Data Protection Addendum

Last updated: 03-25-2026

This Data Protection Addendum (“DPA”) is incorporated into and forms part of the Service Subscription Agreement or other written agreement between Kobiton and Customer governing Customer’s use of the Services (the “Agreement”).

1. Definitions

1.1 Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

1.2 For purposes of this DPA, the following terms have the meanings below:

“Agreement” means the Service Subscription Agreement or other written agreement between Customer and Kobiton that incorporates this DPA.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data under Data Protection Legislation.

“Customer Personal Data” means any Personal Information contained in Customer Content and any Personal Information contained in Account-Related Information to the extent Kobiton Processes such Personal Information on Customer’s behalf in connection with the Services.

“Data Protection Legislation” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, where applicable, the GDPR, the UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and applicable U.S. state privacy laws, in each case as amended, replaced, or superseded from time to time.

“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.

“Delete” means to delete, erase, or render permanently unreadable and incapable of reconstruction.

“EEA” means the European Economic Area.

“EU SCCs” means the European Commission’s standard contractual clauses for the transfer of personal data to third countries adopted pursuant to Commission Implementing Decision (EU) 2021/914, as may be amended, replaced, or superseded from time to time.

“GDPR” means Regulation (EU) 2016/679.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Kobiton in connection with the Services.

“Process” and “Processing” mean any operation or set of operations performed on Customer Personal Data, whether or not by automated means, as defined by Data Protection Legislation.

“Processor” means the entity that Processes Personal Data on behalf of the Controller under Data Protection Legislation.

“Restricted Transfer” means any transfer of Customer Personal Data for which Data Protection Legislation requires appropriate safeguards or another valid transfer mechanism in order for the transfer to lawfully occur.

“Security Incident” means any actual breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Content or Customer Personal Data Processed by Kobiton in connection with the Services.

“Subprocessor” means any third party engaged by Kobiton to Process Customer Personal Data on behalf of Customer in connection with the Services.

“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as may be amended, replaced, or superseded from time to time.

“UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2. Scope, Roles, and Order of Precedence

2.1 This DPA applies only to the extent Kobiton Processes Customer Personal Data on behalf of Customer in connection with the Services.

2.2 For the Processing of Customer Personal Data subject to this DPA, Customer is the Controller and Kobiton is the Processor.

2.3 Notwithstanding Section 2.2, Kobiton acts as an independent Controller, and not as Customer’s Processor, with respect to Account-Related Information that Kobiton Processes for its own business purposes, including account administration, contract management, billing, payment collection, fraud prevention, security, service improvement, marketing, and compliance with law.

2.4 If and to the extent applicable U.S. state privacy laws classify Kobiton as a “service provider,” “contractor,” or “processor,” Kobiton shall not:
(a) sell or share Customer Personal Data;
(b) retain, use, or disclose Customer Personal Data for any purpose other than providing the Services, performing its obligations under the Agreement, or as otherwise permitted by applicable law; or
(c) combine Customer Personal Data received from Customer with personal data received from another source, except as permitted by applicable law.

2.5 In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter of this DPA. In the event of any conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum, as applicable, control with respect to the relevant Restricted Transfer.

3. Details of Processing

3.1 The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Customer Personal Data Processed under this DPA are described in Schedule 1.

3.2 Kobiton shall Process Customer Personal Data only:
(a) on documented instructions from Customer, including as set out in the Agreement, applicable Order Forms, Customer’s use and configuration of the Services, support requests submitted by Customer, and other documented instructions consistent with the Agreement; or
(b) as required by applicable law, in which case Kobiton shall, unless prohibited by law, inform Customer of that legal requirement before such Processing.

3.3 Kobiton shall promptly inform Customer if, in Kobiton’s opinion, an instruction from Customer infringes Data Protection Legislation.

