Capitalised terms used in this Addendum and not otherwise defined have the meaning given in the PDPL and its PDPL Implementing Regulations. For the avoidance of doubt:

• Customer Data means the text submitted by Customer to the KINDI masking API, together with the corresponding placeholdered output and the encrypted envelope returned in response.
• Customer Personal Data means Customer Data, where and to the extent that the submitted text contains personal data as defined by the PDPL.
• Sensitive Personal Data has the meaning given in the PDPL: data revealing racial or ethnic origin; religious, intellectual, or political belief; criminal convictions; biometric or genetic data for identification; health data; or data indicating that one or both of an individual’s parents are unknown.
• Sub-processor means a third party engaged by KINDI to assist in the provision of the service and that, in doing so, has access to Customer Personal Data.

Customer is the Data Controller of Customer Personal Data. KINDI (provisional)(“KINDI”) is the Data Processorof that data, acting on Customer’s behalf. Each party is independently responsible for compliance with the obligations the PDPL places on its respective role.

This Addendum forms part of the Terms of Service between the parties. To the extent of any conflict between this Addendum and the Terms in respect of the processing of Customer Personal Data, this Addendum prevails.

Subject-matter. The detection of personal data in text submitted by Customer, the replacement of detected spans with deterministic placeholders, and the return of the placeholdered text together with an encrypted envelope containing the mapping.

Duration. The processing of any given item of Customer Personal Data is performed for the duration of the corresponding API request only. KINDI retains no copy of Customer Personal Data, the placeholder mapping, or the encrypted envelope after the response has been transmitted. This Addendum continues to apply for the life of the agreement and survives termination to the extent necessary to give effect to the obligations in § XIV.

Nature of processing. Automated detection, replacement, and symmetric encryption. KINDI does not train models on Customer Personal Data and does not use Customer Personal Data for any purpose other than providing the service requested by Customer.

Categories of data subjects.Whichever categories appear in the text Customer submits. KINDI does not, and cannot, restrict the categories of data subject whose data may be processed; that is determined by Customer’s own use of the service.

KINDI will process Customer Personal Data only on Customer’s documented instructions. The Terms of Service, this Addendum, and any API request Customer submits constitute Customer’s documented instructions for the processing they describe. KINDI will inform Customer if, in its opinion, an instruction infringes the PDPL, and may refuse to act on that instruction.

KINDI ensures that any of its personnel authorised to process Customer Personal Data are bound by a written confidentiality obligation that survives the end of their engagement with KINDI. Access to production systems is granted only on a least-privilege basis, recorded in an access-review log, and revoked promptly on role change or departure.

KINDI maintains technical and organisational measures designed to align with the Essential Cybersecurity Controls, the Cloud Cybersecurity Controls, and the Data Cybersecurity Controls issued by the National Cybersecurity Authority. These measures include, at a minimum:

• Encryption of the placeholder-to-original mapping under a key derived from the requesting API key, such that KINDI itself cannot decrypt the mapping after issuing it.
• Encryption in transit (TLS 1.2 or later) for every connection that carries Customer Personal Data.
• Encryption at rest for all persistent storage backing the service.
• Pseudonymisation of identifiers in operational logs; exclusion of request text, response text, and bearer tokens from logs at INFO level or above.
• Network segmentation, role-based access control, centralised audit logging, and multi-factor authentication for administrative access.
• Regular vulnerability scanning, dependency-audit gates in the CI pipeline, and an incident-response process owned by named individuals.

The current state of these measures is published at kindi.me/security and is updated as the measures evolve.

Customer grants KINDI a general authorisation to engage Sub-processors, subject to the conditions in this section. KINDI’s current Sub-processors are listed at kindi.me/legal/subprocessors. That list is the authoritative record of authorised Sub-processors and is updated as the list changes.

KINDI will (i) impose on each Sub-processor written terms that are no less protective than this Addendum, (ii) remain responsible to Customer for the performance of each Sub-processor’s obligations, and (iii) give Customer at least 14 daysnotice before adding or replacing a Sub-processor. Customer’s right of objection is stated on the Subprocessor List page.

