Kenfigure™ is a YAML spec to define Benchling configurations
This DPA forms part of, and is incorporated by reference into, the Kenfigure Subscription Terms between Go2 Software LLC (“Provider,” “Processor”) and the customer named on the Order Form (“Customer,” “Controller”). If it conflicts with the Subscription Terms on data-protection matters, this DPA controls.
A defining feature of the Service is that it operates on Benchling configuration schema — the structure of a deployment — not on scientific, research, clinical, sample, or patient data. The Service is neither designed for nor intended to process special categories of personal data, and Customer agrees not to use it to do so.
The only personal data the Service processes is limited business contact and account information about Customer’s authorized users — names, business email addresses, company affiliation, role, and Benchling tenant identifiers — for the purpose of providing the Service. Customer is the controller of this personal data; Provider is the processor.
| Subject matter | Provision of the Kenfigure Pro™ Service |
| Duration | The subscription term, plus any wind-down period |
| Nature and purpose | Hosting and processing configuration data and account information to provide Kenfigure Tool™ (Export/Import) and Kenfigure Diagram™ features and related support |
| Personal data | Authorized users’ names, business emails, company, role, tenant identifiers |
| Data subjects | Customer’s authorized users and administrators |
Provider will process personal data only on Customer’s documented instructions, including those in the Agreement and this DPA, and as required by applicable law (in which case Provider will inform Customer unless legally prohibited). Provider will promptly tell Customer if, in its opinion, an instruction infringes applicable data-protection law.
Provider ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
Provider maintains reasonable technical and organizational measures designed to protect personal data, as summarized in the Kenfigure Security & Data Handling Overview, including access controls, multi-factor authentication for administrative access, encryption in transit, and least-privilege access.
Provider will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer’s personal data, and will provide information reasonably available to help Customer meet its own notification obligations.
Customer authorizes Provider to engage subprocessors to support the Service. Current subprocessors are:
Provider imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA, and remains responsible for their performance. Provider will give Customer notice of any intended new subprocessor and a reasonable opportunity to object on reasonable data-protection grounds.
Where Provider processes personal data subject to EU or UK data-protection law and transfers it to the United States or another country, the parties will rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
Taking into account the nature of the processing, Provider will provide reasonable assistance to help Customer respond to data-subject requests and to meet Customer’s obligations regarding security, breach notification, and data-protection impact assessments. Provider will forward to Customer any data-subject request it receives directly that relates to Customer’s data.
Provider will make available information reasonably necessary to demonstrate compliance with this DPA, including responses to a reasonable security questionnaire and relevant documentation, no more than once per year and subject to confidentiality.
On termination of the subscription, Provider will delete or return Customer’s personal data within a reasonable period, except where retention is required by law. Configuration data copies held by the Service are transient and are removed when the subscription ends.
To the extent the California Consumer Privacy Act applies, Provider acts as a “service provider” and will not sell or share personal information, and will not retain, use, or disclose it except as necessary to provide the Service or as permitted by law.
Each party’s liability under this DPA is subject to the limitation of liability in the Subscription Terms.