Data Processing Addendum
Last updated: 2026-06-25
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer") and LifeSage LLC, a Washington limited liability company, operating the Karta service under the Karta brand ("Karta"), governing Customer's use of the Services. This DPA applies when Karta processes Customer Personal Data on behalf of Customer.
In the event of a conflict, the following order of precedence applies, to the extent of the conflict: (1) the Standard Contractual Clauses, where they apply; (2) this DPA; and (3) the Agreement. The DPA otherwise supplements the Agreement and does not modify its other terms.
Karta may amend this DPA on reasonable notice to Customer to the extent the amendment is required to reflect changes in Applicable Data Protection Law, guidance from a supervisory authority, or changes to the Services that do not materially reduce the protections afforded to Customer Personal Data.
1. Definitions
"Applicable Data Protection Law" means privacy, data protection, and data security laws applicable to Karta's processing of Customer Personal Data, including where applicable the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other U.S. state privacy laws.
"Customer Personal Data" means personal data Karta processes on behalf of Customer through the Services, including End-User Data.
"End-User Data" means prompts, messages, files, transcripts, Outputs, tool inputs/outputs, hosted-chat content, and durable workspace state relating to Customer's end users.
"Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Subprocessor" means a third party Karta engages to process Customer Personal Data.
"SCCs" means the European Commission Standard Contractual Clauses under Implementing Decision (EU) 2021/914, Modules Two and Three as applicable.
Terms such as controller, processor, data subject, personal data, processing, business, service provider, consumer, sell, and share have the meanings given under Applicable Data Protection Law. Capitalized terms used but not defined in this DPA (including "Agreement," "Services," "Customer Content," "Outputs," and "Authorized Users") have the meanings given in the Agreement.
2. Roles
Customer is the controller of Customer Personal Data and Karta is the processor. If Customer acts as a processor for another controller, Karta acts as Customer's subprocessor and Customer represents that it has authority to appoint Karta and instruct the processing.
Karta is a controller for Customer account, billing, dashboard, website, support, and platform-administration data. That data is governed by Karta's Privacy Policy, not this DPA.
3. Instructions and Processing
Karta will process Customer Personal Data only:
- to provide, secure, support, maintain, and improve the Services;
- as documented in the Agreement, this DPA, and Customer's use/configuration of the Services;
- to prevent or address fraud, abuse, security incidents, technical issues, and policy violations;
- to comply with law; and
- as otherwise instructed by Customer in writing.
Customer's documented instructions include Customer's configuration of Agents, model mode, BYOK keys, tools, MCP servers, external integrations, retention/export settings, access controls, spend caps, and embeds.
Where Karta is required by EU or Member State law, or other Applicable Data Protection Law, to process Customer Personal Data other than on Customer's instructions, Karta will inform Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
Karta will inform Customer if, in Karta's opinion, an instruction violates Applicable Data Protection Law, unless law prohibits that notice. Karta will also promptly inform Customer if it determines that it can no longer meet its processing obligations under this DPA, in which case Customer may, as its remedy, suspend the affected processing or terminate the affected Services. Customer is responsible for the lawfulness of its instructions and for providing notices, consents, and lawful bases to end users.
Customer will defend, indemnify, and hold harmless Karta and its affiliates from and against any claim, demand, fine, or proceeding by a third party, data subject, end user, or supervisory authority, and any resulting losses, to the extent arising from Customer's instructions, Customer's configuration or use of the Services, or Customer's failure to obtain or maintain the notices, consents, lawful bases, or rights required under Section 14.
Karta will not sell or share Customer Personal Data, use it for targeted advertising or cross-context behavioral advertising, or use it to train or fine-tune models unless Customer expressly opts in.
Karta may create and use aggregated, anonymized, and de-identified data derived from the processing, and operational and telemetry data about the Services (such as usage volumes, error rates, latency, and security signals), to provide, secure, monitor, support, and improve the Services. Karta will not attempt to re-identify de-identified data, and such data does not identify Customer, any data subject, or any end user. This data is not Customer Personal Data.
