1. Home
  2. Legal
  3. Data Processing Addendum
Legal

Data Processing Addendum

This Data Processing Addendum (the "DPA") governs how AIKAY Technologies Pvt Ltd processes personal data on behalf of customers of Capnode, in accordance with the EU General Data Protection Regulation (GDPR) and equivalent data-protection laws.

Last updated: 5 June 2026

This DPA forms part of the agreement (the "Agreement") between the Capnode customer (the "Customer") and AIKAY Technologies Pvt Ltd ("AIKAY", "we", "us"), the provider of the Capnode platform ("Capnode" or the "Service"). It applies whenever AIKAY processes Personal Data on the Customer's behalf in the course of providing the Service. Capnode is an autonomous AI SRE platform: the Customer installs the Capnode agent into their Kubernetes cluster(s), and the agent streams cluster state and events to the Capnode server for triage, diagnosis, and remediation.

1. Introduction & roles

For the purposes of data-protection law, and with respect to the Personal Data described in Annex 1:

  • The Customer is the Controller (or, where the Customer itself acts as a processor for its own customers, a processor) and determines the purposes and means of processing.
  • AIKAY Technologies Pvt Ltd is the Processor and processes Personal Data only on the Customer's documented instructions, as set out in this DPA and the Agreement.

Each party will comply with its respective obligations under applicable data-protection law, including the GDPR for processing within scope of the EEA, the UK GDPR, and the California Consumer Privacy Act (CCPA) where applicable. Where AIKAY processes Personal Data of California residents, it acts as a "service provider" and does not "sell" or "share" Personal Data as those terms are defined under the CCPA.

2. Definitions

Capitalised terms not defined here have the meaning given in the Agreement or in applicable data-protection law.

  • "Personal Data" means any information relating to an identified or identifiable natural person that AIKAY processes on behalf of the Customer under the Agreement.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, structuring, transmission, or deletion.
  • "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by AIKAY to process Personal Data on its behalf in connection with the Service.
  • "Standard Contractual Clauses" (SCCs) means the clauses adopted by the European Commission in Decision (EU) 2021/914 for the transfer of Personal Data to third countries.

3. Scope & processing instructions

AIKAY will process Personal Data only:

  • to provide, maintain, secure, and support the Service in accordance with the Agreement;
  • on the Customer's documented instructions, including those set out in this DPA and configured through the Service (for example, namespace scoping, RBAC roles granted to the Capnode agent, and which remediation actions are permitted to run automatically); and
  • as required by applicable law, in which case AIKAY will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1. If AIKAY believes an instruction infringes data-protection law, it will inform the Customer without undue delay. By design, the Capnode agent is least-privilege and RBAC-scoped, never mutates its own namespace, and risky remediation actions require explicit human approval before execution.

4. Customer obligations

  • The Customer warrants that it has a valid legal basis for the processing instructed under this DPA and that its instructions comply with applicable data-protection law.
  • The Customer is responsible for the accuracy, quality, and legality of the Personal Data it (or its agent) transmits to the Service, and for the configuration choices it makes — including the RBAC scope it grants the agent and the namespaces it brings into scope.
  • The Customer should avoid sending special categories of Personal Data to the Service and should minimise Personal Data in cluster telemetry, logs, and resource metadata wherever practicable.

5. Sub-processors

The Customer provides general written authorisation for AIKAY to engage Sub-processors to support the provision of the Service. AIKAY's current Sub-processors are listed on the Sub-processors page, which forms Annex 3 of this DPA.

  • AIKAY will impose data-protection obligations on each Sub-processor that are substantially the same as those set out in this DPA, by written contract.
  • AIKAY remains fully liable to the Customer for the performance of each Sub-processor's obligations.
  • AIKAY will give the Customer prior notice of any intended addition or replacement of a Sub-processor (via the Sub-processors page or by email). The Customer may object on reasonable, data-protection grounds within thirty (30) days of notice. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.

6. Confidentiality

AIKAY will treat all Personal Data as confidential and will ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and have received data-protection training. Access to Personal Data is limited to those personnel who need it to provide, secure, or support the Service.

7. Security measures

AIKAY implements and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. These measures are described in Annex 2 and include, at a minimum:

  • Encryption in transit. The agent-to-server connection runs over a long-lived, authenticated WebSocket secured with TLS; control-plane and management traffic is encrypted in transit.
  • Access controls. Role-based access control, least-privilege principles, and authentication on all administrative and tenant interfaces.
  • Least-privilege agent. The Capnode agent operates with narrowly scoped Kubernetes RBAC permissions, never mutates its own namespace, and contains its blast radius by design; risky (ALWAYS_APPROVAL) actions require explicit human authorisation.
  • Tenant isolation. Customer data is logically isolated; state is stored in PostgreSQL with tenant-scoped access controls so that one Customer's data is not accessible to another.

