Data Processing Agreement
Effective date: July 6, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Controller") and KAAI TECH LLC ("Processor," "we," "us") when you use Founders Build OS or related services where we process personal data on your behalf. If you use the Service only as an individual founder for your own startup planning, you are typically the Controller of your own data and this DPA may not apply unless you onboard team members or end users whose data you control.
2. Scope and roles
- Controller — determines purposes and means of processing (often you, when you invite collaborators or process others' data through exports or shared plans).
- Processor — KAAI TECH LLC processes personal data only on documented instructions from the Controller, as described in the Terms of Use, Privacy Policy, and this DPA.
3. Subject matter and duration
Processing covers account, project, and billing data needed to provide Founders Build OS for the term of your subscription or account, plus any retention period stated in our Privacy Policy or required by law.
4. Processor obligations
We will:
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organizational measures (encryption in transit, access controls, Firebase/Google Cloud infrastructure).
- Use sub-processors listed in Section 5; notify of material changes where contractually required.
- Assist with data subject requests where feasible, consistent with our Privacy Policy and CCPA Notice.
- Delete or return personal data upon account deletion, subject to legal retention (e.g. Stripe invoices).
- Make available information reasonably necessary to demonstrate compliance.
5. Sub-processors
We use the following categories of sub-processors to deliver the Service:
- Google Firebase / Google Cloud (authentication, database, hosting)
- Vercel (application hosting)
- Stripe (payments)
- OpenAI (optional AI features, when you use them)
- Amazon Web Services SES (transactional email)
Current privacy practices are described in our Privacy Policy. Enterprise customers requiring a signed sub-processor list or prior notice may contact us.
6. International transfers
Data may be processed in the United States and other countries where our providers operate. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses offered by major providers) as applicable.
7. Security incidents
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer data, where legally required and to the extent we have sufficient information.
8. Audits
Upon reasonable written request, we will provide information about our security measures or certifications where available. Onsite audits may be agreed separately for enterprise agreements.
9. Executed agreements
For a countersigned DPA or custom data protection terms (enterprise, agency, or accelerator programs), email [email protected] with "DPA request" and your company details.
10. Order of precedence
If this DPA conflicts with the Terms of Use on data protection matters, this DPA prevails for business customers who have accepted it in writing. Otherwise the Terms and Privacy Policy apply.
← Privacy Policy