4. Customer Obligations

4.1 Customer represents and warrants that:
(a) it has all rights, authority, and lawful bases necessary to disclose Customer Personal Data to Kobiton and to authorize Kobiton to Process Customer Personal Data in accordance with the Agreement and this DPA;
(b) it has provided all notices and obtained all consents, permissions, and authorizations required by Data Protection Legislation for Kobiton’s Processing of Customer Personal Data under the Agreement and this DPA;
(c) its instructions to Kobiton regarding the Processing of Customer Personal Data comply with Data Protection Legislation; and
(d) it will not cause Kobiton to violate Data Protection Legislation.

4.2 Customer is responsible for:
(a) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data;
(b) its decisions regarding the categories of Customer Personal Data it submits to the Services; and
(c) responding to requests from Data Subjects, except to the extent Kobiton is required to assist under this DPA.

5. Confidentiality and Personnel

5.1 Kobiton shall ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

5.2 Kobiton shall take reasonable steps to ensure the reliability of personnel authorized to Process Customer Personal Data and shall limit access to Customer Personal Data to those personnel who have a need to know such data in order to provide the Services or comply with applicable law.

6. Security

6.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects, Kobiton shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

6.2 Such measures shall include, as appropriate:
(a) pseudonymization and encryption of Customer Personal Data where appropriate;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

6.3 A general description of Kobiton’s technical and organizational measures is set out in Schedule 2. Kobiton may update Schedule 2 from time to time, provided that any such update does not materially diminish the overall security of the Services.

7. Assistance with Data Subject Rights and Compliance

7.1 Taking into account the nature of the Processing and the information available to Kobiton, Kobiton shall provide reasonable assistance to Customer, through appropriate technical and organizational measures, to enable Customer to respond to requests by Data Subjects to exercise their rights under Data Protection Legislation.

7.2 If Kobiton receives a request from a Data Subject relating to Customer Personal Data, Kobiton shall:
(a) promptly notify Customer, unless prohibited by law; and
(b) not respond to the request except on Customer’s documented instructions or as required by law.

7.3 Taking into account the nature of the Processing and the information available to Kobiton, Kobiton shall provide reasonable assistance to Customer with:
(a) Customer’s security obligations under Data Protection Legislation;
(b) any required data protection impact assessments;
(c) any prior consultations with supervisory authorities or regulators; and
(d) Customer’s reasonable inquiries regarding Kobiton’s Processing of Customer Personal Data.

7.4 Unless otherwise required by applicable law or caused by Kobiton’s breach of this DPA, Kobiton may charge Customer reasonable costs for assistance provided under this Section 7.

8. Security Incident and Personal Data Breach Notification

8.1 Kobiton shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

8.2 To the extent available to Kobiton and taking into account the nature of the Processing, Kobiton’s notification shall include reasonably available information sufficient for Customer to meet any obligations to report or inform Data Subjects or regulators about the Personal Data Breach, including, where applicable:
(a) the nature of the Personal Data Breach;
(b) the categories and approximate number of affected Data Subjects;
(c) the categories and approximate number of affected personal data records;
(d) the likely consequences of the Personal Data Breach; and
(e) the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects.

8.3 If it is not possible to provide all information at the same time, Kobiton may provide the information in phases without undue further delay.

8.4 Kobiton shall take reasonable steps to identify, contain, investigate, mitigate, and remediate any Personal Data Breach.

8.5 Kobiton shall also notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Content, even where the Security Incident does not constitute a Personal Data Breach.

9. Sub-processors

9.1 Customer authorizes Kobiton to engage Subprocessors to Process Customer Personal Data on Customer’s behalf in connection with the Services.

9.2 Kobiton shall maintain an up-to-date list of its Subprocessors at:
https://www.kobiton.com/sub-processors

9.3 Kobiton shall provide at least ten (10) days’ notice before authorizing a new Subprocessor to Process Customer Personal Data in connection with the Services by updating the Subprocessor list or by another reasonable notice mechanism.