8. Data subject requests assistance

Taking into account the nature of the processing, AIKAY will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data-protection law (including access, rectification, erasure, restriction, portability, and objection). If AIKAY receives a request directly from a Data Subject relating to Personal Data processed on the Customer's behalf, it will, without undue delay, forward the request to the Customer and will not respond directly except on the Customer's documented instruction or as required by law.

9. Personal data breach notification

AIKAY will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate it. AIKAY will reasonably cooperate with the Customer in investigating and remediating the breach.

10. Data protection impact assessments

Taking into account the nature of processing and the information available to it, AIKAY will provide reasonable assistance to the Customer with any data protection impact assessments and any prior consultations with Supervisory Authorities that the Customer is required to carry out under applicable data-protection law.

11. International transfers

Where AIKAY processes Personal Data originating in the EEA, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, such transfers are governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed by reference to the details in Annex 1 and Annex 2. For transfers from the United Kingdom, the UK International Data Transfer Addendum applies; for transfers from Switzerland, the SCCs apply with the adaptations required by Swiss law. AIKAY will implement supplementary measures where necessary to ensure an essentially equivalent level of protection.

12. Return & deletion of data

Upon termination or expiry of the Agreement, and at the Customer's choice, AIKAY will delete or return all Personal Data processed on the Customer's behalf and delete existing copies, unless applicable law requires continued storage. Cluster state and telemetry held by the Service for a disconnected or removed agent are cleared from the active stores as part of disconnect cleanup. Deletion of routine operational data is completed within ninety (90) days of termination, subject to backup-rotation cycles after which residual copies are overwritten.

13. Audits

AIKAY will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. To minimise disruption, the Customer will give reasonable prior notice, audits will occur no more than once per twelve-month period (unless required by a Supervisory Authority or following a Personal Data Breach), and the parties will agree the scope and timing in advance. AIKAY may satisfy audit requests by providing relevant third-party certifications or reports where available.

14. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable data-protection law.

15. Order of precedence

In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail with respect to international transfers. The Annexes form an integral part of this DPA.

Annex 1 — Details of processing

Subject matter

Provision of the Capnode autonomous AI SRE platform, including monitoring, incident detection, diagnosis, and human-in-the-loop remediation of the Customer's Kubernetes cluster(s).

Duration

For the term of the Agreement, plus the retention and deletion periods set out in Section 12.

Nature & purpose

Collection and storage of cluster state and event data streamed by the Capnode agent; analysis to detect, diagnose, and remediate cluster issues; right-sizing of workloads; cost optimisation; security-posture scanning; and provision of the conversational AI layer (Aria) for triage. Processing is performed to deliver, secure, and support the Service.

Types of Personal Data

  • Account data — names, business email addresses, and authentication identifiers of Customer personnel who administer or access the Service.
  • Cluster telemetry metadata — Kubernetes resource metadata, workload names, namespaces, labels, annotations, events, and log excerpts that may incidentally contain identifiers if the Customer's own configuration or application logs include them.

Categories of Data Subjects

  • Customer personnel (administrators, engineers, and other authorised users of the Service).
  • End-users or other individuals whose identifiers may appear incidentally in the Customer's cluster telemetry, logs, or resource metadata.

AIKAY does not intentionally collect special categories of Personal Data. The Customer is responsible for minimising Personal Data in the telemetry and logs it transmits to the Service.

Annex 2 — Technical & organisational measures

AIKAY maintains the following measures, reviewed periodically and updated as the state of the art evolves:

  • Encryption. TLS for the agent-to-server WebSocket and for management traffic; encryption of data in transit across the platform.
  • Access management. Role-based access control, least-privilege provisioning, and authentication for administrative and tenant interfaces; access to production Personal Data limited to authorised personnel on a need-to-know basis.
  • Agent containment. The Capnode agent is RBAC-scoped and least-privilege, is hard-blocked from mutating its own namespace, and routes risky actions through human approval (the SAFE_AUTO / ALWAYS_APPROVAL safety tiering).
  • Isolation & segregation. Logical, tenant-scoped isolation of Customer data within PostgreSQL; separation of duties across environments.
  • Resilience & recovery. Backups, monitoring, and disconnect cleanup that clears state for removed or disconnected agents from active stores.
  • Organisational measures. Confidentiality obligations and data-protection awareness for personnel; vendor due-diligence and contractual data-protection terms for Sub-processors; an incident-response process aligned with the breach-notification commitment in Section 9.

Annex 3 — Approved sub-processors

The current list of approved Sub-processors engaged by AIKAY to deliver the Service, including the processing activity and location of each, is maintained on the Capnode Sub-processors page. That list is incorporated into this DPA by reference and may be updated in accordance with the notice and objection process described in Section 5.

Questions about this DPA?

To request a counter-signed copy of this DPA, raise a sub-processor objection, or ask any data-protection question, contact our privacy team at support@capnode.io. AIKAY Technologies Pvt Ltd, India (registered office available on request).