Effective Date: 2026-03-26
This Data Processing Agreement ("DPA") forms part of the agreement between Kornucopya and the customer using app.kornucopya.com or related Kornucopya services that involve the processing of personal data.
This DPA applies where Kornucopya processes personal data on behalf of the customer in connection with the provision of Kornucopya's CRM System empowered by AI and related services.
For purposes of this DPA:
Customer means the business, organization, or individual using Kornucopya services and acting as the data controller or business with respect to personal data uploaded to the services.
Kornucopya means the Kornucopya entity providing the service, including where applicable Kornucopya LLC, and any affiliated entity involved in providing operational, technical, or mission-related support under appropriate confidentiality and data protection obligations.
Kornucopya will process personal data only on behalf of and in accordance with the documented instructions of the Customer, except where otherwise required by applicable law.
The subject matter of the processing is the provision of CRM, automation, communication support, AI-assisted features, lead management, calendar tools, and related services.
The duration of processing will continue for as long as Kornucopya provides the services to the Customer, unless otherwise required by law or agreed in writing.
Depending on how the Customer uses the services, Kornucopya may process personal data such as:
Names
Email addresses
Phone numbers
Business names
Contact history
Appointment details
Communication content entered into the platform
Customer notes and CRM records
Data subjects may include:
The Customer's leads
The Customer's clients or prospective clients
The Customer's employees or contractors
Other contacts entered into the CRM by the Customer
The Customer represents and warrants that:
It has a lawful basis for collecting and processing the personal data uploaded to the services
It has provided any required privacy notices to data subjects
It has obtained any required consents where necessary
Its instructions to Kornucopya comply with applicable data protection laws
Kornucopya agrees to:
Process personal data only on documented instructions from the Customer, unless required by law to do otherwise
Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations
Implement appropriate technical and organizational measures to protect personal data
Assist the Customer, taking into account the nature of processing, with reasonable requests related to data subject rights, security, breach notifications, and compliance obligations
Kornucopya will ensure that any person acting under its authority who has access to personal data is bound by a duty of confidentiality, whether by contract, policy, or legal obligation.
Kornucopya will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Such measures may include:
Access controls
Authentication protections
Encryption where appropriate
Secure hosting infrastructure
Logging and monitoring
Backup and recovery practices
The Customer authorizes Kornucopya to engage subprocessors as reasonably necessary to provide the services, including providers of cloud hosting, payment infrastructure, communications, analytics, and technical support.
Kornucopya will require such subprocessors to be subject to data protection obligations substantially consistent with those set out in this DPA.
Upon reasonable written request, Kornucopya may provide information about categories of subprocessors used in connection with the services.
The Customer acknowledges that personal data may be processed in countries other than the country in which it was originally collected, including the United States, Colombia, Spain, and other jurisdictions where Kornucopya or its service providers operate.
Where required by applicable law, Kornucopya will use appropriate safeguards for international data transfers.
Taking into account the nature of the processing, Kornucopya will provide reasonable assistance to the Customer to help the Customer respond to requests from data subjects seeking to exercise their rights under applicable data protection laws.
If Kornucopya becomes aware of a confirmed personal data breach affecting Customer personal data, Kornucopya will notify the Customer without undue delay and provide reasonable information available to help the Customer meet any applicable legal obligations.
Upon termination of the services, and subject to applicable law and legitimate retention needs, Kornucopya will delete or return Customer personal data within a reasonable period, unless continued retention is required by law.
Upon reasonable request and subject to appropriate confidentiality protections, Kornucopya will make available information reasonably necessary to demonstrate compliance with this DPA.
Any audit rights shall be exercised in a manner that does not unreasonably disrupt Kornucopya's operations, compromise the security of other customers, or expose confidential information unrelated to the requesting Customer.
This DPA is subject to the limitations of liability and related provisions set forth in the applicable agreement or Terms & Conditions between the parties, unless otherwise required by law.
Except as expressly stated in this DPA, the main agreement between the parties remains in full force and effect. If there is a conflict between this DPA and the main agreement regarding data protection matters, this DPA will control to the extent of that conflict.
If you have questions about this DPA, you may contact:
Kornucopya
Email: legal@kornucopya.com
Website: https://kornucopya.com