Data Processing Agreement

Last updated: March 24, 2026

This DPA governs how KBPipe processes personal data on behalf of its customers, in compliance with GDPR, CCPA/CPRA, and applicable US state privacy laws.

1. Definitions

  • “Controller” / “Business” — The KBPipe customer (the organization subscribing to the service).
  • “Processor” / “Service Provider” — KBPipe, the entity operating the video-to-article pipeline.
  • “Data Subject” / “Consumer” — Any individual whose personal data is processed through the service.
  • “Personal Data” — Any information relating to an identified or identifiable person submitted to or processed by KBPipe.
  • “Processing” — Any operation performed on personal data, including transcription, AI article generation, and storage.
  • “Sub-processor” — A third party engaged by KBPipe to process personal data on its behalf.
  • “Applicable Privacy Law” — GDPR (EU 2016/679), CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), and any substantially equivalent US state privacy law in force (VA CDPA, CO CPA, TX TDPSA, CT CTDPA, etc.).

2. Scope & Nature of Processing

Data that is processed:

  • Video URLs — links submitted by the Controller for transcription
  • Audio streams — fetched from video URLs, processed entirely in memory, never written to disk or stored
  • Transcripts — generated from audio, held in memory during processing only, discarded after pipeline completion
  • Generated articles — stored in the database, scoped to the Controller's workspace
  • Account data — email address, workspace name, company context
  • API keys — stored as SHA-256 hashes only; raw keys are never recoverable

Data NOT stored by KBPipe:

  • Raw video or audio files are never persisted
  • Transcripts are deleted immediately after article generation
  • No biometric data, payment data, government IDs, or health information is collected

Purpose limitation: Personal data is processed solely to provide the KBPipe service. No secondary use, no profiling, no targeted advertising.

Processing method: Fully automated with no human review of video content or transcripts.

3. Controller Obligations

As the Controller, you are responsible for:

  • Having a lawful basis under GDPR Art. 6 for submitting data to KBPipe
  • Obtaining necessary consents from individuals appearing in submitted videos
  • Ensuring submitted videos do not contain special category data (health, biometric, political opinions) unless expressly agreed in writing
  • Providing privacy notices to data subjects and responding to data subject requests
  • Ensuring video URLs are either publicly accessible with the data subject's knowledge, or shared internally within the Controller's organization

4. Processor Obligations & Security

Instruction compliance (GDPR Art. 28(3)(a)): KBPipe processes personal data only on documented instructions from the Controller. If an instruction appears to violate Applicable Privacy Law, KBPipe will notify the Controller before proceeding.

Confidentiality (GDPR Art. 28(3)(b)): Personnel with access to personal data are bound by confidentiality obligations. Access is restricted on a need-to-know basis.

Technical & Organizational Measures:

MeasureImplementation
Data minimizationAudio and transcripts exist only in memory; never stored
Encryption in transitTLS 1.2+ enforced on all connections
Encryption at restAES encryption via AWS/Supabase infrastructure
Access controlRow-Level Security (RLS) isolates each workspace
AuthenticationSupabase Auth with email/password and Google OAuth
API authorizationSHA-256 hashed bearer tokens; raw keys never stored
Network securitySSRF protection, rate limiting on all endpoints
Workspace isolationDatabase-level RLS policies prevent cross-tenant access

5. Data Subject & Consumer Rights

GDPR rights (Art. 15–22): KBPipe will provide reasonable technical assistance to the Controller to fulfill access, rectification, erasure, restriction, portability, and objection requests within 5 business days.

Self-service deletion: Users can delete their account through Settings, which permanently removes all articles, workspaces, preferences, API keys, and the authentication record. Deletion is immediate and irreversible.