9.4 Customer may object in writing to Kobiton’s appointment of a new Subprocessor on reasonable data protection grounds by providing written notice to Kobiton within ten (10) days after Kobiton gives notice under Section 9.3. If Customer objects, Kobiton will use reasonable efforts to make available a commercially reasonable change to the Services to avoid use of the new Subprocessor. If Kobiton cannot make such a change within thirty (30) days, either party may terminate the affected Services by written notice.

9.5 Kobiton shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA to the extent applicable to the services performed by that Subprocessor.

9.6 Kobiton remains responsible for the acts and omissions of its Subprocessors to the same extent Kobiton would be responsible if performing the services of each Subprocessor directly under the terms of this DPA.

10. International Transfers

10.1 Kobiton may Process Customer Personal Data in the United States and other countries where Kobiton, its Affiliates, or its Subprocessors operate, provided that Kobiton complies with Data Protection Legislation in connection with any Restricted Transfer.

10.2 If Customer transfers Customer Personal Data subject to the GDPR to Kobiton in a country that is not recognized as providing an adequate level of protection under applicable Data Protection Legislation, and no other lawful transfer mechanism applies, the EU SCCs are incorporated into this DPA by reference and apply as follows:
(a) Module Two (Controller to Processor) applies;
(b) in Clause 7, the optional docking clause applies;
(c) in Clause 9, Option 2 applies, and the time period for prior notice of Subprocessor changes shall be the time period set out in Section 9.3 of this DPA;
(d) in Clause 11, the optional language does not apply;
(e) in Clause 17, the governing law shall be the law of Ireland;
(f) in Clause 18(b), disputes shall be resolved in the courts of Ireland;
(g) Annex I, Annex II, and Annex III of the EU SCCs are completed with the information set out in Schedule 1 and Schedule 2 of this DPA and the Subprocessor list maintained by Kobiton; and
(h) if and to the extent the EU SCCs conflict with this DPA, the EU SCCs control.

10.3 If Customer transfers Customer Personal Data subject to the UK GDPR to Kobiton in a country for which a valid transfer mechanism is required and no other lawful transfer mechanism applies, the EU SCCs as incorporated under Section 10.2 shall apply together with the UK Addendum, which is incorporated into this DPA by reference. For purposes of the UK Addendum:
(a) Table 1 is completed with the parties’ details set out in the Agreement and Schedule 1;
(b) Table 2 is completed by selecting the EU SCCs as incorporated by Section 10.2;
(c) Table 3 is completed with Schedule 1, Schedule 2, and Kobiton’s Subprocessor list; and
(d) Table 4 shall be deemed completed so that neither party may terminate the UK Addendum solely because it changes.

10.4 If Customer transfers Customer Personal Data subject to Swiss data protection law to Kobiton in a country for which a valid transfer mechanism is required and no other lawful transfer mechanism applies, the EU SCCs incorporated under Section 10.2 shall apply with the following modifications to the extent required by Swiss law:
(a) references to “Member State” shall be interpreted to include Switzerland;
(b) references to the “competent supervisory authority” and “competent courts” shall be interpreted to include the Swiss Federal Data Protection and Information Commissioner and the relevant courts in Switzerland; and
(c) references to the GDPR shall be interpreted to include the Swiss Federal Act on Data Protection where required.

10.5 Kobiton shall not participate in any Restricted Transfer except in compliance with Data Protection Legislation and using an authorized transfer mechanism, including adequacy decisions, the EU SCCs, the UK Addendum, or another valid transfer mechanism.

11. Audits and Information Rights

11.1 Kobiton shall make available to Customer all information reasonably necessary to demonstrate Kobiton’s compliance with this DPA.

11.2 Kobiton uses independent third-party auditors to verify the adequacy of its security measures and controls. At Customer’s written request, and subject to confidentiality obligations, Kobiton shall make available to Customer a summary copy of its then-current SOC 2 Type II report or similar third-party audit report, to the extent available.

