This Data Processing Addendum ("DPA") forms part of and is incorporated into the agreement between Kronisys Inc. ("Kronisys", "we", "Processor") and the customer organization identified in the applicable Order Form ("Customer", "Controller") governing Customer's use of the Strata platform and related services (the "Services"). That agreement consists of our Terms of Service, together with the Privacy Policy, the Usage Policy, the Service Level Agreement, and any executed Order Form or enterprise agreement (collectively, the "Agreement").
This DPA applies where Kronisys processes Personal Data on behalf of Customer through the Services. In the event of a conflict between this DPA and the rest of the Agreement with respect to the processing of Personal Data, this DPA controls. In all other respects, the Agreement remains in full force and effect.
How to put this DPA in place. Enterprise customers may execute this DPA as part of their Order Form, or request a counter-signed copy, by contacting legal@kronisys.com. Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.
With respect to Personal Data processed in connection with the Services, Customer is the Controller and Kronisys is the Processor. Where Customer acts as a processor on behalf of a third-party controller, Kronisys acts as a sub-processor, and Customer is responsible for the third-party controller's authorizations and instructions.
Kronisys processes Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law — in which case Kronisys will inform Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
The Agreement, this DPA, and Customer's configuration and use of the Services (including connecting integrations, deploying agents, defining roles, and setting retention and lock policies) constitute Customer's complete and final processing instructions. Additional instructions outside the scope of the Agreement require a separate written agreement.
Subject matter. Provision of the Strata AI enterprise intelligence platform and related support, as described in the Agreement.
Nature and purpose. Kronisys processes Customer Data to: authenticate users via Microsoft Entra ID Single Sign-On; provide AI chat and analysis by routing prompts to AI models through Microsoft Foundry; execute live queries against Customer-connected SQL Server databases; search, read, and (where authorized) save files in connected OneDrive; index and read documents from connected SharePoint sites for the organization knowledge base; search, read, draft, and send email via connected Outlook; create meetings and post messages via connected Microsoft Teams; generate charts, Excel, PDF, and other deliverables; run scheduled and on-demand agents; and produce usage, audit, and billing records.
Duration. Kronisys processes Personal Data for the term of the Agreement, plus the retention periods described in Section 11 and Annex I.
Categories of Data Subjects and Personal Data. As determined by Customer's configuration and use of the Services. See Annex I. Customer is responsible for ensuring it has a lawful basis to submit Personal Data to the Services and, consistent with the Usage Policy, for not submitting special-category or specially regulated data (for example, data subject to HIPAA, PCI-DSS, FERPA, or GLBA) unless Customer has executed an enterprise agreement that expressly permits such data and Kronisys has implemented the corresponding controls.
Kronisys will:
Kronisys maintains appropriate technical and organizational measures designed to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures, described in full in the Privacy Policy and the Security & Responsible Disclosure Policy, include without limitation:
No certifications are claimed. Strata runs on Microsoft Azure and inherits the platform security of the underlying Azure services, but Kronisys does not represent that it holds any independent certification (such as SOC 2, ISO 27001, or FedRAMP). Those are Microsoft's to certify for the platform, not ours to claim.
Kronisys ensures that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory), receive appropriate data-protection training, and are granted access only where needed to provide and support the Services. These obligations survive the end of each individual's engagement.
General authorization. Customer provides general written authorization for Kronisys to engage Sub-processors to process Personal Data, subject to this Section.
Flow-down and responsibility. Kronisys imposes on each Sub-processor data-protection obligations that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance of its obligations.
Current list. The authoritative, current list of Sub-processors is maintained in the Privacy Policy and reproduced in Annex II. It includes Microsoft Azure (hosting, database, file storage, and transactional email), Microsoft Foundry (AI model routing), the AI model providers reached through Foundry (OpenAI, Anthropic, and xAI), Stripe, Inc. (payment processing), and ipapi.co (IP geolocation). Microsoft 365 / Microsoft Graph services (Outlook, OneDrive, SharePoint, and Teams) act as data sources connected at Customer's direction. Where Customer brings its own Microsoft Foundry deployment, AI model inference is routed to that Customer-controlled resource.
Change notice and objection. Kronisys will provide enterprise customers at least 30 days' notice before adding or replacing a Sub-processor, by email to designated administrators. Customer may object in writing on reasonable data-protection grounds within 30 days of notice by emailing legal@kronisys.com. If Kronisys cannot reasonably accommodate the objection, Customer may terminate the affected portion of the Services without penalty by giving written notice within 30 days of Kronisys's response.
Taking into account the nature of the processing, Kronisys will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests to exercise rights of access, rectification, erasure, restriction, portability, and objection.
Strata provides Customer and its administrators with self-service tooling that supports these obligations, including in-product deletion of individual conversations, viewing and deletion of memory entries, disconnection and deletion of database credentials, administrator management and deletion of user accounts, configurable audit-log retention, and export of conversation history, memory entries, and account data in a structured machine-readable (JSON) format.
