Kantis — Data Processing Agreement

Last updated: April 2026

Legal entity. Kantis is the trading name of We Make Tech Ltd, a company registered in England and Wales (company number 16031474). Registered address: Office 38, Area 1/1 60 Tottenham Court Road, Fitzrovia, London, United Kingdom, W1T 2EW. References to "Kantis," "we," "us," or "our" in this Agreement refer to We Make Tech Ltd trading as Kantis.
Acceptance. This Data Processing Agreement ("DPA") forms part of and is incorporated into Kantis's Terms of Service. By using the Kantis Services, Customer (as defined in the Terms of Service) is deemed to have accepted this DPA on behalf of itself and all Authorised Users. No countersignature is required.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meaning given to them in the Terms of Service.

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
  • "Processing" (and its variants, including "Process" and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Customer Data" means all data, including Personal Data, submitted to, processed by, or generated through the Services by or on behalf of Customer, as further described in the Terms of Service.
  • "Sub-processor" means any Processor engaged by Kantis who processes Personal Data on behalf of Customer in connection with the Services.
  • "Supervisory Authority" means the relevant data protection regulatory authority with jurisdiction over the processing of Personal Data under applicable Data Protection Laws.
  • "Data Protection Laws" means, as applicable: (a) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; (b) Regulation (EU) 2016/679 (EU GDPR); and (c) any other applicable data protection legislation.
  • "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Kantis or its Sub-processors.

2. Roles and Scope

2.1 In relation to the Processing of Customer Data, the parties acknowledge that: (a) Customer is the Controller; and (b) Kantis is the Processor, Processing Personal Data on behalf of Customer solely to provide the Services.

2.2 This DPA applies where Kantis Processes Personal Data contained in Customer Data in connection with the provision of the Services. This DPA does not apply to Kantis's Processing of Personal Data in its capacity as a Controller (for example, account registration data, billing information, or website visitor data), which is governed by the Privacy Policy.

2.3 Details of the Processing are set out in Schedule 1 (Details of Processing) at the end of this DPA.

3. Duration

3.1 This DPA shall commence on the date Customer first uses the Services and shall continue in force until the termination or expiry of the Terms of Service, after which the provisions of Section 11 (Deletion and Return of Data) shall continue to apply.

4. Processor Obligations

4.1 Documented Instructions. Kantis shall Process Customer Data only on documented instructions from Customer, which shall be the Terms of Service, this DPA, and any other written instructions agreed between the parties. If Kantis is required by law to Process Customer Data otherwise than as instructed, Kantis will notify Customer of that legal requirement before Processing (unless prohibited by law).

4.2 Confidentiality. Kantis shall ensure that all personnel authorised to Process Customer Data are subject to appropriate confidentiality obligations (whether contractual or statutory) in respect of that data.

4.3 Security Measures. Kantis shall implement and maintain appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as further described in Schedule 2 (Technical and Organisational Security Measures). Kantis shall take steps to ensure that any natural person acting under its authority who has access to Customer Data does not Process it except on Customer's instructions.

4.4 Data Subject Rights. Kantis shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). Customer shall be responsible for responding to Data Subject requests; Kantis will promptly notify Customer upon receiving any Data Subject request directly related to Customer Data and will not respond to such a request without Customer's prior written authorisation, except as required by law.

4.5 Compliance Assistance. Kantis shall assist Customer in ensuring compliance with Customer's obligations relating to: (a) the security of the Processing; (b) notification of Security Incidents to Supervisory Authorities and Data Subjects; (c) data protection impact assessments and prior consultation; and (d) any other obligations under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to Kantis.

4.6 Security Incident Notification. Kantis shall notify Customer without undue delay and, in any event, within forty-eight (48) hours after becoming aware of a Security Incident affecting Customer Data. Such notification shall include: (a) a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) contact details of Kantis's data protection point of contact; (c) a description of the likely consequences of the Security Incident; and (d) a description of the measures taken or proposed to be taken by Kantis to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects. Where Kantis is unable to provide complete information within the initial notification, it shall do so in phases as information becomes available. Kantis will co-operate with Customer and take such reasonable steps as Customer may request to assist in the investigation, mitigation, and remediation of each such Security Incident.

4.7 Return and Deletion of Data. Upon expiration or termination of the Terms of Service, Kantis shall, at Customer's election and within thirty (30) days of Customer's written request: (a) return to Customer a complete copy of all Customer Data in a structured, commonly used, and machine-readable format; or (b) securely delete and destroy all Customer Data in Kantis's possession or control. In either case, Kantis shall certify in writing that such return or deletion has been completed. Kantis may retain Customer Data to the limited extent required by applicable law, provided that such retained data remains subject to the confidentiality obligations of this DPA.

