Assistance. Taking into account the nature of processing and information available to Ken, Ken will provide reasonable assistance to Client for security obligations, breach notifications, data protection impact assessments, prior consultations, and privacy rights requests, to the extent required by Applicable Data Protection Laws.

5.6 Records. Ken will maintain records of processing as required by Applicable Data Protection Laws.

5.7 Compliance information. Ken will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and third-party restrictions.

6. CCPA and U.S. State Privacy Terms

6.1 Service provider and contractor restrictions. To the extent Client Personal Data is subject to CCPA/CPRA or similar U.S. state privacy laws and Ken acts as a service provider, contractor, or processor, Ken will not:

  • sell or share Client Personal Data;
  • retain, use, or disclose Client Personal Data outside the business purposes of providing the Services or as otherwise permitted by law;
  • retain, use, or disclose Client Personal Data for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by law;
  • retain, use, or disclose Client Personal Data outside the direct business relationship between Ken and Client, except as permitted by law;
  • combine Client Personal Data with personal information Ken receives from another source, except as permitted by law.

6.2 Permitted purposes. Ken may process Client Personal Data to provide, secure, maintain, support, improve, and analyze the Services; detect security incidents; protect against fraud or illegal activity; comply with law; maintain suppression and compliance records; and exercise rights under the Agreement, in each case as permitted by Applicable Data Protection Laws.

6.3 Notification. Ken will notify Client if Ken determines it can no longer meet its obligations under applicable U.S. state privacy laws.

6.4 Client monitoring. Client may take reasonable and appropriate steps to help ensure Ken's use of Client Personal Data is consistent with Client's obligations under applicable U.S. state privacy laws, including through the audit mechanism in this DPA.

7. Subprocessors

7.1 General authorization. Client grants Ken general authorization to engage Subprocessors to process Client Personal Data in connection with the Services.

7.2 Subprocessor obligations. Ken will impose data protection obligations on Subprocessors that are materially no less protective than those in this DPA, to the extent applicable to the Subprocessor's processing.

7.3 Current Subprocessors. Ken's current Subprocessor categories and material named service providers are set out in Annex III. For security, confidentiality, and vendor-management reasons, Ken may describe certain infrastructure, database, enrichment, support, analytics, CRM, and internal-operations providers by category. Where required by Applicable Data Protection Laws or a signed agreement, Ken will provide more detailed current subprocessor information to Client upon written request, subject to confidentiality, security, and third-party restrictions.

7.4 Changes. Ken may add or replace Subprocessors. Where required by Applicable Data Protection Laws, Ken will provide notice of material Subprocessor changes by email, website notice, in-app notice, or other reasonable means. Client may object on reasonable data protection grounds within ten days after notice. If the parties cannot resolve the objection, Ken may suspend the affected processing or Client may terminate the affected Services as its sole remedy.

7.5 Responsibility. Ken remains responsible for Subprocessors' performance of their data protection obligations to the extent required by Applicable Data Protection Laws.

8. International Data Transfers

8.1 Processing locations. Ken processes data in the United States and the European Union, including the Netherlands and Germany. Subprocessors may process Client Personal Data in the United States, European Union, United Kingdom, and other jurisdictions.

8.2 EEA transfers. For transfers of Client Personal Data from the European Economic Area to a country that does not provide an adequate level of protection, the SCCs are incorporated by reference and apply as follows: Module Two applies where Client is controller and Ken is processor; Module Three applies where Client is processor and Ken is subprocessor; the optional docking clause applies; Clause 7 applies; Clause 9 Option 2 applies with a notice period of ten days; Clause 11 optional language is omitted; Clause 17 is governed by the law of Ireland unless otherwise required; and Clause 18 provides for jurisdiction in the courts of Ireland unless otherwise required.

8.3 UK transfers. For transfers subject to UK GDPR, the SCCs apply together with the UK International Data Transfer Addendum or UK International Data Transfer Agreement, as applicable.

