Legal
Last updated: April 19, 2026
This Data Processing Agreement ("DPA") forms part of the kavachOS Cloud Terms of Service between GLINR (the "Data Processor") and the customer entity ("Data Controller") and sets out the terms under which GLINR processes personal data on behalf of the customer in connection with the kavachOS Cloud service.
This DPA is intended to comply with the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection legislation in other applicable jurisdictions.
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given to them in applicable data protection law. "Customer Data" means any personal data submitted to or generated by the kavachOS Cloud service by or on behalf of the customer.
GLINR processes Customer Data solely to provide the kavachOS Cloud service as described in the Terms of Service and as further documented in our Privacy Policy. Processing activities include storing user account credentials, session tokens, audit logs, and authentication event records in the customer's tenant database.
Categories of data subjects: the customer's end users who authenticate via the kavachOS platform. Categories of personal data: email addresses, hashed credentials, session metadata, and IP addresses associated with authentication events.
GLINR processes Customer Data only on documented instructions from the customer, including as set out in this DPA and the Terms of Service. GLINR will promptly notify the customer if it believes an instruction infringes applicable data protection law, unless prohibited from doing so.
GLINR ensures that personnel authorized to process Customer Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
GLINR implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
The customer provides general authorization for GLINR to engage sub-processors to deliver the kavachOS Cloud service. GLINR will notify the customer of intended changes to sub-processors (additions or replacements) by updating this page and providing at least 30 days notice before any new sub-processor begins processing Customer Data.
Current sub-processors
Cloudflare, Inc.
Infrastructure provider. kavachOS Cloud runs on Cloudflare Workers (compute), D1 (SQL database), KV (key-value store), and Durable Objects (stateful coordination). Cloudflare processes Customer Data as part of serving API requests and storing tenant databases.
Location: USA (global edge network)
Stripe, Inc.
Payment processing. Stripe processes billing information including customer name, billing address, and payment method details. kavachOS does not store raw card data. Stripe is PCI-DSS Level 1 certified.
Location: USA
PostHog, Inc.
Product analytics. PostHog processes anonymized usage events and session telemetry to help us improve the product. Analytics data is routed through a first-party proxy and does not include Customer Data from tenant databases.
Location: USA
Vercel, Inc.
Dashboard and marketing site hosting. Vercel processes request metadata (IP addresses, headers) for the dashboard and marketing applications. Vercel Analytics collects aggregate page-level metrics without cookies or PII.
Location: USA
Resend, Inc.
Transactional email. Resend processes the recipient email address and email content for magic-link authentication emails and account notifications. Resend does not use this data for its own purposes.
Location: USA
GLINR enters into data processing agreements with each sub-processor that impose data protection obligations at least as protective as those in this DPA.
GLINR will assist the customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, and portability). Customers may submit data subject requests to hello@kavachos.com.
GLINR will notify the customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. Notifications will include the information required under Article 33(3) of the GDPR to the extent available at that time.
Where Customer Data is transferred to countries outside the European Economic Area, such transfers are made pursuant to Standard Contractual Clauses adopted by the European Commission or another lawful transfer mechanism. Cloudflare, Stripe, PostHog, Vercel, and Resend are all covered by Standard Contractual Clauses or equivalent safeguards.
Upon termination of the service or at the customer's request, GLINR will delete or return all Customer Data within 30 days, and delete existing copies unless applicable law requires retention. Customers can also initiate account deletion at any time from the dashboard settings.
GLINR will make available to the customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits and inspections conducted by the customer or its designee, subject to reasonable notice and confidentiality obligations.
Enterprise customers requiring a countersigned DPA for procurement purposes can request an executed copy by emailing hello@kavachos.com with the subject line "DPA request". Please include your company name, primary contact, and any jurisdiction-specific requirements. We aim to turn these around within 5 business days.