4. Personnel and Confidentiality
Karta will ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations and access data only as needed for their duties.
Karta operator access to End-User Data is restricted, logged, and limited to support, security, abuse, legal, or service-operation needs. Where product controls support it, transcript access is subject to customer-configurable access settings, dual-audited, and customer-visible.
5. Security Measures
Karta will maintain technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, alteration, or disclosure. Current measures include:
- TLS for data in transit;
- encryption at rest for designated stores and provider-managed encryption for cloud storage;
- AES-256-GCM encryption for BYOK provider keys;
- bcrypt hashing for API keys;
- role-based access control and scoped keys;
- MFA/passkey support and step-up checks for sensitive actions;
- per-session isolated runtime environments;
- tenant and workspace partitioning;
- audit logging for account and operator actions;
- vulnerability management and dependency review;
- backup and recovery processes; and
- least-privilege access practices.
Karta may update measures if the overall protection is not materially reduced. Karta is not currently SOC 2 certified and has not yet begun a SOC 2 examination; Karta intends to begin pursuing SOC 2 Type I in Q4 2026.
6. Subprocessors
Customer gives Karta general authorization to engage Subprocessors. Karta's current Subprocessor list is published in the Sub-processor List and currently includes Stripe, Anthropic, Hetzner Online GmbH, AWS, Postmark, and Sentry (application error monitoring and performance telemetry; United States).
Karta will impose written obligations on Subprocessors that are substantially similar to this DPA where applicable. Karta remains fully liable to Customer for the performance of each Subprocessor's data-protection obligations, subject to the monetary liability limitations in the Agreement.
Karta will provide at least 30 days' notice before authorizing a new Subprocessor to process Customer Personal Data, unless immediate onboarding is required for security, legal, continuity, or urgent operational reasons, in which case Karta will provide notice as soon as reasonably practicable thereafter. The objection right below applies in either case. Customer may object within 15 days on reasonable data-protection grounds by emailing privacy@karta.sh. The parties will work in good faith to resolve objections. If unresolved, Customer's sole remedy is to terminate the affected Services within 30 days after the objection and receive any refund available under the applicable Karta refund and billing terms; if Customer does not terminate within that window, the new Subprocessor is deemed accepted.
BYOK Model Providers are Customer-selected providers and are not Karta Subprocessors for BYOK traffic. Customer is responsible for its own provider agreement, DPA, costs, and compliance.
7. Data Subject Requests
Karta will assist Customer, taking into account the nature of processing, with data subject requests. If Karta receives a request relating to Customer Personal Data, Karta may direct the requester to Customer or forward the request to Customer if identifiable. Karta will not respond directly except as authorized by Customer or required by law.
Customer is responsible for responding to data subject requests relating to Customer Personal Data. Karta may charge reasonable fees for assistance that exceeds self-service functionality or ordinary support.
8. Security Incident Notice
Karta will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data.
Notice will include available information about the nature of the incident, affected data and data subjects, likely consequences, and mitigation steps, and may be provided in phases as information becomes available. Karta will reasonably cooperate with Customer's investigation and notification obligations. As between the parties, Customer is solely responsible for determining whether, and for fulfilling any obligation to, notify supervisory authorities, affected data subjects, or others; Karta will not make such notifications on Customer's behalf, or identify Customer in a notification, except as required by law or as Customer directs in writing. Karta's notification of, or response to, a Security Incident is not an acknowledgment of fault or liability.
9. DPIAs and Regulatory Assistance
Karta will provide reasonable assistance with data protection impact assessments, transfer impact assessments, and regulator consultations required by Applicable Data Protection Law, taking into account the nature of processing and information available to Karta. Karta may charge reasonable fees for such assistance, and for audit-support and similar regulatory assistance, that exceeds Karta's standard documentation and reports.
