Data Processing Addendum

Last revised: 5 May 2026

1. Scope and roles

This DPA forms part of the agreement between you ("Customer", "Controller") and the operator of the KVM Fleet service ("KVM Fleet", "Processor", "we"), established in Malta. It applies to the processing of personal data carried out by us on your behalf in connection with the Service.

For data we collect directly from you (e.g. account holder email, billing details), we act as controller; that processing is governed by the Privacy Policy. For data your team or end users submit through the Service (e.g. emails of users you invite, audit log entries you generate, device names, console session metadata), we act as processor and that processing is governed by this DPA.

2. Subject matter, nature and purpose of processing

Item	Detail
Subject matter	Provision of the KVM Fleet platform: enrolment of KVM-over-IP devices, remote console access, audit logging, alerts, role-based team management, SIEM webhook export, billing, and supporting services.
Duration	For as long as the Customer's account is active, plus the retention periods set out in the Privacy Policy §8 and below in §6.
Nature of processing	Storage, transmission, organisation, structuring, retrieval, consultation, disclosure (to authorised users via the Service), erasure on request, and other operations strictly necessary to operate the Service.
Purpose	To provide and improve the Service to the Customer, fulfil the Terms of Service, comply with applicable law, and protect the integrity and security of the Service.

3. Categories of data subjects and personal data

Categories of data subjects	Categories of personal data
The Customer's employees, contractors, agents and other authorised users of the Customer's KVM Fleet account Individuals invited to join the Customer's organisation as team members End users of systems remotely managed via KVM Fleet (only insofar as their identifiers appear in audit-log entries the Customer chooses to record)	Identification: email address, name (optional), display name Authentication: password hash, TOTP secret, SSO subject identifier Activity: audit-log entries (action, target, result, IP, timestamp), console-session metadata (start/end, duration, viewer) Technical: IP address, user-agent string Membership: role within the organisation (org_admin, operator, etc.), expiry timestamps for time-limited memberships

Categories of data subjects

Categories of personal data

The Customer's employees, contractors, agents and other authorised users of the Customer's KVM Fleet account
Individuals invited to join the Customer's organisation as team members
End users of systems remotely managed via KVM Fleet (only insofar as their identifiers appear in audit-log entries the Customer chooses to record)

Identification: email address, name (optional), display name
Authentication: password hash, TOTP secret, SSO subject identifier
Activity: audit-log entries (action, target, result, IP, timestamp), console-session metadata (start/end, duration, viewer)
Technical: IP address, user-agent string
Membership: role within the organisation (org_admin, operator, etc.), expiry timestamps for time-limited memberships

Special categories of personal data (Art. 9 GDPR) and criminal-conviction data (Art. 10) are not intended to be processed under this DPA. The Customer must not submit such data through the Service unless we have agreed in writing to additional safeguards.

4. Customer instructions

We will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country, except where required to do so by EU or member-state law to which we are subject. In such a case, we will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The instructions are set out in (i) the Terms of Service, (ii) the Privacy Policy, (iii) this DPA, and (iv) the Customer's lawful use of the Service's configuration options. We will inform the Customer if, in our opinion, an instruction infringes the GDPR or other applicable data-protection law.

5. Confidentiality

We ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is restricted to personnel who require it to perform their duties.

6. Security of processing (Art. 32 GDPR)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, we implement appropriate technical and organisational measures including:

EU-only hosting (Hetzner, Falkenstein, Germany) on hardened infrastructure with non-root containers, capability drops, and rotating secrets
Encryption in transit: HTTPS / TLS for all browser and API traffic; HSTS preload
Postgres row-level security: each tenant's data is isolated at the database level so a query cannot cross organisation boundaries
Tamper-evident audit log: every event is part of a SHA-256 hash chain protected by a database-level write trigger
Bcrypt-hashed passwords and bcrypt-hashed TOTP recovery codes — no plaintext credential is ever stored
Refresh-token rotation with reuse detection; short-lived JWT access tokens with explicit audience claims
Rate limiting and brute-force throttling on authentication endpoints
Single-use opaque password-reset tokens with a fifteen-minute lifetime
Role-based access control for our own personnel; production access is logged and limited to what is needed for support and abuse investigation
Backups taken regularly; restoration drills performed periodically

We will notify the Customer without undue delay (and in any event consistent with our obligations under Art. 33 GDPR) of any personal-data breach affecting Customer Personal Data, including providing the information described in Art. 33(3) GDPR insofar as it is available to us.