4.8 Audit Rights. Kantis shall make available to Customer all information reasonably necessary to demonstrate Kantis's compliance with the obligations laid down in this DPA and, upon Customer's written request with not less than thirty (30) days' prior notice, shall allow for and contribute to audits, including inspections, conducted by Customer or a reputable third-party auditor mandated by Customer. Audits shall be conducted during normal business hours, shall not unreasonably disrupt Kantis's operations, and shall occur no more than once per calendar year, unless Customer has reasonable grounds to believe there has been a Security Incident or a breach of this DPA. The costs of any audit shall be borne by Customer unless the audit reveals material non-compliance by Kantis with this DPA, in which case reasonable audit costs shall be borne by Kantis. As an alternative to an on-site audit, Kantis may (at its discretion) provide Customer with up-to-date third-party security audit reports or certifications (such as ISO 27001 or SOC 2), which Customer may use to satisfy its audit obligations under applicable Data Protection Laws.

5. Customer Obligations

5.1 Customer warrants, represents, and undertakes that it has a valid legal basis under applicable Data Protection Laws for the Processing of Customer Data as contemplated by the Services and that Customer has fulfilled all applicable transparency, notice, and consent requirements with respect to Data Subjects.

5.2 Customer undertakes that its instructions to Kantis regarding the Processing of Customer Data shall at all times comply with applicable Data Protection Laws and that Customer will not instruct Kantis to Process Customer Data in a manner that would cause Kantis to violate applicable Data Protection Laws.

5.3 Customer is solely responsible for ensuring the accuracy, quality, and legality of Customer Data and the means by which Customer obtained Customer Data.

6. Sub-processors

6.1 General Authorisation. Customer hereby grants Kantis general written authorisation to engage Sub-processors, subject to the requirements of this Section 6. Kantis shall impose data protection obligations on each Sub-processor by way of a written agreement that provides protections substantially equivalent to those set out in this DPA.

6.2 Sub-processor List. Kantis maintains a current list of Sub-processors engaged to Process Customer Data. The list is available to Customers within the Kantis platform or upon written request to support@getkantis.com. Kantis shall keep this list up to date.

6.3 Changes to Sub-processors. Kantis shall notify Customer of any intended addition or replacement of a Sub-processor by sending a notification to the email address associated with Customer's account at least thirty (30) days before the change takes effect. Customer may object to the proposed change within that period by notifying Kantis in writing, providing reasonable grounds for the objection. Where Customer objects, the parties shall negotiate in good faith to resolve the objection. If the parties are unable to resolve the objection within thirty (30) days of Customer's notification, either party may terminate the Services in relation to the affected Processing upon written notice, without liability to the other party for such termination.

6.4 Responsibility for Sub-processors. Kantis shall remain liable to Customer for the performance of each Sub-processor's obligations to the extent that the Sub-processor fails to fulfil its obligations under the relevant agreement between Kantis and that Sub-processor.

7. International Data Transfers

7.1 Kantis shall not transfer Customer Data outside of the United Kingdom or the European Economic Area except where adequate transfer safeguards are in place, as set out in this Section 7.

7.2 EU SCCs. To the extent that Kantis transfers Personal Data of Data Subjects located in the EEA to a country not recognised by the European Commission as providing an adequate level of protection, such transfer shall be governed by the EU SCCs (Controller to Processor, Module 2), which are incorporated into this DPA by reference. For the purposes of the EU SCCs: (a) Customer is the "data exporter" (Controller); (b) Kantis is the "data importer" (Processor); (c) the Annexes of the EU SCCs shall be deemed populated with the information in Schedules 1, 2, and 3 of this DPA; and (d) the governing law and jurisdiction shall be that of England and Wales.

7.3 UK Addendum. To the extent that Kantis transfers Personal Data of Data Subjects located in the United Kingdom to a country not recognised by the UK as providing an adequate level of protection, such transfer shall additionally be governed by the UK Addendum to the EU SCCs, which is incorporated into this DPA by reference. For the purposes of the UK Addendum: (a) Table 1 parties are Customer (exporter) and Kantis (importer); (b) Table 2 refers to the EU SCCs incorporated under Section 7.2; (c) Table 3 is populated with the information in Schedules 1, 2, and 3 of this DPA; and (d) the "change of applicable table" option in Table 4 is "Neither party".

7.4 Japan. Transfers of Personal Data to recipients in Japan are covered by the European Commission's adequacy decision for Japan (Commission Implementing Decision 2019/419). No additional transfer mechanism is required for EU-to-Japan transfers under the EU GDPR. Where UK GDPR applies, Kantis shall ensure appropriate safeguards are in place consistent with the requirements of the UK adequacy regulations.

7.5 Sub-processor Transfers. Where any Sub-processor processes Personal Data outside the scope of adequacy decisions applicable to it, Kantis shall ensure that appropriate transfer safeguards (such as the EU SCCs or UK Addendum, as applicable) are in place between Kantis and that Sub-processor.

8. Liability

8.1 The limitation of liability provisions set out in Section 9 of the Terms of Service apply to this DPA and to any claims arising out of or in connection with this DPA, including in relation to Processing of Customer Data.

8.2 Each party's liability to the other under or in connection with this DPA, in contract, tort (including negligence), breach of statutory duty, or otherwise, is subject to the liability cap set out in the Terms of Service, and excludes the categories of loss that are excluded under the Terms of Service.

