№ 008 / Data processing
How we handle your data, in writing.
This is the Data Processing Addendum (DPA) between you, the controller, and KiwiStack, the processor, written in plain English. A counter-signed PDF of this text is issued per customer on request (see Counter-signed PDF below) and is the operative legal text for your contract. If the PDF and this page disagree, the PDF wins, and we'll fix this page.
Version
v2026.05
Effective 2026-05-11
Jurisdiction
Luxembourg law
Supervisory authority: CNPD
Counter-signed PDF
Email hello@kiwistack.io.
This page publishes the current text. A counter-signed PDF of it is issued per customer on request; that PDF is the operative legal text for your contract.
01 / Roles
You (the customer) are the controller for personal data inside your KiwiStack tenant: your team's mailboxes, files, calendars, chat rooms, meeting recordings, project records, and the rest. You decide what goes in and why.
We (KiwiStack, operated by Corentin Dekimpe from Luxembourg) are the processor. We run the infrastructure and the open-source software stack documented on /architecture. We act on your instructions, plus what is needed to keep the service running and to comply with EU law.
The sub-processors listed below are sub-processors in the sense of GDPR Article 28(2) and 28(4). Every other component of the stack (Nextcloud, OX, Synapse, Jitsi, OpenProject, XWiki, Vaultwarden, CryptPad, Onyx, Keycloak, and the rest) is open-source software operated by us inside your tenant; the upstream projects do not see your data and are not sub-processors.
02 / What we process
The data categories below cover everything the suite touches. Data subjects are your employees and any third party they correspond with through the service. Processing runs for the duration of the service contract.
Capability
Data categories
Legal basis
Mail
Inbox content, headers, attachments, contacts referenced in messages
Performance of the service contract (Art. 6(1)(b) GDPR)
Files
Document content, versions, sharing metadata, comments
Performance of the service contract
Calendar
Event details, attendees, free/busy data
Performance of the service contract
Contacts
Names, email addresses, organisations, free-form notes
Performance of the service contract
Chat
Messages, presence, room membership. End-to-end encrypted by default; the operator cannot read message content.
Performance of the service contract
Videoconference
Real-time audio/video (peer-to-peer or via SFU bridge), participant list, optional server-side recording
Performance of the service contract
Projects
Work packages, time entries, comments, attachments
Performance of the service contract
Knowledge
Wiki pages, edit history, attachments
Performance of the service contract
Notes
Personal notes (end-to-end encrypted, operator cannot read), team notes (server-readable)
Performance of the service contract
Intelligence (add-on)
Indexed content from the capabilities above, plus user queries and meeting transcripts. Per-user opt-in.
Performance of the service contract, plus customer-controlled per-user opt-in
We do not process special-category data (GDPR Article 9) unless you submit it as part of normal use of the suite (for example, an HR file in Files), in which case the same encryption, access control, and audit logging apply. If your sector requires more, ask: we'll document the additional safeguards in writing before you start.
03 / Where data lives
Primary processing happens at Contabo in Nürnberg, Germany. Off-site backups go to a second EU region via Restic, encrypted with keys held by you. The contract is governed by Luxembourg law, with the CNPD as supervisory authority. No international-transfer annex (Standard Contractual Clauses or similar) is required: there is no transfer outside the EU. See /security for the operator's own statement on this.
04 / Sub-processors
Two tables: who handles your data on every tenant, and who handles it only when the Intelligence add-on is enabled.
We notify you at least 10 business days before we add or replace a sub-processor. You have 30 days to object in writing, in which case we work out an alternative or you may terminate the affected service with a pro-rata refund of prepaid fees.
Active for every tenant
Entity
Role
Location
Data access
Contabo
Compute, storage and networking
Nürnberg, Germany
Holds all customer content at rest and in transit; encrypted on disk and in flight.
DNS authoritative hosting
Roubaix, France
Customer domain DNS records only. No mailbox, file, or message content.
Active only with the Intelligence add-on
Entity
Role
Location
Data access
Mistral (La Plateforme)
LLM inference: chat completions, summaries, Voxtral meeting transcription
Paris, France
Indexed content and user queries submitted via the Intelligence workspace, plus meeting audio submitted for transcription. Not used for training (per Mistral La Plateforme contractual terms).
Intelligence is opt-in. If you do not enable it, no data leaves the tenant cluster for inference. Live captions in videoconferences run inside the tenant via Skynet (open-source, Apache-2.0), and audio for live captioning does not leave the tenant. See /architecture/decisions, ADR-11 and ADR-12, for the full design.
05 / Annex II security measures
The technical and organisational measures required by GDPR Article 32. Mirrors the /security page so the two cannot drift.
01
Encryption in transit
TLS on every customer-facing endpoint, certificates auto-renewed via Let's Encrypt. Internal cluster traffic encrypted via WireGuard overlay.
02
Encryption at rest
Per-tenant volume encryption at the storage layer. etcd encrypted at the cluster level. Backups encrypted before they leave the cluster, encryption key held by the customer.
03
Pseudonymisation
Operational logs strip direct identifiers before retention; mailbox content is never logged.
04
Phishing-resistant access
Hardware-key sign-in (YubiKey 5 Series, PIV plus FIDO2) is the operator default. On the customer side, TOTP is the minimum; hardware-key sign-in is available in every tier.
05
Role-based access on the operator side
Per-role YubiKey, cryptographic role separation. Two-person rule for Critical operations on customer tenants.
06
Audit logs
Every privileged action against a customer tenant is logged with key serial, admin name, timestamp, and target. Logs are read-only to the customer admin.
07
Backup and recovery
Daily Restic snapshots to a second EU region. Documented restore procedure exercised on a rolling sample of tenants.
08
Disaster recovery
Per-tenant recovery time: 8 hours target, 24 hours hard ceiling. Shorter in dedicated tiers.
09
Network segmentation
Per-customer Kubernetes namespace with NetworkPolicy isolation on Core, dedicated cluster on Mesh and Fleet.
10
Vulnerability management
Renovate-driven dependency upgrades on the platform repo. CVE feed monitored; high-severity items patched within 7 days of upstream release.
11
Logging and monitoring
Prometheus, Loki, Grafana on the operator side; Uptime Kuma drives the public status page. Customer admin gets quarterly access reports.
12
Data minimisation
Operator collects only what is needed to run the service. The signup form is the full data-collection surface before contract signature.
13
Personnel
Operator personnel: one (Corentin Dekimpe), bound by the same confidentiality undertaking that this DPA imposes on KiwiStack.
14
Subcontracting controls
Sub-processor list maintained on this page. Customers are notified of additions or replacements 10 business days in advance, with a 30-day objection window.
15
Physical security
Sub-processors host the physical estate. Contabo operates ISO 27001-certified data centres in Nürnberg, Germany.
16
Accountability
Records of processing activities maintained under GDPR Article 30. Available to the supervisory authority on request, available to the customer on reasonable request.
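Measure 09 is the one a customer can most usefully ask to see spelled out, because "NetworkPolicy isolation" can mean anything from a single default-deny rule to nothing enforced at all. The manifests below are an added illustration of what a per-customer namespace with NetworkPolicy isolation looks like in practice; they are not KiwiStack's own policy, and nothing on this page shows it. The namespace name tenant-acme, the ingress-controller namespace ingress-nginx, the kube-dns pod label and the 10.0.0.0/8 pod CIDR are assumptions; a cluster CNI that actually enforces NetworkPolicy (not every CNI does) is also assumed.

```yaml
# Added illustration, not KiwiStack's manifest. All names and CIDRs are assumptions.
# Policy 1: deny everything by default for every pod in the tenant namespace.
# With no ingress/egress rules listed, nothing is allowed unless another policy
# in this namespace allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-acme          # assumed tenant namespace name
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# Policy 2: pods of the same tenant may talk to each other (mail, files, chat,
# database, and so on all live in this one namespace).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: tenant-acme
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}         # any pod in this namespace, no other namespace
  egress:
    - to:
        - podSelector: {}
---
# Policy 3: the only cross-namespace traffic a tenant needs: inbound from the
# shared ingress controller, and outbound DNS to kube-dns. namespaceSelector and
# podSelector in the same list item are ANDed, so this matches kube-dns pods
# in kube-system only, not every pod in kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller-and-dns
  namespace: tenant-acme
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed ingress namespace
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed kube-dns label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Policy 4: outbound internet (outgoing SMTP, ACME renewals, federation), but
# never to other pods in the cluster. The "except" carves the assumed pod CIDR
# out of 0.0.0.0/0, so an open egress rule cannot be used to reach another
# tenant's namespace by IP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-internet-not-cluster
  namespace: tenant-acme
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8        # assumed pod/service CIDR; set to the cluster's real ranges
```

The check that goes with this is the one a customer should ask the operator to demonstrate: from a pod in a second namespace (say tenant-other), attempt a TCP connection to a tenant-acme service address and confirm it times out, then repeat from inside tenant-acme and confirm it succeeds. Without policy 1 every other policy is merely additive and isolation is not in effect; without policy 4's except list, a generous egress rule quietly re-opens tenant-to-tenant traffic by IP.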
06 / Personal data breach
If we become aware of a personal data breach affecting your tenant, we notify you without undue delay, as GDPR Article 33(2) requires of a processor, and in any event within 72 hours of becoming aware. The 72-hour deadline in Article 33(1) is your own, towards the supervisory authority; it runs from the moment you become aware, which in practice is when our notice reaches you.
The notice includes: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. We help you prepare your own notice to the supervisory authority (Article 33) and, where applicable, to data subjects (Article 34).
Notifications go to the admin email you provide at onboarding (the same address that receives the quarterly access review).
07 / Audit rights
You may request, once per twelve-month period: our security questionnaire (CAIQ-Lite shape), the latest sub-processor list, our records of processing activities under Article 30, and any internal audit reports we have on our own controls.
An on-site audit is available with at least 30 days' notice, scoped jointly to avoid disrupting other customers, at your reasonable expense. We keep records relevant to this DPA for three years after the contract ends.
08 / Return and deletion
You can request a full data export at any time during the contract: mailboxes as EML and maildir, files in their original formats, calendars as iCal, contacts as vCard, database rows in standard SQL. Exports are encrypted at rest during preparation and provided over an authenticated channel of your choosing.
On termination, you have 60 days to retrieve a final export. After that, customer personal data is deleted from primary storage. Backups are purged on their normal rotation (Restic snapshot retention, customer-controlled). A written confirmation of deletion is issued on request.
Where we are legally required to retain something beyond that window (for example, invoicing records under Luxembourg tax law), we keep only what is strictly required, separated from operational data, and not used for any other purpose.
09 / Assistance to controller
We help you meet your own GDPR obligations: responding to data-subject requests (Articles 15 to 22), conducting data protection impact assessments (Article 35), prior consultation with the supervisory authority (Article 36), and demonstrating compliance (Article 5(2)).
Route requests through your admin to hello@kiwistack.io. Tier response targets apply (see /security).
10 / International transfers
None. All processing and all sub-processors are inside the European Union. We do not rely on Standard Contractual Clauses, adequacy decisions, or the EU-US Data Privacy Framework, because we do not transfer your data outside the EU.
If a downstream contract of yours requires that we sign SCCs anyway (Module 2, controller-to-processor, where you are the controller; Module 3, processor-to-processor, where you act as processor for your own clients), we will, without changing where your data is actually processed.
11 / Term, liability, law
Term. This DPA runs concurrent with the service contract. Obligations on deletion, audit, and confidentiality survive termination for as long as we hold any of your data.
Liability. As between you and us, capped at the limit set in the Terms of Service (currently twelve months of fees paid). The cap operates between the two of us only; it cannot limit a data subject's right to compensation under GDPR Article 82. The cap does not apply to gross negligence, wilful misconduct, or breach of confidentiality.
Governing law and venue. Luxembourg law. Exclusive jurisdiction: the courts of Luxembourg. Supervisory authority: Commission nationale pour la protection des données (CNPD), Luxembourg. You retain the right to lodge a complaint with your local supervisory authority under GDPR Article 77.
Changes. If we change this DPA in a way that increases your obligations or reduces ours, we notify you at least 30 days in advance by email and on this page. Material disagreement allows you to terminate the affected service with a pro-rata refund.
12 / Contact
KiwiStack
Sole proprietorship, Luxembourg. VAT-registered in Luxembourg. Postal address available on request for contractual purposes.
Data protection contact: Corentin Dekimpe
KiwiStack's core activities do not involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special-category data, so a formal DPO under GDPR Article 37 is not mandatory at its current scale. Corentin Dekimpe is the named point of contact for all data-protection matters.