10. Return and Deletion
On termination or Customer request, Karta will delete or return Customer Personal Data as instructed, subject to product functionality, backups, legal holds, security, fraud, abuse, dispute, and statutory retention.
Customer is responsible for exporting or requesting return of Customer Personal Data during the post-termination export window provided in the Agreement or through available self-service functionality. Unless Customer requests return during that window, termination is a standing instruction to delete Customer Personal Data. Karta will use commercially reasonable efforts to delete active Customer Personal Data within a reasonable period, on Karta's ordinary deletion cycles, after termination or request, with archival and backup copies aging out on Karta's ordinary backup cycles and remaining subject to this DPA's confidentiality and security protections until deleted. Karta is not required to return or delete data in a form, format, or schedule that is technically impracticable or that would require Karta to compromise the security or integrity of its systems. On request, Karta will certify deletion in writing.
11. Audits
Karta will make information reasonably necessary to demonstrate compliance available to Customer. Where Karta has a current third-party audit report or certification, Karta may provide it under confidentiality to satisfy audit obligations.
If available information is insufficient, Customer may audit Karta's relevant controls no more than once per 12 months, on at least 30 days' notice, during business hours, at Customer's expense, under confidentiality, and without unreasonable disruption, except where a more frequent audit is required by a supervisory authority or following a Security Incident affecting Customer Personal Data. The audit scope and duration must be reasonable and mutually agreed in advance, are limited to a reasonable number of business days, and must not require Karta to disclose information that would compromise the security of other customers or breach Karta's confidentiality or legal obligations. Inspection of physical data-center controls of Karta or its Subprocessors is satisfied by the applicable third-party audit reports or certifications; Karta is not required to provide physical access to data centers except to the extent a supervisory authority requires on-site inspection of Karta's own controls or such reports are demonstrably insufficient to provide equivalent assurance, in which case the parties will agree reasonable terms for a narrowly scoped on-site inspection of Karta's own controls. Karta may reject auditors that are competitors of Karta or not reasonably qualified, and may require the auditor to execute Karta's confidentiality agreement directly before the audit. Customer bears its own costs and Karta's reasonable costs of supporting the audit. Customer may use audit results only to confirm Karta's compliance with this DPA, to meet Customer's own regulatory requirements, and as required to comply with Applicable Data Protection Law or a supervisory-authority request, and the results are the Confidential Information of both parties.
12. International Transfers
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the SCCs are incorporated into this DPA by reference and deemed executed by the parties, completed as follows. Customer (and any controller on whose behalf Customer acts) is the data exporter; Karta is the data importer. Where the Customer Personal Data is also transferred onward to a Subprocessor, the relevant transfer terms apply between Karta and that Subprocessor.
- Module Two applies where Customer is controller and Karta is processor.
- Module Three applies where Customer is processor and Karta is subprocessor.
- Clause 7 (docking clause) applies.
- Clause 9 Option 2 (general written authorization) applies, with the Subprocessor notice period set out in Section 6.
- Clause 11 (independent dispute resolution) optional wording does not apply.
- Clause 17 (governing law) is the law of Ireland.
- Clause 18 (choice of forum and jurisdiction) is the courts of Ireland.
- Annex I.A (parties) is completed by the preamble and Schedule 1; Annex I.B (description of transfer) by Schedule 1; Annex I.C (competent supervisory authority) by Schedule 1; Annex II (technical and organizational measures) by Schedule 2; and Annex III (Subprocessors) by Schedule 3.
- For UK transfers, the UK International Data Transfer Addendum (the UK Addendum) applies, the EU SCCs as completed above are the Approved Addendum's incorporated clauses, and Karta as data importer may end the UK Addendum as permitted by its Table 4.
- For Swiss transfers, the SCCs apply with the FADP adaptations: references to the GDPR are read as references to the FADP; the competent authority is the Swiss Federal Data Protection and Information Commissioner; and, until the revised FADP is in force, the SCCs also protect the data of legal entities.