If Kronisys receives a request directly from a Data Subject relating to Customer's Personal Data, it will, where permitted, promptly forward the request to Customer and will not respond directly except on Customer's documented instructions.
Kronisys will notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data Breach affecting Customer's Personal Data, in accordance with GDPR Article 33 and other applicable Data Protection Laws.
The notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address and mitigate it. Where the information is not all available at once, Kronisys may provide it in phases without further undue delay.
Kronisys will reasonably cooperate with Customer in Customer's investigation and in any notifications Customer is required to make to Supervisory Authorities or Data Subjects. Notification of, or response to, a breach is not an acknowledgment by Kronisys of fault or liability.
Upon termination or expiry of the Agreement, and at Customer's choice, Kronisys will return or delete Customer's Personal Data, unless retention is required by applicable law. Customer may request export of conversation history, saved memory entries, and account data in JSON format within 30 days of termination, consistent with the Terms of Service; requests submitted after that window may not be fulfillable as data may have been purged.
In the ordinary course, deleted conversations and their activity logs are purged within 30 days; memory entries are purged within 30 days of deletion or of disabling the feature. Certain operational records may be retained for the period described in the Privacy Policy — in particular, audit logs for the organization's configured retention period (default 365 days) and data flagged for safety review or required by law for up to three years — after which they are deleted in accordance with the applicable retention policy.
Personal Data may be processed in the United States and other countries where Kronisys or its Sub-processors operate. The Azure region(s) used for hosting and processing are described in Annex I and the Privacy Policy.
Where processing involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, the parties rely on an appropriate transfer mechanism, including European Commission adequacy decisions, the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum to the SCCs for UK transfers, and other legally recognized mechanisms. The applicable mechanism is described in Annex III and incorporated by reference.
Kronisys will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. Audits are subject to reasonable confidentiality obligations and to reasonable limitations on scope, frequency (no more than once per twelve months absent a Supervisory Authority requirement or a confirmed breach), and advance notice. Where available, Kronisys may satisfy an audit request by providing relevant third-party reports, attestations, or summaries of the underlying Azure platform.
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, which apply in the aggregate across the Agreement and this DPA.
This DPA is governed by the same law and dispute-resolution provisions as the Agreement (the laws of the State of Florida, United States, as set out in the Terms of Service), except where Data Protection Laws require otherwise. Except as expressly amended by this DPA with respect to the processing of Personal Data, the Agreement remains unchanged and in full force.
| Item | Detail |
|---|---|
| Categories of Data Subjects | Customer's employees, contractors, and authorized users; and individuals whose Personal Data appears in Customer's connected data sources or submitted content (for example, recipients of emails, parties named in documents, or records in connected databases). |
| Categories of Personal Data | Names and business contact details; account identifiers and authentication metadata; the content of prompts, messages, files, and emails; query results; usage, audit, and billing records. |
| Special categories | None. Customer must not submit special-category or specially regulated data except under an enterprise agreement that expressly permits it (see the Usage Policy). |
| Processing operations | Authentication; AI chat and analysis via Microsoft Foundry; SQL query execution; file and email search, read, and authorized write; deliverable generation; agent execution; usage, audit, and billing logging. |
| Frequency | Continuous, for the term of the Agreement. |
| Retention | As described in Section 11 and the Privacy Policy (deleted content purged within 30 days; audit logs default 365 days; safety/legal holds up to 3 years). |
| Hosting region(s) | United States; the specific Azure region varies by deployment. |
The following is a point-in-time snapshot of the Sub-processors engaged to deliver the Services. The authoritative, current list — including change-notice and objection terms — is maintained in the Privacy Policy.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure (App Service, SQL Database, Blob Storage, Communication Services) | Hosting, database, file storage, transactional email | All customer data | United States (Azure region varies by deployment) |
| Microsoft Foundry | AI model routing | Prompts and responses | United States |
| OpenAI | AI model provider (GPT-5.4, GPT-5.4 Mini) | Prompts and responses | United States |
| Anthropic | AI model provider (Claude Sonnet 4.6, Claude Opus 4.8) | Prompts and responses | United States |
| xAI | AI model provider (Grok models via Foundry) | Prompts and responses | United States |
| Stripe, Inc. | Payment processing & invoicing for enterprise subscriptions | Billing contact details, tokenized payment credentials, invoice line items | United States |
| ipapi.co | IP geolocation lookup | IP addresses only | United States |
For transfers of Personal Data subject to GDPR to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), with Kronisys as "data importer" and Customer as "data exporter." The optional docking clause applies; the governing law and competent Supervisory Authority are those of Customer's EU establishment or, where Customer has none, as determined under the SCCs. The technical and organizational measures in Section 6 and the processing details in Annex I serve as the corresponding SCC annexes.
For transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs. For transfers subject to Swiss law, references to the GDPR and the EU Supervisory Authority are read as references to the Swiss FADP and the Swiss Federal Data Protection and Information Commissioner. Where Customer requires a separately executed copy of these clauses, contact legal@kronisys.com.
Questions about this DPA, or requests to execute it, can be sent to: