Data Processing Agreement (DPA)

Last Updated: January 04, 2026

Stateless Architecture

KineticMCP operates on a "Bring Your Own Infrastructure" model. Technically, KineticMCP does not "process" your data in the traditional Cloud SaaS sense, as the software resides on your servers. However, this document formally defines the security guarantees of the provided code.

1. Definitions and Roles

For the purposes of GDPR and applicable privacy regulations:

Controller: The Customer who downloads and installs the Software.
Processor: KineticMCP (limited to providing updates and licenses).
Customer Data: Any information processed by the Software instance installed by the Customer.

2. Nature of Processing (Zero-Retention)

The Software is designed to operate in an ephemeral mode:

Transit: Data transits from the volatile memory (RAM) of the Customer's server directly to Third-Party APIs (Salesforce, LLM Providers).
No Remote Storage: KineticMCP does not own, manage, or have access to remote databases containing Customer Data.
Local Logs: Any operational logs are saved locally on the Customer's filesystem and are not sent to KineticMCP, unless explicitly done for technical support.

3. Security Measures

Licensor guarantees that the Software incorporates security measures by design (Privacy by Design):

Exclusive use of HTTPS/TLS 1.3 protocols for all external connections.
Credential management via Environment Variables (.env) and not hard-coded.
No hidden telemetry mechanisms on the content of processed data.

4. Sub-processors

Since the Software is self-hosted, the Customer has direct control over Sub-processors (e.g., OpenAI, Anthropic, Salesforce) by configuring the respective API keys. KineticMCP does not act as a contractual intermediary towards these providers.

5. Audits and Compliance

The Customer has the right to perform security audits on the provided source code (for Enterprise Source-Available licenses) to verify the absence of backdoors or data exfiltration mechanisms.