CCPA/CPRA Compliance:

  • KBPipe does not sell or share personal information as defined by CCPA §1798.140
  • KBPipe processes personal information solely as a “Service Provider” under CCPA §1798.140(ag)
  • KBPipe will not retain, use, or disclose personal information for any commercial purpose other than providing the contracted service
  • KBPipe certifies it understands and will comply with the restrictions of CCPA §1798.140(ag)

US state privacy laws (VA CDPA, CO CPA, TX TDPSA, CT CTDPA): KBPipe treats all personal data in compliance with equivalent processor obligations under applicable US state laws. KBPipe does not engage in profiling or targeted advertising using Controller data.

6. International Data Transfers

All data is stored and processed in the United States (Supabase on AWS; Vercel serverless functions).

For EU/EEA Controllers, data transfers are governed by the Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914, Module 2 (Controller-to-Processor), incorporated by reference into this DPA.

In any conflict between this DPA and the SCCs, the SCCs prevail. Each sub-processor is bound by equivalent transfer mechanisms.

7. Sub-processors

KBPipe engages the following sub-processors:

ServicePurposeData ProcessedLocation
AssemblyAIAudio transcriptionAudio stream (in-flight only)US
Anthropic (Claude)AI article generationTranscript text as prompt inputUS
Supabase (AWS)Database & authAccount data, articles, API key hashesUS
VercelHosting & serverlessRequest data, transient logsUS

Key data flow notes:

  • AssemblyAI receives only the audio stream, not raw video files
  • Anthropic receives only transcript text to generate articles; not the original video or audio
  • No sub-processor stores raw video content

Change notification: KBPipe will provide at least 30 days' prior written notice of any addition or replacement of sub-processors. Controllers may object in writing within 14 days; unresolved objections entitle the Controller to terminate without penalty.

8. AI Model Training

Zero training guarantee

  • KBPipe does not use any Controller data to train, fine-tune, or improve any AI model
  • All API calls to Anthropic are made via the standard API; Controller data is not fed into any training pipeline
  • Anthropic does not use API inputs for model training
  • AssemblyAI does not use API inputs for model training
  • This prohibition applies to all current and future sub-processors

9. Breach Notification

KBPipe will notify the Controller of any confirmed personal data breach without undue delay, and no later than 72 hours after becoming aware.

Notification will include:

  • Nature of the breach
  • Categories and approximate number of affected records
  • Likely consequences
  • Measures taken or proposed to mitigate

Scope limitation: Because audio and transcripts are never stored, a database breach cannot expose raw video content or transcripts — only stored articles and account data.

10. Audit Rights

Per GDPR Art. 28(3)(h), KBPipe will make available all information necessary to demonstrate compliance with this DPA.

  • Controllers may conduct or commission audits with at least 30 days' written notice
  • Audits are limited to once per calendar year, at Controller's cost
  • KBPipe may satisfy audit requests by providing written questionnaire responses or third-party security assessments in lieu of on-site audit

11. Data Retention & Deletion

Data TypeRetention
Audio streamsIn-memory only (~2-4 min); never stored
TranscriptsIn-memory only; discarded after article generation
Generated articlesUntil user deletes or account deletion
Account dataUntil account deletion (immediate, irreversible)
API key hashesUntil key revocation or account deletion
Rate-limit recordsAuto-expire after 60-second sliding window

Upon termination of the agreement, KBPipe will delete all Controller personal data within 30 days, unless prohibited by law.

12. Liability & Governing Law

Each party is liable for damages caused by its own non-compliance with Applicable Privacy Law. KBPipe's liability is subject to the limitations in the Terms of Service, except where prohibited by applicable law.

Governing law: For EU/EEA Controllers, this DPA is governed by the laws of the Controller's EU member state. For US Controllers, this DPA is governed by the laws of the State of Israel. The SCCs (if applicable) are governed by the laws of the relevant EU member state.

This DPA is co-terminus with the KBPipe Terms of Service. Obligations survive termination to the extent personal data remains in KBPipe's possession.

Questions about this DPA or need a signed copy? Contact us at

privacy@kbpipe.io

See also: Privacy Policy · Terms of Service · Security Overview

← Back to KBPipe