The parties acknowledge that the third-party-beneficiary rights of data subjects under Clause 3 of the SCCs apply as set out in the SCCs. To the extent the SCCs conflict with this DPA, the SCCs control. Karta will, on Customer's reasonable request, provide information reasonably necessary for Customer to complete a transfer impact assessment, and may satisfy its transfer-mechanism and transfer-impact obligations through published documentation. If the SCCs or any other transfer mechanism relied on here is invalidated, superseded, or amended, or an adequacy decision (including any applicable data privacy framework) changes, Karta may adopt an alternative lawful transfer mechanism or successor clauses, which will apply automatically without re-execution of this DPA. Schedules 1, 2, and 3 below complete the SCC annexes.
13. U.S. State Privacy Terms
For Customer Personal Data subject to U.S. state privacy laws, Karta acts as service provider/processor and Customer acts as business/controller. Customer's disclosure of Customer Personal Data to Karta is not a sale or share and is made for the business purposes of providing the Services.
Karta processes Customer Personal Data only for the business purposes specified in this DPA and the Agreement and to perform the Services. Karta will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in this DPA, including outside the direct business relationship, except as permitted by Applicable Data Protection Law; (c) combine it with other personal information except as permitted by Applicable Data Protection Law; or (d) use it for targeted advertising or cross-context behavioral advertising. Karta certifies that it understands and will comply with the restrictions in this Section.
Karta will notify Customer if it determines that it can no longer meet its obligations under Applicable U.S. state privacy law. Customer may take reasonable and appropriate steps to (i) ensure that Karta uses Customer Personal Data in a manner consistent with Customer's obligations under Applicable U.S. state privacy law, including by monitoring Karta's compliance with this Section, and (ii) stop and remediate any unauthorized use of Customer Personal Data. Karta engages Subprocessors only under a written contract requiring them to provide the same level of protection as required of Karta under this Section.
14. Customer Obligations
Customer represents that it has all rights, notices, consents, permissions, and lawful bases required for Karta to process Customer Personal Data under this DPA. Customer is responsible for determining whether the Services are suitable for Customer's data, industry, jurisdictions, and use case.
Customer will not submit protected health information, payment-card data, Social Security numbers, government identifiers, or other regulated data unless Karta expressly agrees in writing to support it. Karta has no liability arising from Customer's submission of such data in breach of this Section, Karta may suspend processing of or delete such data, and Customer will defend, indemnify, and hold harmless Karta and its affiliates from and against any claim or losses arising from that submission.
15. Government and Third-Party Requests
If Karta receives a legally binding request for Customer Personal Data, Karta will, where legally permitted, notify Customer, direct the requester to Customer where appropriate, challenge requests that appear unlawful or overbroad where it has reasonable grounds to do so, and disclose only what Karta reasonably believes is legally required.
16. Liability
Each party's and its affiliates' total aggregate liability arising out of or related to this DPA and the Standard Contractual Clauses, whether in contract, tort, or any other theory, is subject to the limitations and exclusions of liability (including the aggregate liability cap and the exclusion of indirect, consequential, and similar damages) set out in the Agreement. Any reference in the Agreement's liability provisions to the liability of a party means the aggregate liability of that party and its affiliates under the Agreement, this DPA, and the SCCs taken together. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law or excludes a data subject's rights under the SCCs. The liability limitations and exclusions in the Agreement do not apply to, and do not limit, (a) either party's liability to a data subject under the SCCs; (b) the parties' allocation between themselves of liability for compensation owed to a data subject as required by Clause 12 of the SCCs; or (c) any liability that the SCCs prohibit from being limited. For any claim governed by the SCCs, the liability regime of the SCCs controls over the Agreement's liability provisions to the extent of any conflict.
17. Term and General
This DPA takes effect on the effective date of the Agreement and continues until the Agreement terminates or expires and Karta has completed its deletion and return obligations under Section 10. This DPA is governed by, and construed in accordance with, the governing law and venue of the Agreement, except where the SCCs or Applicable Data Protection Law require otherwise. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force, and the invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its intent.
