Data Processing Agreement (DPA)

Effective Date: July 8, 2026

This Data Processing Agreement ("DPA") supplements the Krenalis Terms of Service or other main commercial agreement ("Agreement") entered into by and between Open2b Software snc ("Krenalis") and the entity agreeing to these terms ("Customer").
This DPA governs the processing of personal data in connection with the Krenalis Managed Cloud service. By subscribing to or using the Service, Customer agrees to be bound by this DPA.

1. Definitions

  • "Applicable Data Protection Laws" means all privacy and data protection laws applicable to the processing of Personal Data under the Agreement, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA"), as amended.
  • "Customer Personal Data" means any Personal Data processed by Krenalis on behalf of the Customer through the deployment and execution of the Managed Cloud orchestration service.
  • "Data Controller", "Data Processor", "Data Subject", "Processing", and "Supervisory Authority" shall have the meanings ascribed to them under the GDPR.

2. Roles and Scope of Processing

2.1 Role Alignment:

The parties acknowledge and agree that with respect to the Customer Personal Data, Customer acts as the Data Controller and Krenalis acts strictly as a Data Processor.

2.2 Instructions:

Krenalis shall process Customer Personal Data only on behalf of and in accordance with the documented instructions of the Customer, including with respect to transfers of Personal Data to a third country. The Agreement and this DPA constitute the Customer’s complete instructions.

2.3 Purpose:

The scope, nature, and purpose of the processing are strictly limited to providing the warehouse-native Customer Data Platform (CDP) orchestration services, pipeline executions, and dashboard access as defined in the main Agreement.

3. The Warehouse-Native & Zero-Retention Principle

3.1 In-Flight Processing Only:

The parties expressly acknowledge that Krenalis operates on a warehouse-native architecture designed to avoid persistent ingestion or storage of Customer's end-user Personal Data. Any end-user data passing through Krenalis connectors is processed strictly "in-flight" within volatile server memory or computed directly inside the Customer's own connected data warehouse environment (e.g., Snowflake, BigQuery).

3.2 Zero Persistence:

Krenalis does not copy, replicate, or archive end-user personal profiles permanently on its own storage systems. Once a pipeline sync concludes, zero persistent end-user data remains on Krenalis infrastructure.

3.3 Infrastructure Metadata:

Customer acknowledges that Krenalis stores system configuration metadata, execution logs (row counts, timestamps), schemas, and encrypted warehouse credentials strictly necessary to manage the orchestration service.

4. Technical and Organizational Security Measures

4.1 Security Framework:

Krenalis shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4.2 Core Safeguards:

Such measures include, but are not limited to:

  • Industry-standard encryption of connection credentials and API keys at rest (AES-256).
  • Strict encryption of all automated pipeline traffic in transit (TLS 1.3).
  • Role-Based Access Controls (RBAC) ensuring only authorized systems or explicit Customer actions trigger operations.
  • Routine monitoring, logging, and infrastructure patching.

5. Sub-processors

5.1 Appointment

Customer grants Krenalis general authorization to engage third-party infrastructure providers ("Sub-processors") to support the delivery of the Managed Cloud environment.

5.2 Obligations

Krenalis shall enter into a written agreement with each Sub-processor imposing data protection obligations no less restrictive than those imposed on Krenalis under this DPA. Krenalis remains fully liable to the Customer for the performance of the Sub-processor’s obligations.

5.3 Current List

Krenalis currently engages the following core sub-processors:

  • Amazon Web Services EMEA SARL (AWS): Cloud hosting and compute infrastructure.

6. Data Subject Rights and Cooperation

6.1 Data Subject Requests

Given the warehouse-native nature of the service, Krenalis does not maintain a permanent database of end-users and cannot directly delete or modify end-user profiles. Customer, as the Controller, maintains full control over the data stored within their warehouse.

6.2 Assistance

To the extent feasible, Krenalis shall provide reasonable assistance to help Customer respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (e.g., access, rectification, or erasure requests fulfilled inside the Data Warehouse).

7. Personal Data Breaches

7.1 Notification

Krenalis shall notify Customer without undue delay, and in any event within forty-eight (48) business hours, after becoming aware of a confirmed Personal Data Breach affecting Krenalis infrastructure that impacts Customer’s service metadata or credentials.

7.2 Mitigation

Krenalis shall take immediate, reasonable steps to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

8. International Data Transfers

8.1 Location

Krenalis hosts its core dashboard applications and metadata storage systems on secure servers located within the European Economic Area (EEA).

8.2 Safeguards

If any processing involves a transfer of Customer Personal Data outside the EEA to a country not recognized as providing an adequate level of data protection, the parties agree to rely on Standard Contractual Clauses (SCCs) approved by the European Commission, which are hereby incorporated by reference.

9. Deletion of Data

9.1 Termination

Upon termination or expiration of the main Agreement, Krenalis shall securely delete all encrypted warehouse credentials, user logins, pipeline configurations, and metadata logs within thirty (30) days, unless applicable law requires retention of certain technical logs.

10. Governing Law

This DPA shall be governed by and construed in accordance with the law of the jurisdiction specified in the main Agreement, or where no such jurisdiction is specified, the laws of Italy.

Appendix: Details of Processing

Categories of Data Subjects: Customer’s employees/users (platform operators) and Customer's end-user customers (whose data transits transiently via connectors).

Types of Personal Data:

  • For Operators: Names, professional emails, corporate roles, access logs.
  • For End-Users: Structural schema metadata, identifiers transit in-flight during sync pipelines.

Frequency of Processing: Continuous and automated, based on the schedules configured by the Customer.