KINDI will, taking into account the nature of the processing, assist Customer with appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising the rights granted by Article 4 of the PDPL, including the rights of access, rectification, and erasure.

Because KINDI does not retain Customer Personal Data after the round-trip of a request, KINDI is generally not in a position to fulfil access, rectification, or erasure requests directly: there is nothing in KINDI’s storage to access, correct, or erase. KINDI will, on written request from Customer, confirm this position in writing for the benefit of the relevant data subject or the supervisory authority.

KINDI will notify Customer in writing of any confirmed Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of confirmation. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects, consistent with Article 24 of the PDPL Implementing Regulations.

The notification is provided to enable Customer, as Controller, to meet its own obligation to notify the SDAIA breach-notification service within the 72-hour window set by the PDPL Implementing Regulations and, where applicable, to notify affected data subjects without undue delay. KINDI will cooperate reasonably with Customer in meeting that obligation.

By default, KINDI processes Customer Personal Data inside the Kingdom of Saudi Arabia and does not transfer it outside the Kingdom in the course of providing the masking service. Where a Sub-processor listed in § VII operates outside the Kingdom for a function ancillary to the masking itself (for example, transactional email), KINDI applies the safeguards required by the Transfer Regulation, including, as appropriate, Saudi standard contractual clauses for the relevant Controller-to-Processor or Processor-to-Processor relationship, and a Transfer Risk Assessment under Article 7 of the same regulation.

For the avoidance of doubt: where Customer instructs its own client to send the masked text returned by KINDI to a frontier language model outside the Kingdom, that onward transfer is performed by Customer, not by KINDI. Customer remains the Controller for that transfer and is responsible for the corresponding safeguards.

KINDI maintains an internal record of its processing activities sufficient to demonstrate compliance with this Addendum and the PDPL. On reasonable written request, and subject to confidentiality, KINDI will provide Customer with the information from that record necessary for Customer to satisfy its own Record-of-Processing-Activities obligation as Controller.

On reasonable written request, no more than once per twelve-month period save in response to a confirmed breach, KINDI will make available to Customer (or to an independent auditor mandated by Customer and bound by equivalent confidentiality obligations) the information necessary to demonstrate compliance with this Addendum. KINDI may satisfy this obligation by providing the most recent third-party attestation it holds, where the attestation addresses the relevant controls. Audit activities will be conducted during normal business hours, with reasonable advance notice, and in a manner that does not unreasonably interfere with KINDI’s operations.

Where Customer submits Sensitive Personal Data, including health data, Customer represents that it has (i) a lawful basis for the processing under the PDPL, (ii) obtained any explicit consent required, and (iii) applied any additional safeguards expected by the PDPL Implementing Regulations for Sensitive Personal Data, including the access-control minimisation expected of health data.

KINDI applies enhanced access controls to systems that process Sensitive Personal Data: a smaller authorised set, a shorter session lifetime, and additional logging. Because KINDI retains no Sensitive Personal Data after the round-trip of a request, the practical exposure of Sensitive Personal Data within KINDI’s estate is limited to the in-memory lifetime of a single request.

On termination of the agreement, KINDI will, at Customer’s choice, return or delete all Customer Personal Data in its possession, save to the extent that applicable law requires KINDI to retain a copy. Because KINDI does not retain Customer Personal Data in the ordinary course of providing the service, this obligation is generally limited to closing Customer’s account and revoking outstanding API keys, with the corresponding invalidation of every encrypted envelope previously issued under those keys.

The limitations and exclusions of liability stated in the Terms of Service apply equally to the parties’ obligations under this Addendum, save to the extent that applicable law prohibits a contractual limitation of liability for the relevant breach.

This Addendum is governed by the laws and regulations of the Kingdom of Saudi Arabia, including the PDPL and its PDPL Implementing Regulations. The competent courts of Riyadh have exclusive jurisdiction over any dispute arising out of or in connection with this Addendum.