Confidentiality and Privacy Commitments (DPA)

Dear Customer,

Valencia (Spain), 01/05/2024

Kumori has maintained its firm commitment to confidentiality, security and respect for privacy since its incorporation and is firmly committed to complying with the regulations that affect it, its activities and services, in order to provide a quality, secure and reliable service to its clients. 

The General Data Protection Regulation (GDPR) established a new framework of principles, rights and obligations for companies in the area of privacy, in the processing of the data of the natural persons with whom they relate, and represented an important change in the regulatory framework for the protection of personal data. The GDPR is the standard of reference and of direct application in privacy matters in Spain.

The Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) adapted the national legal system to the European framework and establishes complementary rules aligned with the GDPR.

Privacy is a strategic objective for Kumori, so we continuously take the necessary actions to keep up to date with the regulatory frameworks and requirements that affect us and guidelines from the competent authorities.

The GDPR requires, among other things, the formalisation in writing of certain privacy commitments between data controllers (client) and processors (service providers with access to personal data under the responsibility of the client), which we have recently updated.

Therefore, in order to facilitate compliance with these new obligations, we make available to you our essential commitments to our customers.

We have tried to avoid legal jargon as much as possible, but if you have any questions or concerns, please contact us at privacy@, where we will be happy to assist you and clarify any issues.

Best regards,

Carlos Garcia
CEO Kumori

Confidentiality and privacy commitments

FIRST. Kumori is a company specialising in the design, development and deployment of business technology solutions. Kumori markets the cloud platform services called Axebow® (hereinafter, indistinctly, “Axebow” or “the Services”) in PaaS (platform as a service) mode, to meet the needs of its customers at all times in a scalable manner.

SECOND: The Customer has subscribed to Axebow (hereinafter referred to as “the Customer”) to make the above platform services available on demand by subscription.


THIRD. Kumori does not provide personal data management and processing services on behalf of the client, although the provision of the services indicated, depending on the modality, may entail the processing of the client’s data due its hosting in an inherent or circumstantial manner, in order to be able to provide the services contracted in the modality in question and carry out the tasks entrusted by the client.

FOURTH: Without prejudice to the terms and conditions of the services contracted by the client, this document regulates the authorisation of Kumori (in such cases, “data processor”) to process the client’s personal data (“data controller”) on behalf of the client, as necessary within the framework of the services contracted in order to provide them properly, diligently and professionally. 

FIFTH. This document is formalised in order to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and their free movement (General Data Protection Regulation or GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights, which define the confidentiality and privacy commitments to be formalised in the processing of data within the framework of the aforementioned services.

SIXTH. The data and information to which Kumori has access or processes within the framework of the services contracted by the client shall be processed solely and exclusively by the client, to which Kumori shall only have access and, where appropriate, process as “data processor” when necessary for the provision of the services and execution of the tasks entrusted by the client, as indicated below.

SEVENTH. The data that may be processed by Kumori for its hosting on the platform by the client within the framework of the contracted services, if applicable, may refer to the company, its administrators, representatives and, if applicable, depending on the type, its employees, clients, suppliers and users, and may include identifying data such as name, surname, address, telephone or e-mail, as well as academic, employment, professional, commercial, economic data and, if applicable, data relating to personal circumstances required by law or for the fulfilment of public duties or legitimate interests of the client and/or the interested party. They may also include data and technical information on equipment, devices and systems. In any case, Kumori does not monitor or control the data hosted by the customer.

EIGHTH. Kumori shall only access and process (hosting on the platform) personal data for which the customer is responsible if such access or processing is necessary to provide the services requested by the customer or inherent in them, to carry out the tasks and formalities entrusted by the customer in the context of the services contracted by the customer and to fulfil the commitments made, and exclusively for this purpose and in accordance with the customer’s requests and instructions. This may include tasks such as recording, storing, structuring, retaining, copying or destroying.

NINTH: The customer is informed and accepts that the services of Internet connection, access and use of platforms and computer applications hosted on external remote servers, connection with external servers and databases, and downloads and telephone/electronic communications inevitably entail automated technical operations and procedures of interconnection, transit and storage, as well as communications, transfers and interconnections with third parties, especially with platforms, networks and operators, which is informed and consented to by the customer. Access to and availability of the Services entails the use of a cloud infrastructure hosted by specialised providers.

The customer is informed that the cloud services associated with the deployment, availability and use of the Axebow platform under online PaaS modality, in particular, the cloud infrastructure services, are by OVH HISPANO, S.L. (OVH), domiciled in Madrid (Spain), calle Alcalá, n°21, 5th floor, a provider specialised in cloud infrastructure services, which holds ISO/IEC 27001:2017 information security certification for the provision of such service, and which has its registered office, operations and infrastructure in the EU. Kumori has the required data processor contract with such provider. Kumori may contract these or other specialised resources or services that it needs to provide in order to provide the services contracted by the client, with other suppliers in the future, especially in the event of new needs, for the appropriate management or improvement of the services, or for reasons of optimisation of resources, economic, commercial or legal reasons. Any change in the aforementioned suppliers shall be duly communicated to the client, and the client’s authorisation shall not be necessary. Kumori undertakes to ensure that the aforementioned services are provided at all times by suppliers whose processing infrastructure is located in the EU or in countries with an officially recognised equivalent level of protection.