Notices to Karta under this DPA are given to privacy@karta.sh or to LifeSage LLC, 600 1st Ave Ste 102, PMB 2132, Seattle, WA 98104, USA; notices to Customer are given to the contact and method specified in the Agreement.
Any provision that by its nature should survive termination survives, including Sections 4 (confidentiality), 10 (return and deletion, and audit of deletion), 11 (audit, as to the surviving obligations), 13, 16 (liability), 17, the Customer indemnities in Sections 3 and 14, and the international-transfer terms in Section 12 for so long as Karta retains Customer Personal Data.
Schedule 1 - Processing Details
List of parties (SCC Annex I.A). The data importer is LifeSage LLC (operating as Karta), 600 1st Ave Ste 102, PMB 2132, Seattle, WA 98104, USA; data-protection contact: privacy@karta.sh; role: processor (Module Two) or subprocessor (Module Three). The data exporter is the Customer identified in the Agreement (and any controller on whose behalf Customer acts); its contact, and any data protection officer or Article 27 representative, are as set out in the Agreement or provided to Karta on request; role: controller or processor.
| Item | Description |
|---|---|
| Subject matter | Provision of Karta's managed agent productization platform. |
| Duration | Term of the Agreement plus deletion/return period and lawful retention. |
| Nature and purpose | Hosting, executing, routing, storing, securing, supporting, metering, and debugging Customer Agents and end-user sessions. |
| Data subjects | Customer's end users and individuals whose personal data is included in Customer Content. |
| Categories of data | Prompts, messages, files, transcripts, Outputs, tool I/O, workspace state, session identifiers, routing metadata, and data determined by Customer. |
| Special categories | Not intended; prohibited unless Karta separately agrees in writing. No additional safeguards apply because special-category data is not contemplated. |
| Frequency of transfer | Continuous, for the duration of the Agreement, as determined by Customer's configuration and use of the Services. |
| Locations | Control plane (accounts, organizations, billing, audit log, primary Postgres) hosted by Hetzner Online GmbH in the United States (Hillsboro, Oregon); data plane (agent session compute, S3 workspace/merge store, RDS session/transcript database) on AWS in us-east-1, United States. |
| Competent supervisory authority | Determined under Clause 13 of the SCCs by reference to the data exporter's place of establishment or appointed representative; where the data exporter is established outside the EEA and has no representative, the supervisory authority of Ireland. |
Schedule 2 - Technical and Organizational Measures
The measures described in Section 5 are Karta's binding technical and organizational measures for purposes of GDPR Article 32 and SCC Annex II. Karta will maintain measures providing a level of protection appropriate to the risk, and any replacement measures will be no less protective overall. Measures include encryption, access control, MFA/passkeys, scoped keys, microVM/session isolation, tenant partitioning, audit logs, vulnerability management, backup/recovery, and subprocessor risk management.
Schedule 3 - Subprocessors
The authoritative, current list is the Sub-processor List published by Karta. As of the date above it comprises:
| Subprocessor | Location | Processing activity | Privacy contact |
|---|---|---|---|
| Stripe | United States | Payments and subscription billing | privacy@stripe.com |
| Anthropic | United States | LLM inference for Karta-managed (non-BYOK) requests | privacy@anthropic.com |
| Hetzner Online GmbH | United States | Control-plane hosting and primary Postgres | data-protection@hetzner.com |
| AWS | United States (us-east-1) | Data-plane agent session compute, S3 workspace/merge store, and RDS session/transcript database | aws-privacy@amazon.com |
| Postmark | United States | Transactional email | privacy@postmarkapp.com |
| Sentry | United States | Application error monitoring and performance telemetry | privacy@sentry.io |
BYOK Model Providers selected by Customer are not Karta Subprocessors for BYOK traffic and are not listed here.