8.4 Swiss transfers. For transfers subject to Swiss data protection law, the SCCs apply with modifications required for Swiss law, including references to the Swiss Federal Data Protection and Information Commissioner and Swiss law where applicable.

8.5 Data Privacy Framework. Where a Subprocessor is certified under the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework, Ken may rely on that certification where legally available. If certification is unavailable or invalid, Ken will rely on SCCs, the UK Addendum, or another lawful transfer mechanism where required.

8.6 Supplementary measures. Ken will implement commercially reasonable supplementary measures where required, taking into account the nature of the data, processing, transfer, and available safeguards.

9. Security Incident Notification

9.1 Notice. Ken will notify Client without undue delay after confirming a Security Incident involving Client Personal Data. Notice may be provided by email, in-app notification, or other reasonable means.

9.2 Content. To the extent known and legally permitted, Ken's notice will include information reasonably available to Ken about the nature of the Security Incident, categories of affected data, likely consequences, mitigation measures, and contact information for follow-up.

9.3 Cooperation. Ken will take reasonable steps to contain, investigate, and remediate the Security Incident and will provide reasonable cooperation to Client for required notifications.

9.4 No admission. Ken's notification or response to a Security Incident is not an admission of fault or liability.

10. Audits and Compliance Reviews

10.1 Reports and information. Upon reasonable written request, Ken will provide available information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, questionnaire responses, policies, or third-party reports if available.

10.2 Audit limits. Unless required by Applicable Data Protection Laws or a regulator, audits are limited to once per calendar year, during normal business hours, with at least thirty days' notice, and subject to confidentiality, security, and reasonable scope limitations. Audits must not disrupt Ken's business or compromise other clients' data or Ken's security.

10.3 Independent auditor. Ken may require that audits be conducted by an independent auditor bound by confidentiality. Client is responsible for its audit costs and Ken's reasonable costs for extraordinary support.

10.4 Remediation. If an audit identifies a material non-compliance with this DPA, Ken will use commercially reasonable efforts to remediate it.

11. Return and Deletion

11.1 During the term. Ken will delete, return, or export Client Personal Data during the term where required by Applicable Data Protection Laws and reasonably possible through the Services, subject to the Agreement and technical limitations.

11.2 After termination. Unless the Agreement states otherwise, Client may request an export of available Client Personal Data before termination or within fourteen days after the effective termination date. After that period, Ken may archive, delete, or make unavailable active copies of Client Personal Data.

11.3 Deletion timeline. Ken may delete or make unavailable active copies of uploaded lead lists, replies, inboxes, Ken-Sourced Data delivered to Client to the extent held in Client's workspace, workspace-level opt-out lists, Campaign analytics, and related workspace data after fourteen days following termination or cancellation.

11.4 Retention exceptions. Ken may retain Client Personal Data where required or permitted by law, including for billing, tax, legal, security, fraud prevention, dispute resolution, compliance, backups, archival systems, performance fee attribution, and enforcement. Ken may retain minimal Suppression Data as needed to honor opt-outs and avoid future outreach.

11.5 Backups. Client Personal Data may remain in backups or disaster recovery systems until overwritten or deleted according to Ken's ordinary backup lifecycle, subject to access restrictions.

12. Liability

The liability and indemnification terms in the Agreement apply to this DPA, unless prohibited by Applicable Data Protection Laws.

13. Miscellaneous

13.1 No third-party beneficiaries. Except where required by the SCCs or Applicable Data Protection Laws, this DPA does not create third-party beneficiary rights.

13.2 Updates. Ken may update this DPA as needed to comply with Applicable Data Protection Laws, update Subprocessors, or reflect changes to the Services. Material adverse changes will be handled according to the Agreement.

13.3 Contact. DPA questions may be sent to [email protected].

Annex I - Details of Processing

A. Parties

Data exporter / Client: The Client entity identified in the Agreement.
Data importer / Processor: Ken Technology LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, United States.

B. Subject Matter

Ken provides managed B2B outbound, data enrichment, email infrastructure, AI personalization, analytics, reporting, reply handling, ad integration support, and related services to Client.

