Kinsta DPA Example

9. Audit and Inspection

  1. Subject to and conditioned on a written confidentiality and non-disclosure agreement, Kinsta shall provide Customer with information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA.
  2. Any audits requested by Customer to assess and verify compliance with this DPA shall be (i) subject to and conditioned on reasonable advance written notice, not less than sixty (60) days, to Kinsta; (ii) subject to and conditioned on a written confidentiality and non-disclosure agreement and a detailed written audit plan reviewed and pre-approved by Kinsta; (iii) limited to once every twelve (12) month period; (iv) at Customer’s sole cost and expense; (v) limited in scope and purpose to evaluate a specifically identified suspected failure by Kinsta to comply with the provisions of this DPA and only after Customer has exhausted all other reasonable means as determined by Kinsta; and (vi) in the virtual or physical presence of a Kinsta representative without unreasonably disrupting Kinsta’s business operations.

SCCs Annex I

A. LIST OF PARTIES

Data Exporter:

**Name**: The entity identified as the Customer.

**Address**: The address for Customer recorded in MyKinsta or as otherwise specified in the Agreement.

**Contact name, position, and contact details**: The contact details of the Company Owner associated with Customer’s Account, or as otherwise specified in the Agreement.

**Activities related to the data transferred under the Clauses**: Operation of Customer Application(s) on Kinsta’s hosting platform

**Signature and date**: The parties agree that acceptance or execution of the Agreement, as applicable, shall constitute execution of these SCCs by both parties.

**Role**: Controller

Data Importer:

**Name**: Kinsta Inc.

**Address**: 8605 Santa Monica Blvd #92581, West Hollywood, CA 90069, USA

**Contact name, position, and contact details**: Kinsta Data Privacy team privacy@kinsta.com or by mail at the address above

**Activities related to the data transferred under the Clauses**: Provision of the Services

**Signature and date**: The parties agree that acceptance or execution of the Agreement, as applicable, shall constitute execution of these SCCs by both parties.

**Role**: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred *

Any individuals who may visit, use, or access Customer Applications, or whose personal data is transmitted, stored, or otherwise processed through Customer Applications by the Customer, including, for example: employees and other staff, customers and clients (including their staff), website visitors or end users, suppliers (including their staff), relatives and associates of the above, advisers, consultants and other professional experts, shareholders, members or supporters, and students and pupils.

Categories of personal data transferred *

Any categories permitted by Customer to be transmitted, stored, or otherwise processed through the Customer Applications. Such categories may include, for example, contact information, employment details, financial information, education and training details, identifiers by a public authority, family, lifestyle and social circumstances.

Sensitive data transferred (if applicable) and applied restrictions *

Customer may permit sensitive data to be transmitted, stored, or otherwise processed through the Customer Applications. The restrictions and safeguards specified in Annex II apply to these categories of personal data (if any). Customer shall be responsible for informing Kinsta of the specific categories of sensitive data transferred and any additional applied restrictions.

The frequency of the transfer *

Continuous

Nature of the processing *

Processing in connection with the provision of the Services, including hosting of the Customer Applications and related support.

Purpose(s) of the data transfer and further processing *

Provision of the Services

The period for which the personal data will be retained *

Pursuant to DPA, Section 10

For transfers to (sub-) processors, specify the subject matter, nature, and duration of the processing *

The subject matter, nature, and duration of the processing by sub-processors are set forth in this Annex I, Section B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 *

Ireland

(Standard Contractual Clauses) SCCs Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA.

  • All Customer Personal Data transferred by Kinsta is encrypted in transit.
  • All Customer Personal Data stored on Google Cloud infrastructure (all Customer Applications and access logs) is encrypted at rest.
  • Cloudflare’s security features, including their web application firewall (WAF) and DDoS protection, are integrated into the Services.
  • We have information security policies which restrict our team members’ activities related to the processing of Customer Personal Data to only those processing activities which are necessary for the provision of the Services.
  • All team members sign an agreement inclusive of non-disclosure provisions prior to gaining access to any Customer Personal Data.
  • We have a dedicated full-time Security team.
  • We have identified a Security oversight group that includes members of our Engineering, Operations, Legal, and Executive teams.
  • Sub-processors of Customer Personal Data are only used after formal review and approval.
  • We make reasonable efforts to process, transfer, and retain only the amount and type of data required to provide the Services.
  • We have established identity and access management policies and practices, following the principles of least privilege and role-based access control (RBAC).
  • All team members receive training on matters of data privacy and our policies.
  • Physical access controls have been implemented by Google Cloud to limit access to physical hardware at data centers. Google Cloud has also received multiple security-related certifications and audits including a SOC 2 Type II report and ISO 27001 certification.
  • Where applicable, two-factor authentication has been enabled on all team member accounts with access to Customer Personal Data.
  • Root access to client containers and servers is by unique private key only, and team members are only provided the minimum access necessary to perform their duties.
  • Root access is only possible via dedicated network access points and not the same access points as regular client access.
  • Kinsta offers free SSL certificates and makes it possible for Customers to force HTTPS connections to encrypt all Customer Application traffic in transit.
  • Kinsta limits non-HTTP connections to secure protocols only (SSH, SFTP).
  • Customer Applications are protected by a custom firewall managed by Kinsta’s Engineering team.
  • Multiple forms of regular backups are created. Customers are able to easily download backups for transfer to other hosts (portability) or for storage on other services.
  • Customers are able to initiate deletion of Customer Applications from the platform. Upon termination of the Services, Kinsta makes reasonable efforts to delete all Customer Personal Data within 45 days.
  • Server packages and software are kept up to date by our Engineering team. Security updates are applied promptly.