8.3 As between the parties, Customer shall be liable for (and shall indemnify Kantis against) any claim or liability arising from Customer's failure to comply with its obligations under Section 5 of this DPA or from Customer Data that does not comply with applicable Data Protection Laws.

9. Conflict

9.1 In the event of any conflict or inconsistency between this DPA and the Terms of Service with respect to the subject matter of data protection or the Processing of Personal Data, the provisions of this DPA shall prevail.

9.2 In the event of any conflict or inconsistency between this DPA and the EU SCCs or the UK Addendum (where applicable), the EU SCCs or UK Addendum shall prevail to the extent required by applicable Data Protection Laws.

10. Governing Law

10.1 This DPA, and any dispute or claim arising out of or in connection with it or its subject matter or formation, shall be governed by and construed in accordance with the laws of England and Wales, subject to the mandatory provisions of applicable Data Protection Laws that cannot be derogated by contract.

10.2 The courts of England and Wales shall have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA, provided that nothing shall prevent either party from applying for injunctive or other equitable relief before any competent court.

11. Deletion and Return of Data

See Section 4.7 above. The obligations of Section 4.7 survive expiration or termination of this DPA and the Terms of Service.


Schedule 1 — Details of Processing

Subject matter

Processing of Customer Data by Kantis to provide the Kantis compliance management platform, including automated compliance checks, evidence collection, audit preparation, policy drafting, and managed services, as described in the Terms of Service.

Duration

For the duration of the Terms of Service, and thereafter as required by Section 4.7 (deletion/return obligations).

Nature of processing

Collection, storage, organisation, retrieval, use, disclosure (to authorised Kantis personnel and Sub-processors), and deletion of Personal Data, including automated processing using AI and machine learning features of the Platform.

Purpose of processing

To provide and operate the Kantis platform and related services, including:

  • Automated compliance checks and continuous monitoring of Customer's cloud infrastructure and third-party tools
  • Evidence collection and audit trail management
  • Policy and document drafting assistance (including AI-generated outputs)
  • Risk assessment and gap analysis
  • User identity and access management within the platform
  • Managed compliance advisory and support services
  • Security monitoring, incident detection, and response

Types of personal data

  • Names and email addresses of Customer's Authorised Users and personnel
  • Job titles and organisational roles
  • IP addresses and device/browser metadata
  • Cloud infrastructure configuration data (which may incidentally include personal data such as usernames, resource tags, or access logs)
  • API access tokens and credentials provided by Customer for integration purposes (treated as Confidential Information)
  • Audit evidence and compliance documentation uploaded by Customer (which may contain personal data of Customer's employees, contractors, or other individuals)
  • Usage logs and activity records within the platform

Categories of data subjects

  • Customer's employees, officers, and directors
  • Customer's contractors and consultants
  • Customer's Authorised Users
  • Individuals whose personal data appears incidentally in Customer's audit evidence, cloud configurations, or compliance documentation

Schedule 2 — Technical and Organisational Security Measures

Kantis has implemented and maintains the following technical and organisational measures to ensure an appropriate level of security for Customer Data:

Encryption

  • All Customer Data is encrypted in transit using TLS 1.2 or higher
  • All Customer Data is encrypted at rest using AES-256 or equivalent
  • API tokens, credentials, and secrets are encrypted at rest and are not accessible to Kantis personnel in plaintext

Access controls

  • Access to production systems and Customer Data is restricted to authorised Kantis personnel on a need-to-know basis
  • Multi-factor authentication (MFA) is required for all access to production infrastructure
  • Role-based access controls (RBAC) are enforced across all production systems
  • Access rights are reviewed and revoked upon change of role or termination of employment

Monitoring and logging

  • All access to Customer Data by Kantis personnel is logged and monitored
  • Security event logging is maintained and reviewed regularly
  • Anomalous access patterns are subject to automated alerting

Incident response

  • Kantis maintains a documented incident response policy and procedure
  • Security incidents are escalated, investigated, and documented
  • Customer notification procedures are in place as described in Section 4.6

Vendor and supply chain security

  • All Sub-processors are subject to due diligence and contractual data protection obligations
  • Infrastructure providers are selected on the basis of their security posture and certifications (including ISO 27001 and SOC 2 where applicable)

Business continuity and backup

  • Customer Data is backed up regularly with backups encrypted and stored separately from primary data
  • Recovery time and recovery point objectives are reviewed periodically

Schedule 3 — Sub-processors

Kantis maintains a current list of Sub-processors engaged to Process Customer Data on behalf of Customers. The list includes each Sub-processor's name, the purpose of the processing, and the processing location(s).

The Sub-processor list is available to Customers:

  • Within the Kantis platform (Settings → Security → Sub-processors); or
  • Upon written request to support@getkantis.com.

Kantis will notify Customer of any intended changes to Sub-processors in accordance with Section 6.3.


Contact:
We Make Tech Ltd trading as Kantis
Office 38, Area 1/1 60 Tottenham Court Road, Fitzrovia, London, United Kingdom, W1T 2EW
Company number: 16031474
Email: support@getkantis.com
Web: https://getkantis.com