C. Duration

Processing continues for the term of the Agreement and for the post-termination retention period described in the Agreement and this DPA, unless a longer period is required or permitted by law.

D. Nature of Processing

Collection, receipt, hosting, storage, organization, structuring, enrichment, verification, deduplication, qualification, segmentation, scoring, personalization, AI processing, email generation, email transmission, tracking, reply processing, analytics, reporting, export, deletion, and related processing necessary to provide the Services.

E. Purposes of Processing

To provide the Services, including onboarding, list processing, Campaign execution, email verification, personalization, deliverability, reply handling, meeting attribution, reporting, analytics, integrations, support, security, compliance, and service improvement.

F. Categories of Data Subjects

  • Client's employees, contractors, representatives, and Authorized Users;
  • Prospects, leads, business contacts, customer contacts, target account contacts, and other business contacts supplied or authorized by Client;
  • individuals who interact with Campaigns, including people who open, click, reply, unsubscribe, or book meetings;
  • Client customers, competitors, partners, or excluded contacts included in blocklists or suppression lists.

G. Categories of Client Personal Data

  • names;
  • business email addresses;
  • phone numbers if provided;
  • company name, company domain, job title, department, seniority, role, and professional profile URLs;
  • CRM records, account notes, calendar or scheduling metadata, meeting attribution data, and lead status;
  • Client Content, Campaign instructions, target audience descriptions, blocklists, customer lists, competitor lists, and suppression lists;
  • email verification results, segmentation, scoring, enrichment, and qualification information;
  • Campaign engagement data, including sends, opens, clicks, bounces, replies, unsubscribe events, timestamps, sentiment tags, and related analytics;
  • IP address, user-agent, device/browser information, and anti-bot indicators related to Campaign engagement where applicable;
  • support communications and operational logs.

H. Sensitive Data

None expected. Client must not provide sensitive data, special category data, consumer credit data, children's data, health data, financial account data, government identifiers, or similar Restricted Data unless expressly agreed in writing.

I. Frequency of Transfer

Continuous or as initiated by Client, Authorized Users, Campaign settings, integrations, or the Services.

J. Retention

As described in the Agreement and Section 11 of this DPA. Active workspace data may be archived, deleted, or made unavailable after fourteen days following termination or cancellation, subject to retention exceptions.

K. Competent Supervisory Authority

For SCC purposes, the competent supervisory authority will be determined under the SCCs based on the data exporter and applicable law. If no supervisory authority can be determined, the parties will use the Irish Data Protection Commission unless another authority is legally required.

Annex II - Technical and Organizational Measures

Ken maintains commercially reasonable technical and organizational measures designed to protect Client Personal Data. Measures may include:

1. Access Control

  • role-based access controls and least-privilege access;
  • unique user accounts where appropriate;
  • authentication controls;
  • access review and removal procedures;
  • restrictions on production data access based on job function.

2. Confidentiality and Personnel Controls

  • confidentiality obligations for personnel and contractors;
  • internal policies and procedures for handling Client Data;
  • limited access to Client Personal Data based on business need;
  • security awareness and operational guidance appropriate to role.

3. Encryption and Transmission Security

  • encryption in transit using industry-standard protocols where appropriate;
  • encryption at rest where appropriate and supported by systems;
  • secure transfer mechanisms for sensitive operational data where feasible.

4. Infrastructure and Network Security

  • cloud and infrastructure security controls;
  • network and account monitoring;
  • logging and audit trails where appropriate;
  • defensive security methods designed to detect abuse, unauthorized access, and suspicious activity;
  • vulnerability management and patching practices appropriate to the systems used.

5. Data Segregation and Minimization

  • logical segregation of client workspaces or Campaigns where appropriate;
  • data minimization in AI and integration workflows where feasible;
  • limited retention practices and deletion or archival procedures.

6. Availability and Resilience

  • backup and recovery practices;
  • operational monitoring;
  • incident response procedures;
  • redundancy or recovery measures where commercially reasonable.