11.3 If the information made available under Section 11.2 is not sufficient for Customer to verify compliance with this DPA, Customer may, no more than once per twelve (12) month period and subject to reasonable confidentiality, security, and operational requirements, request an audit of Kobiton’s relevant records, processes, and facilities relating to the Processing of Customer Personal Data.

11.4 Any audit under Section 11.3 shall:
(a) be conducted during normal business hours;
(b) be limited in scope to matters directly relevant to Kobiton’s compliance with this DPA;
(c) avoid unreasonable disruption to Kobiton’s business operations;
(d) be conducted by Customer or an independent auditor bound by confidentiality obligations; and
(e) be at Customer’s expense, unless the audit reveals a material breach of this DPA by Kobiton.

11.5 Kobiton may object to an auditor appointed by Customer if the auditor is, in Kobiton’s reasonable opinion, not suitably qualified, not independent, a competitor of Kobiton, or otherwise manifestly unsuitable. In that case, Customer shall appoint another auditor or conduct the audit itself.

12. Return and Deletion

12.1 During the term of the Agreement, Kobiton shall make Customer Content available to Customer in accordance with the functionality of the Services and the Agreement.

12.2 Upon termination or expiration of the Agreement, Customer may instruct Kobiton to return or Delete Customer Content and Customer Personal Data, except to the extent Kobiton is required or permitted by applicable law to retain such data.

12.3 If Customer does not request return of Customer Content or Customer Personal Data within thirty (30) days after termination or expiration of the Agreement, Kobiton may Delete the relevant Customer Content and Customer Personal Data in accordance with its standard retention practices, unless applicable law requires or permits retention for a longer period.

12.4 Notwithstanding the foregoing:
(a) Kobiton may retain Customer Personal Data and Customer Content in archived or backup systems until such data is deleted in the ordinary course of Kobiton’s retention cycle, provided that such retained data remains subject to the protections of this DPA;
(b) Kobiton may retain Account-Related Information it Processes as an independent Controller in accordance with its privacy policy and applicable law; and
(c) Kobiton may retain Customer Personal Data or Customer Content to the extent required to establish, exercise, or defend legal claims or comply with applicable law.

13. Records

13.1 To the extent required by Data Protection Legislation, Kobiton shall maintain records of its categories of Processing activities carried out on behalf of Customer.

13.2 Such records shall include, where applicable:
(a) the name and contact details of Kobiton and any Subprocessors;
(b) the categories of Processing carried out on behalf of Customer;
(c) transfers of Customer Personal Data to a third country and the documentation of suitable safeguards; and
(d) a general description of the technical and organizational security measures referred to in Section 6.

14. Liability

14.1 Except as otherwise expressly stated in this DPA, the liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

14.2 Nothing in this DPA limits either party’s liability to Data Subjects or regulators to the extent such limitation is prohibited by Data Protection Legislation, the EU SCCs, or the UK Addendum.

15. Miscellaneous

15.1 This DPA remains in effect for as long as Kobiton Processes Customer Personal Data on Customer’s behalf.

15.2 Except as amended by this DPA, the Agreement remains in full force and effect.

15.3 This DPA may be executed in counterparts, including by electronic signature, each of which is deemed an original and all of which together constitute one instrument.

SCHEDULE 1
DETAILS OF PROCESSING

A. List of Parties

Data Exporter:
Customer, as identified in the Agreement and applicable Order Form(s).

Contact details:
Customer’s contact details as set out in the Agreement, applicable Order Form(s), or as otherwise provided by Customer to Kobiton for privacy matters.

Role:
Controller.

Data Importer:
Kobiton, as identified in the Agreement.

Contact details:
Kobiton privacy contact: legal@kobiton.com

Role:
Processor.

B. Subject Matter of the Processing

Kobiton provides the Services to Customer and Processes Customer Personal Data as necessary to provide, secure, support, and maintain the Services in accordance with the Agreement and Customer’s documented instructions.

C. Duration of the Processing

The Processing will continue for the duration of the Subscription Term and any period thereafter during which Kobiton Processes Customer Personal Data on Customer’s behalf in accordance with the Agreement, this DPA, or applicable law.

