Compliance · Data subject rights

GDPR, UK-GDPR, CCPA.

Last updated 2026-05-02. Kodori implements the data-subject rights established by GDPR Articles 15-22, the UK-GDPR equivalents, and the CCPA / CPRA at the endpoint level. Rights map directly to Kodori MCP tools and REST endpoints — every fulfilment is recorded on the hash-chained audit log.

Lawful basis

Kodori processes customer-controlled data on the lawful basis of contract (GDPR Art. 6(1)(b)) — the data processing agreement between KumoKodo and the customer workspace. KumoKodo acts as a processor; the customer workspace is the controller. For identity claims received at sign-in (email, name, OAuth sub claim) the basis is legitimate interest (Art. 6(1)(f)) for authentication and access control.

Article-by-article rights mapping

Kodori’s data-subject-rights fulfilment is endpoint-level — every right has a concrete API or UI surface that fulfils it. Tenant admins authorize the request; the platform executes it with full audit-log capture.

Article · Right · Kodori implementation

Art. 15 · Right of access

GET /api/v1/users/me/data-export — JSON export of every record where the requester is the subject (profile, audit-event subject, agent-conversation participant).

Tenant admins can additionally request a full-tenant export via security@kumokodo.ai for SAR fulfilment on behalf of an employee; such requests are answered within 30 days.

Art. 16 · Right to rectification

Document metadata (display name, custodian, sensitivity, classification) is mutable from the document detail UI and via the MCP `setDocumentMetadata` tool. User profile fields are sourced from the SSO provider — corrections happen there and propagate at next sign-in.

Every rectification emits a `document.metadata-changed` event on the hash-chained audit log so the before/after is auditable indefinitely.

Art. 17 · Right to erasure (right to be forgotten)

The `tombstoneDocument` MCP tool marks the document as tombstoned. Hard-purge of bytes from object storage runs at retention-class expiry (default 90 days for non-regulated data). For external-connector content (Slack / Outlook / Gmail / SharePoint / OneDrive / Drive synced data), the typed-confirmation purge on /integrations/[id] permanently deletes every external_messages and external_documents row associated with the connector.

Erasure is suspended for documents on active legal hold per Art. 17(3)(e) — overriding legal obligation. The hold-deny-wins gate enforces this automatically.

Art. 18 · Right to restriction of processing

Per-document sensitivity escalation to the "regulated" tier triggers the same deny-wins gate that legal hold uses — the document refuses delete, refuses retention disposal, and refuses sensitivity downgrade. This effectively pauses processing until the data subject confirms how to proceed.

Tenant admins can also disable agent processing for a specific user via /admin/permissions — the agent-deny rule blocks every consequential MCP tool call by that principal until lifted.
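The hold-deny-wins gate that both the Art. 17 and Art. 18 rows rely on, as an added example in Python that is not Kodori's own code. It models the behaviour the two rows describe: a tombstone defers byte purge to retention-class expiry, a legal hold or the "regulated" tier refuses delete, retention disposal and sensitivity downgrade, and escalation to "regulated" is itself never blocked. The tier names other than "regulated", the action names, the `document.tombstoned` and `document.purge-evaluated` event names, and every field and function name are assumptions; only `document.metadata-changed` and the 90-day default come from the page.

```python
"""Toy model of the hold-deny-wins gate (added example, not Kodori's own code).

Assumptions not taken from the page: the tier names other than "regulated",
the action names, the event names other than document.metadata-changed, and
all field/function names below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TIERS = ["public", "internal", "confidential", "regulated"]  # ascending sensitivity
GATED_ACTIONS = {"delete", "retention-dispose", "sensitivity-downgrade"}


@dataclass
class Document:
    doc_id: str
    sensitivity: str = "internal"
    legal_hold: bool = False
    retention_days: int = 90  # default retention class for non-regulated data
    tombstoned_at: Optional[datetime] = None


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


AUDIT_LOG: List[dict] = []  # stand-in for the hash-chained audit log


def _record(event: str, doc: Document, decision: Decision) -> None:
    AUDIT_LOG.append({"event": event, "doc": doc.doc_id,
                      "allowed": decision.allowed, "reasons": list(decision.reasons)})


def gate(doc: Document, action: str, new_tier: Optional[str] = None) -> Decision:
    """Deny-wins: if any blocking condition applies, a gated action is refused.

    A sensitivity change is only gated when it is a downgrade; escalation
    (including the Art. 18 escalation to "regulated") always passes.
    """
    if action == "set-sensitivity":
        if new_tier not in TIERS:
            return Decision(False, ["unknown sensitivity tier"])
        if TIERS.index(new_tier) >= TIERS.index(doc.sensitivity):
            return Decision(True, ["escalation or no-op is never blocked"])
        action = "sensitivity-downgrade"
    if action not in GATED_ACTIONS:
        return Decision(True, ["not a gated action"])
    reasons = []
    if doc.legal_hold:
        reasons.append("legal hold: Art. 17(3)(e) overriding legal obligation")
    if doc.sensitivity == "regulated":
        reasons.append("regulated tier: Art. 18 restriction of processing")
    return Decision(not reasons, reasons or ["no hold or restriction applies"])


def tombstone(doc: Document, now: datetime) -> Decision:
    """Art. 17: mark the document tombstoned; bytes are purged later at retention expiry."""
    decision = gate(doc, "delete")
    if decision.allowed:
        doc.tombstoned_at = now
    _record("document.tombstoned", doc, decision)  # hypothetical event name
    return decision


def purge_due(doc: Document, now: datetime) -> bool:
    """True only if the tombstone has aged past the retention class and the gate still allows disposal."""
    if doc.tombstoned_at is None:
        return False
    if now < doc.tombstoned_at + timedelta(days=doc.retention_days):
        return False
    decision = gate(doc, "retention-dispose")
    _record("document.purge-evaluated", doc, decision)  # hypothetical event name
    return decision.allowed


def restrict(doc: Document) -> Decision:
    """Art. 18: escalate to regulated, which from then on triggers the deny-wins gate."""
    decision = gate(doc, "set-sensitivity", "regulated")
    if decision.allowed:
        doc.sensitivity = "regulated"
    _record("document.metadata-changed", doc, decision)
    return decision


def scenario() -> Dict[str, bool]:
    """Run the gate through the cases the page describes and return each outcome."""
    t0 = datetime(2026, 5, 2, tzinfo=timezone.utc)
    plain, held, restricted, late_hold = (Document("doc-42"), Document("doc-43", legal_hold=True),
                                          Document("doc-44"), Document("doc-45"))
    out = {}
    out["tombstone_plain"] = tombstone(plain, t0).allowed             # True
    out["purge_day_89"] = purge_due(plain, t0 + timedelta(days=89))   # False: retention not expired
    out["purge_day_90"] = purge_due(plain, t0 + timedelta(days=90))   # True
    out["tombstone_held"] = tombstone(held, t0).allowed               # False: legal hold
    out["restrict"] = restrict(restricted).allowed                    # True: escalation passes
    out["downgrade_restricted"] = gate(restricted, "set-sensitivity", "internal").allowed  # False
    out["delete_restricted"] = gate(restricted, "delete").allowed     # False
    tombstone(late_hold, t0)
    late_hold.legal_hold = True  # hold placed after tombstoning still wins at purge time
    out["purge_after_late_hold"] = purge_due(late_hold, t0 + timedelta(days=90))  # False
    return out


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:28} {allowed}")
```

Because the gate is evaluated again at purge time rather than only at tombstone time, a hold placed during the retention window still blocks disposal, which is the property an auditor will want to see in the `document.purge-evaluated` events.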

Art. 20 · Right to data portability

GET /api/v1/users/me/data-export returns JSON, and a per-conversation Markdown / text export is available at /api/agent/conversations/[id]/export. Document bytes are available via /api/v1/documents/[id]/blob.

Output is structured, machine-readable, and includes the SHA-256 content hash for every blob so the recipient system can verify integrity.
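A recipient-side integrity check of the kind the paragraph above makes possible, as an added example that is not Kodori's own code. The page only states that the export is structured JSON carrying a SHA-256 content hash for every blob; the manifest layout used here (`blobs`, `id`, `sha256`), the field names and the sample bytes are all constructed assumptions. The check reports each blob as verified, mismatched, or missing rather than stopping at the first problem, so a migration can log exactly which documents need to be re-fetched from /api/v1/documents/[id]/blob.

```python
"""Verify SHA-256 content hashes in a portability export (added example, not Kodori's code).

The manifest layout and the blob bytes below are constructed; the page only
says that the export carries a SHA-256 hash per blob.
"""
import hashlib
import hmac
import json
from typing import Dict


def verify_export(export_json: str, blobs: Dict[str, bytes]) -> Dict[str, str]:
    """Return {blob_id: "ok" | "mismatch" | "missing"} for every blob the manifest lists.

    blobs maps blob id -> bytes retrieved by the recipient (e.g. from the blob endpoint).
    """
    manifest = json.loads(export_json)
    results: Dict[str, str] = {}
    for entry in manifest["blobs"]:  # assumed manifest field
        blob_id, expected = entry["id"], entry["sha256"].lower()
        data = blobs.get(blob_id)
        if data is None:
            results[blob_id] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest avoids leaking position-of-first-difference through timing
        results[blob_id] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


# Constructed sample export: "a" is intact, "b" was altered after the hash was
# recorded, "c" is listed in the manifest but was never retrieved.
SAMPLE_EXPORT = json.dumps({
    "subject": "user-123",
    "blobs": [
        {"id": "a", "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
        {"id": "b", "sha256": hashlib.sha256(b"quarterly report v1").hexdigest()},
        {"id": "c", "sha256": hashlib.sha256(b"never fetched").hexdigest()},
    ],
})
SAMPLE_BLOBS = {
    "a": b"hello world",
    "b": b"quarterly report v2",  # tampered relative to the recorded hash
}


def demo() -> Dict[str, str]:
    return verify_export(SAMPLE_EXPORT, SAMPLE_BLOBS)


if __name__ == "__main__":
    for blob_id, status in demo().items():
        print(blob_id, status)
```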

Art. 21 · Right to object

Tenant admins can pause agent processing for any principal via /admin/permissions. Workspace owners can disable specific MCP tool categories via /admin/settings.

Kodori does not engage in automated decision-making with legal effect under Art. 22 — the agent only acts on user-initiated prompts and asks for confirmation before consequential actions.

Art. 22 · Automated decision-making and profiling

Not applicable. Kodori does not make automated decisions producing legal or similarly significant effects on data subjects. The AI agent is operator-supervised and asks for confirmation before any consequential mutation (delete, sensitivity change, retention change, hold change, bulk operations >10).

Auto-classification proposes sensitivity tiers and collection assignments — humans confirm before persistence. The proposal itself is non-binding and does not affect the data subject’s legal status.

Response timelines

  • GDPR / UK-GDPR: 30 days from receipt of the request, extendable by 60 days for complex cases per Art. 12(3).
  • CCPA / CPRA: 45 days from receipt, extendable by 45 days per § 1798.130(a)(2).
  • Acknowledgment: within 1 business day for any request received at privacy@kumokodo.ai.

Other regional frameworks

UK-GDPR (UK Data Protection Act 2018)

Identical operational implementation to GDPR. The UK Information Commissioner’s Office (ICO) is the supervisory authority for UK-resident data subjects. International data transfers from the UK to Kodori’s US-region sub-processors rely on the UK Addendum to the EU Standard Contractual Clauses (Module 2: controller-to-processor) and the UK government’s adequacy regulations.

CCPA / CPRA (California)

California consumers have rights to know, delete, correct, and opt-out under CCPA / CPRA. Kodori is a "service provider" under § 1798.140(j) — we process customer-controlled data only on the documented instructions of the customer (the workspace) and do not "sell" or "share" personal information for cross-context behavioral advertising. CCPA-specific requests route through the same /api/v1/users/me/data-export and tombstone flows as GDPR; the response timeline is 45 days under § 1798.130(a)(2).

PIPEDA (Canada) / LGPD (Brazil) / POPIA (South Africa)

The technical implementation of access / rectification / erasure / portability rights satisfies the data-subject-rights requirements of these frameworks. For commercial customers in these jurisdictions we negotiate the addendum at contract execution.

International data transfers

Kodori’s primary infrastructure runs in US-East. Transfers from the EEA or UK to the US rely on the EU Standard Contractual Clauses (Module 2: controller-to-processor, June 2021) and the UK Addendum. EU-resident sub-processors are available on request (Neon Frankfurt, Cloudflare R2 with EU region, Vercel EU functions); EU-only deployments ship as a per-tenant configuration, not as shared infrastructure.

Data Processing Agreement

Our executable DPA — incorporating the EU SCCs Module 2 and the UK Addendum — is available on request. Email security@kumokodo.ai with your firm name and we respond within one business day with the DPA, the signed sub-processor list (/security/subprocessors), and the CAIQ-LITE questionnaire pre-filled.

Data Protection Officer

KumoKodo has appointed a Data Protection Officer (DPO) for purposes of GDPR Art. 37. Contact: dpo@kumokodo.ai.

Supervisory authority complaints

Data subjects in the EEA, UK, or other GDPR-aligned jurisdictions retain the right to lodge a complaint with the supervisory authority where they reside or work, including the Irish DPC (lead authority for KumoKodo’s representative in the EU on appointment), the UK ICO, or the relevant national authority. A list of EU supervisory authorities is at edpb.europa.eu.

Questions

Email privacy@kumokodo.ai for any data-subject-rights request, or dpo@kumokodo.ai for DPO escalation.