Last updated May 17, 2026
kippie.AI | Operated by Aeterna LLC
Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service ("Agreement") entered into by and between Aeterna LLC, a South Carolina Limited Liability Company ("Data Processor"), and the entity utilizing the kippie.AI system ("Data Controller").
This DPA governs the processing of all Customer Personal Data and confidential enterprise financial documents uploaded, processed, or generated through the kippie.AI platform.
1. Definitions and Jurisdictional Framework
- "Customer Personal Data" means any personal or proprietary business data, including corporate credit card statements, financial transaction rows, project tracking associations, and receipt image files uploaded into the platform by the Data Controller.
- "Data Controller" means the customer, institution, or entity that determines the legal purposes and procedural means of the data processing tasks.
- "Data Processor" means Aeterna LLC, which manipulates, maps, and processes data strictly on behalf of and according to the technical configurations established by the Data Controller.
- "Subprocessor" means any third-party infrastructure entity engaged by Aeterna LLC to execute core computational or storage utilities, including Vercel, Supabase, Stripe, and the Google Gemini API.
2. Scope and Instructions of Processing
The Data Processor agrees to manipulate Customer Personal Data strictly in accordance with documented instructions provided by the Data Controller, including systemic execution of the automated expense reconciliation pipeline. The Data Processor shall not sell, retain, use, or disclose Customer Personal Data for any secondary purpose outside the explicit functional scope of the Agreement.
3. Technical and Organizational Security Commitments
The Data Processor shall implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental, unauthorized, or unlawful acquisition, destruction, alteration, or exposure.
- Network encryption frameworks: the Data Processor mandates HTTPS enforcement across application routing environments, securing data in transit via Transport Layer Security protocols.
- Storage cryptography: statement files, ledger items, and uploaded receipt images are encrypted at rest using secure cloud storage sectors managed via Supabase.
- Model access constraints: system calls to the Google Gemini API must use isolated API keys, and data routed to AI models must occur under API parameters that restrict use of such files for base foundation model training where available.
4. Subprocessor Authorization
The Data Controller grants general written authorization to the Data Processor to engage the third-party subprocessors specified within our Privacy Policy, including Vercel, Supabase, Stripe, and the Google Gemini API. The Data Processor will seek to ensure that any engaged subprocessor is bound by data protection obligations at least as restrictive as those outlined within this DPA.
5. Data Breach Notification Protocol
In the event of a confirmed, verified security incident resulting in unauthorized access, exfiltration, or compromise of Customer Personal Data stored within production databases or application instances, the Data Processor shall reasonably cooperate with the Data Controller's investigative teams to assist in mitigating potential financial or reputational risks stemming from such security anomalies.
6. Audits, Deletion, and System Return
The Data Processor shall make available to the Data Controller information reasonably required to demonstrate compliance with the technical obligations in this DPA. Upon termination of the Agreement, or upon a direct systemic command from the user interface, the Data Processor shall permanently erase, overwrite, and delete legacy copies of Customer Personal Data from active production environments within 48 hours, unless applicable federal or state laws mandate a prolonged retention window.