Legal
DATA PROCESSING AGREEMENT
Last updated: July 2026 · legal@kernlapp.com
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between KERNL, LLC ("KERNL," "we," or "us") and the franchisor customer that has accepted the Agreement ("Customer," "you"). It applies whenever KERNL processes Personal Data on your behalf through the KERNL platform. Where this DPA conflicts with the rest of the Agreement on the subject of data protection, this DPA controls.
Roles. For personal data your organization uploads or generates in KERNL about your franchisees, staff, and invited users, you are the data controller (GDPR) or business (CCPA/CPRA) and KERNL is the data processor (GDPR) or service provider (CCPA/CPRA). KERNL processes that data only to provide the Service, on your documented instructions — never for its own purposes.
Contact: legal@kernlapp.com · KERNL, LLC · 2108 N St #15945 · Sacramento, CA 95816. To request a countersigned copy of this DPA for your records, email us at the address above.
1. Definitions
"Applicable Data Protection Law"means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"). "Personal Data," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law. "Sub-processor" means any third party engaged by KERNL to process Personal Data on your behalf.
2. Scope and Processing Instructions
KERNL processes Personal Data only on your documented instructions. The Agreement, this DPA, and your use and configuration of the Service constitute your complete and final instructions. KERNL will inform you if, in its opinion, an instruction infringes Applicable Data Protection Law (though KERNL is not obliged to provide a legal review of your instructions).
3. Nature, Purpose, and Duration
Nature and purpose: hosting and operating a franchise document, compliance, training, and AI question-answering platform on your behalf. Duration: the term of your subscription, plus the wind-down period described in Section 10.
4. Categories of Data Subjects and Personal Data
| Data Subjects | Types of Personal Data |
|---|---|
| Your franchisees, location staff, administrators, and other users you invite to KERNL | Names, email addresses, role, and location assignment; authentication identifiers; training completions, compliance acknowledgments, and checklist activity; the contents of documents you upload (which may contain personal data such as employee names in handbooks); usage and log data (IP address, timestamps, actions taken). |
KERNL does not require or request special-category (sensitive) personal data. You are responsible for the content you choose to upload and should not include special-category data unless you have a lawful basis to do so.
5. KERNL's Obligations as Processor
KERNL will:
- process Personal Data only on your documented instructions (Section 2);
- ensure personnel authorized to process Personal Data are bound by confidentiality;
- implement the technical and organizational security measures in Section 6;
- respect the conditions for engaging Sub-processors in Section 7;
- assist you, taking into account the nature of the processing, in responding to Data Subject requests (Section 8);
- assist you with security, breach notification, data protection impact assessments, and prior consultations, taking into account the information available to KERNL;
- notify you of a Personal Data Breach as described in Section 9; and
- delete or return Personal Data at the end of the Agreement (Section 10).
6. Security Measures
KERNL maintains technical and organizational measures appropriate to the risk, including: TLS encryption in transit and AES-256 encryption at rest; row-level security enforcing tenant isolation across all multi-tenant database tables; role-based access controls and least-privilege access; timestamped audit logging; secret management; and periodic review of these measures. No system is perfectly secure, but KERNL works to maintain a level of security appropriate to the risk to Data Subjects.
7. Sub-processors
You provide general authorization for KERNL to engage the Sub-processors listed in the "Sub-Processors" section of our Privacy Policy. KERNL imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable for its Sub-processors' performance. KERNL will give you reasonable notice of any intended addition or replacement of a Sub-processor, and you may object on reasonable data-protection grounds by emailing legal@kernlapp.com.
8. Assistance with Data Subject Requests
The Service provides functionality that helps you access, correct, export, and delete Personal Data. Taking into account the nature of the processing, KERNL will assist you in fulfilling your obligation to respond to Data Subject requests. If KERNL receives a request directly from one of your Data Subjects, it will, where legally permitted, direct that person to you as the controller.
9. Personal Data Breach Notification
KERNL will notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf, and will provide information reasonably available to it to help you meet your own notification obligations under Applicable Data Protection Law.
10. Return and Deletion of Data
On termination of the Agreement, your Personal Data remains available for export for 30 days, after which KERNL deletes it, except where retention is required by law (for example, payment and ToS-acceptance records, as described in our Privacy Policy). KERNL will confirm deletion in writing on request.
11. International Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States, KERNL relies on the Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference.
12. Audit and Information Rights
On reasonable prior written request, and subject to confidentiality, KERNL will make available information necessary to demonstrate compliance with this DPA. KERNL may satisfy audit requests by providing relevant documentation, reports, or third-party certifications where available.
13. CCPA/CPRA Service-Provider Terms
With respect to Personal Data governed by the CCPA/CPRA, KERNL acts as a Service Provider. KERNL will not sell or share Personal Data, will not retain, use, or disclose it for any purpose other than performing the Service (the business purpose) or as otherwise permitted by the CCPA/CPRA, and will not combine it with data from other sources except as permitted by law. KERNL certifies that it understands and will comply with these restrictions.
14. Liability and Order of Precedence
This DPA is incorporated into and forms part of the Agreement. Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Except as expressly modified here, the Agreement remains in full force.
15. Governing Law
This DPA is governed by the law of the State of California, without prejudice to any mandatory rights of Data Subjects under Applicable Data Protection Law.
16. How to Reach Us
Questions about this DPA, or requests for a countersigned copy, can be sent to legal@kernlapp.com.