7. Sub-processors

The Customer provides general written authorisation for us to engage sub-processors. We maintain an up-to-date list of sub-processors at the Privacy Policy §6, currently:

Sub-processor	Purpose	Location
Hetzner Online GmbH	Cloud hosting (compute, storage, network)	Falkenstein, Germany (EU)
Stripe Payments Europe Ltd.	Subscription billing and customer portal	Ireland (EU); limited US transfers under EU–US Data Privacy Framework
Sendinblue SAS (Brevo)	Outbound transactional email	France (EU)
ImprovMX SRL	Inbound mail forwarding for KVM Fleet aliases	Belgium (EU)
Google Ireland Ltd. (only if Customer enables Google SSO)	Authentication	Ireland (EU); standard Google sub-processor chain

We will inform the Customer of any intended changes concerning the addition or replacement of sub-processors with reasonable prior notice (at least 30 days), giving the Customer the opportunity to object. Each sub-processor is bound by data-protection obligations no less protective than those in this DPA, including the security measures in §6 to the extent applicable.

8. Assistance to the Customer

Taking into account the nature of the processing and the information available to us, we will:

Assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to data-subject requests under Chapter III GDPR. The Service exposes self-service export and deletion of audit logs, device lists and team membership through the dashboard and API; further requests can be addressed to privacy@kvmfleet.io.
Assist the Customer in ensuring compliance with Art. 32-36 GDPR (security, data-breach notification, data-protection impact assessments and prior consultation), taking into account the nature of processing and the information available to us.

9. Deletion or return at end of services

On termination of the agreement, the Customer may export Customer Personal Data through the Service for thirty (30) days. Thereafter, we delete Customer Personal Data within ninety (90) days of account closure, except (i) where we are required by EU or member-state law to retain certain data (for example billing records subject to ten-year accounting retention under Maltese law) or (ii) where data is held in routine encrypted backups and will be overwritten in accordance with backup-retention policy.

10. Audits and inspections

We make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable advance notice, no more than once per twelve-month period (except where required by a competent supervisory authority or following a personal-data breach), confidentiality obligations, and reimbursement of our reasonable costs in providing such cooperation. Where appropriate, we may satisfy this obligation by providing third-party audit reports (e.g. SOC 2, ISO 27001) under non-disclosure.

11. International transfers

The Service is hosted in the EU and Customer Personal Data is kept in the EU wherever possible. Limited transfers to non-EU countries occur only in connection with the sub-processors listed in §7 (Stripe and Google sub-processor chains may involve transfers to the United States). Such transfers rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) Module 2 (controller-to-processor), which are incorporated into this DPA by reference, and on the EU–US Data Privacy Framework where the receiving organisation is certified.

For the purposes of the Standard Contractual Clauses:

Module 2 (Controller-to-Processor) applies, with the Customer as data exporter and KVM Fleet as data importer.
Clause 7 (docking clause) applies.
Clause 9 option (a) applies — general written authorisation for sub-processors with a 30-day notification period (see §7).
The optional language of Clause 11(a) (independent dispute resolution) does not apply.
The governing law for the Clauses is the law of Malta (Clause 17, Option 1) and the competent forum is the courts of Malta (Clause 18).
Annex I.A (parties), I.B (description of transfer) and I.C (competent supervisory authority — Office of the Information and Data Protection Commissioner, Malta) are populated by the agreement, this DPA, and the Privacy Policy.
Annex II (technical and organisational measures) is populated by §6 of this DPA.
Annex III (sub-processors) is populated by §7 of this DPA.

12. Liability

Each party's liability under this DPA is governed by, and subject to the limitations and exclusions set out in, the limitation-of-liability provisions of the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable mandatory law (including Art. 82 GDPR claims by data subjects).

13. Conflicts and order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of that conflict on matters of personal-data protection. The Standard Contractual Clauses prevail over both this DPA and the Terms of Service to the extent of any conflict on matters within their scope.

14. Lawyer-review notice

This DPA is a first-pass draft published 5 May 2026. It has been written to satisfy Art. 28 GDPR and to incorporate the EU Standard Contractual Clauses Module 2, but it has not yet been reviewed by external counsel. We are working with a Maltese-licensed law firm to validate it; revisions may follow without changing the substantive protections offered to the Customer. Customers requiring a counter-signed DPA before contracting are invited to write to legal@kvmfleet.io.