7. Vendor and Subprocessor Controls

  • review of vendors and Subprocessors based on data sensitivity and service function;
  • contractual or platform terms requiring confidentiality and data protection;
  • data processing terms with material Subprocessors where appropriate.

8. Incident Response

  • procedures to identify, investigate, contain, and remediate suspected security incidents;
  • escalation and notification processes;
  • post-incident review where appropriate.

Ken does not claim SOC 2, ISO 27001, or similar certification unless expressly stated in writing.

Annex III - Subprocessors and Third-Party Services

This Annex identifies material named providers and categories of third-party services used to provide the Services. Ken does not publicly list every cloud, database, enrichment, email-verification, support, analytics, CRM, security, monitoring, or internal-operations tool for security and confidentiality reasons. Where required by Applicable Data Protection Laws or a signed agreement, Ken will provide more detailed subprocessor information to Client upon written request, subject to confidentiality, security, and third-party restrictions.

A. AI and Model Providers

  • Anthropic - AI generation, evaluation, classification, and personalization - United States/global.
  • OpenAI - AI generation, evaluation, classification, and personalization - United States/global.
  • OpenRouter - model routing and AI infrastructure - United States/global.
  • Together AI - AI generation and inference infrastructure - United States/global.
  • Fireworks AI - AI generation and inference infrastructure - United States/global.

Ken does not currently use Google Gemini or other Google AI model services for Campaign generation, evaluation, classification, or personalization.

B. Cloud, Hosting, Database, and Infrastructure Providers

  • Cloud, hosting, compute, database, storage, backup, security, logging, monitoring, and infrastructure providers - hosting, storage, compute, backups, monitoring, security, and related infrastructure operations - United States, Netherlands, Germany, and/or other regions where permitted by the Agreement and Applicable Data Protection Laws.

C. Email, Domain, and Deliverability Infrastructure

  • Google / Google Workspace - email, authentication, and Google Ads integrations where enabled - United States/global. This does not include Google Gemini or Google AI model services.
  • Microsoft / Outlook - email, authentication, or integration services where enabled - United States/global.
  • Domain registrars, DNS providers, SMTP providers, email infrastructure providers, deliverability providers, email verification providers, and warmup or reputation-monitoring providers - domain registration, DNS, email sending, email verification, deliverability monitoring, and related operations - United States, European Union, and/or global.

D. Data, Enrichment, and Verification Providers

  • Business data, enrichment, email verification, public web data, qualification, segmentation, and data-validation providers - B2B data sourcing, enrichment, verification, validation, and qualification - United States, European Union, and/or global.

E. Advertising and Retargeting Platforms

  • Meta - advertising, audience matching, retargeting, lookalike audiences, and measurement where enabled - United States/global.
  • Google - advertising, audience matching, retargeting, Customer Match, lookalike/similar functionality where available, and measurement where enabled - United States/global. This does not include Google Gemini or Google AI model services.
  • Other ad platforms, if enabled by Client or agreed in a Service Agreement - advertising, audience matching, measurement, and retargeting - locations depend on the platform.

F. Payments, Support, Analytics, and Business Operations

  • Stripe - payment processing, billing, invoicing, and fraud prevention - United States/global.
  • Customer support, analytics, CRM, sales, customer operations, security, document-management, and internal collaboration providers - support communications, product analytics, customer operations, security, contracts, and business administration - United States, European Union, and/or global.

Annex IV - SCC Appendix Information

A. Data Exporter

The data exporter is the Client entity identified in the Agreement. Contact details are set out in the Agreement or Order Form.

B. Data Importer

Ken Technology LLC
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Contact: [email protected]
Privacy and Security Representative: Colton Sumners

C. Description of Transfer

The categories of data subjects, categories of personal data, sensitive data, frequency of transfer, nature of processing, purposes, retention, and subprocessors are described in Annexes I and III.

D. Technical and Organizational Measures

The technical and organizational measures are described in Annex II.

E. Docking Clause

The optional docking clause applies.