D. Nature and Purpose of the Processing

The nature and purpose of the Processing may include:
(a) hosting, storing, organizing, retrieving, transmitting, displaying, and otherwise making available Customer Content within the Services;
(b) providing remote access, automation, testing, analytics, support, troubleshooting, security, and related functions of the Services;
(c) generating logs, records, and operational telemetry necessary to provide and secure the Services;
(d) performing support, implementation, training, and Professional Services where applicable;
(e) using Subprocessors, including hosting, infrastructure, communications, support, and AI/model providers engaged to support features enabled by Customer; and
(f) Processing otherwise necessary to perform Kobiton’s obligations under the Agreement or Customer’s documented instructions.

E. Categories of Data Subjects

The categories of Data Subjects may include:
(a) Customer’s employees, contractors, agents, and authorized users;
(b) Customer’s end users, testers, developers, business contacts, suppliers, and customers;
(c) individuals whose Personal Information is contained in Customer Content submitted to the Services; and
(d) Customer’s account contacts and representatives, but only to the extent such information is Processed by Kobiton on Customer’s behalf.

F. Categories of Customer Personal Data

The categories of Customer Personal Data may include:
(a) identifiers and contact details, such as name, email address, phone number, username, account identifier, or similar identifiers;
(b) device, application, and usage information;
(c) screenshots, videos, logs, test scripts, prompts, view trees, metadata, and other diagnostic or support data submitted to or generated through the Services;
(d) communications and support records;
(e) any Personal Information contained in Customer Content, including information Customer chooses to submit to the Services; and
(f) any other categories of Personal Information described in the Agreement, applicable Order Forms, or documented instructions from Customer.

G. Sensitive Data

Customer may submit sensitive or special categories of personal data only where permitted by the Agreement and Data Protection Legislation and only where strictly necessary for Customer’s use of the Services. Customer is responsible for ensuring that any such submission is lawful and supported by an appropriate legal basis and safeguards.

H. Frequency of the Transfer

Customer Personal Data may be transferred on a continuous basis during Customer’s use of the Services.

SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES

Kobiton maintains technical and organizational measures designed to protect Customer Personal Data, including as appropriate:

1. Access Controls

• Role-based access controls designed to limit access to authorized personnel with a business need to know.
• Authentication controls for internal systems and administrative access.
• Processes for provisioning, modifying, and revoking personnel access.

2. Confidentiality

• Confidentiality obligations for personnel with access to Customer Personal Data.
• Security awareness and privacy training for relevant personnel.

3. Network and Infrastructure Security

• Network protections and monitoring designed to detect and respond to unauthorized access.
• Segmentation, hardening, and other protective measures for relevant production systems where appropriate.

4. Encryption

• Encryption of Customer Personal Data in transit using industry-standard protocols where appropriate.
• Encryption of Customer Personal Data at rest where appropriate, taking into account the nature of the Services and the data involved.

5. System Resilience and Availability

• Measures designed to support system availability, fault tolerance, backup, and disaster recovery appropriate to the Services.
• Processes to restore access to Customer Personal Data following an incident where appropriate.

6. Logging and Monitoring

• Logging and monitoring of relevant systems and events to support security operations, troubleshooting, and incident response.

7. Vulnerability and Change Management

• Processes for vulnerability management, security testing, patching, and change control appropriate to the Services.

8. Incident Response

• Incident response processes for identifying, escalating, investigating, containing, mitigating, and remediating Security Incidents and Personal Data Breaches.

9. Vendor and Sub-processor Management

• Due diligence and contractual controls for Subprocessors that Process Customer Personal Data on Kobiton’s behalf.

10. Data Minimization and Retention

• Processes designed to support deletion, return, or retention of Customer Personal Data in accordance with the Agreement, Customer instructions, and applicable law.

11. Audit and Assurance

• Independent third-party audits or assessments, including SOC 2 Type II or similar assurance activities, where available.