Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service, order form, or other agreement between the customer and Decods LLC when Kanvly processes personal data on behalf of the customer. It applies to personal data contained in customer workspaces, public intake submissions, boards, cards, documents, comments, note images, card attachments, member records, and related product metadata.

For customer workspace content, the customer is the controller or business and Kanvly is the processor or service provider. For Kanvly account administration, billing, security, analytics, website, and support operations, Kanvly may act as an independent controller as described in the Privacy Policy.

Kanvly will process customer personal data only to provide, secure, maintain, support, and improve the service; follow the customer documented instructions; comply with applicable law; and fulfill the agreement. Customer use of product settings, APIs, account actions, public links, member invitations, AI requests, and support instructions are documented instructions.

Kanvly restricts access to customer personal data to personnel, contractors, and subprocessors who need access to operate, secure, support, or improve the service and who are subject to appropriate confidentiality obligations.

• HTTPS/TLS for traffic to production services.
• Secure, HTTP-only session cookies for authentication.
• Password hashing using a memory-hard password hashing approach.
• Workspace roles and visibility controls enforced by the application.
• Rate limits on sensitive entry points such as authentication, contact, intake, avatar upload, AI, and import workflows.
• Audit-friendly operational event logging for key account, workspace, billing, and security actions.
• Production backups and operational restore procedures.
• Limited access to production infrastructure and secrets.
• Input validation, file type checks, and upload size limits for supported upload flows.

Kanvly may use subprocessors to provide hosting, payment processing, email delivery, analytics, OAuth/SSO, AI, and infrastructure services. Current subprocessors are listed on the Subprocessors page. Kanvly remains responsible for subprocessor performance to the extent required by applicable data protection law.

Customers may object to a new subprocessor through Kanvly support with a reasonable data protection basis. If Kanvly cannot reasonably resolve the objection, the customer remedy is to stop using the affected service or terminate the affected subscription according to the agreement.

Kanvly provides in-product export and deletion controls for authenticated users and will provide reasonable assistance for data subject requests where the customer cannot fulfill the request using the service. Customers remain responsible for validating requester authority and deciding how to respond to requests concerning their workspace content.

If Kanvly becomes aware of a confirmed security incident affecting customer personal data, Kanvly will notify affected customers without undue delay and provide information reasonably available to help customers meet their own legal obligations. Notification is not an admission of fault or liability.

Kanvly is a United States company and uses subprocessors that may process data outside the EEA, UK, or Switzerland. Where required, Kanvly relies on appropriate transfer safeguards such as standard contractual clauses, subprocessor data processing terms, and equivalent contractual protections.

During the subscription, customers may export data through available product controls. After account deletion or termination, Kanvly will delete or de-identify customer personal data from active systems according to the Privacy Policy, except where retention is required for legal, security, billing, tax, backup, or dispute purposes. Backup copies are removed through normal backup rotation.

Kanvly will provide reasonable information about its security and data processing practices. Formal audits or security reviews are available only where required by law or a signed enterprise agreement, and must avoid disrupting the service or exposing other customer data.

If this DPA conflicts with the Terms, this DPA controls for processor obligations concerning customer personal data. If a signed customer agreement or order form includes stricter privacy or security terms, the signed agreement controls for that customer.