TENTH. Without prejudice to the Register of Processing Activities to be kept by the client, Kumori shall keep a register of all categories of processing activities carried out on behalf of the client in those cases where this is mandatory in accordance with the provisions of Article 30.2 of the GDPR.


ELEVENTH. When the purpose of the services contracted or the processing of the client’s personal data by Kumori is necessary or inherent to the same, Kumori undertakes, in particular, to the following:

1) To use the personal data to which it has access during the provision of the service solely and exclusively to fulfil its contractual obligations to the customer and to provide the services entrusted to it in accordance with the customer’s orders and instructions;

2) Not to apply or use personal information for any purpose other than that intended for the development and execution of the contract and provision of the service;

3) Not to communicate or transfer under any circumstances to third parties the personal data to which it has access, not even for conservation purposes, except in the cases provided for in the client’s orders, in the terms and conditions of the services, in this document, in the cases expressly requested and formally authorised by the client or in the cases provided for in the legislation in force;

4) To apply the security measures legally required of it as the party responsible, as well as those contracted by the client depending on its orders and services requested especially as the party responsible for the processing of the data, both technical and organisational, aimed at guaranteeing the confidentiality, availability and integrity of the data, avoiding its alteration, loss, processing or unauthorised access. The client is responsible for knowing and complying with the regulatory requirements that may be applicable depending on the use that may be made of the Services, the processing foreseen and the risks related to the same that must be adequately managed, and must provide the necessary solutions and resources for this purpose, whether in-house or external, contracting, where appropriate, the specific options that may be required for this purpose. The articulation of certain technical security measures in solutions, applications and services may entail additional costs for the customer depending on its requirements and orders, the contracting of which shall be the responsibility of the customer.

5) To make available to the client the information necessary to demonstrate compliance with the commitments contained in this document when required to do so by the client. Notwithstanding the foregoing, Kumori undertakes to cooperate in the performance of audits by the client or auditor authorised by the same for this purpose, with respect for confidentiality, privacy and other rights that may be held by Kumori or third parties related to the same.

6) Collaborate with the Client in carrying out risk assessments and impact analyses where appropriate.

7) Communicate to the Client the identity and contact details of its Data Protection Officer (DPO), in the event that it is legally obliged to appoint one in accordance with the legislation in force.

8) To process the data on servers, whether our own or those of third parties, located in the EU or in countries with an assimilated level of protection, unless expressly and formally authorised otherwise by the customer.

TWELFTH. Access to and processing of data by Kumori will be extended during the provision of the services requested by the client that require it.

THIRTEENTH. Kumori shall keep the due confidentiality and duty of secrecy regarding the personal data to which it has access or processes on behalf of the Client during the provision of its services, undertaking to adopt the necessary measures, both with regard to its employees and professionals and to third parties who may have any relationship with the provision of its services, to ensure compliance with the provisions of these terms and conditions, and shall guarantee that they are aware of and assume this commitment to compliance expressly and in writing.

FOURTEENTH. The confidentiality commitments shall survive the termination of the contractual relationship and services with Kumori.

FIFTEENTH. If Kumori uses the data for any other purpose or uses them in breach of the provisions of this document, it shall be considered for all purposes as the data controller, and shall be personally liable for any infringements it may have incurred. However, Kumori shall not incur any liability when the data is communicated to a third party in the context of the software functionalities used by the Client, in the provision of the contracted services or tasks entrusted to it, because it is inherent to the same, because it is requested by the Client, because it is necessary to properly carry out the procedures and formalities requested by the Client, to comply with its contractual and professional obligations or to provide its services.

SIXTEENTH. Kumori may not subcontract the processing entrusted to it by the client to a third party, except in the cases reported in this document or in other documents, or in any other case for which it has obtained prior specific or general authorisation to do so from the client. Kumori shall require its suppliers related to the services to comply with the security measures legally required of them.


SEVENTEENTH. Once the subscription/activation period of the services contracted by the client has ended or once these have been terminated in advance for any reason, Kumori will proceed to destroy the information and documents stored by the client by means of appropriate technical procedures, for which reason it is recommended that the client makes a backup copy of the same beforehand in order to safeguard all information considered to be of interest to the client. Data shall not be deleted when there is a legal provision that requires it to be kept. Both the client and Kumori may keep strictly that information received and/or produced within the framework of their relations that is legally obligatory or required to be kept in order to meet or respond to any contractual obligation or responsibility according to the Law, and only that which is necessary and obligatory to keep for the time strictly necessary, which must be blocked and subject to the confidentiality and security obligations established in this document and in the legislation in force.


EIGHTEENTH. The rights of any person interested in the data for which the customer is responsible, including the rights of access, rectification, erasure, portability, limitation of processing or opposition, shall be exercised by the interested parties before the customer himself as responsible, by written request addressed to him at the address below or at any other address that he may have designated for that purpose, unless otherwise indicated by the same, in accordance with the provisions of the RGPD. However, Kumori may assist the customer in responding to the request to exercise any of the aforementioned rights, in those aspects that may be related to the processing carried out by Kumori within the framework of the services provided, depending on the nature of the processing, the right exercised by the data subject and the processing concerned.

NINETEENTH. Kumori shall notify the client, as soon as possible and in any case within a maximum period of 72 hours from its knowledge, of any possible security breaches of its personal data that it may suffer, unless it is unlikely that these involve a risk to the rights and freedoms of the persons affected, in accordance with the provisions of the legislation in force.  

TWENTY. The customer is informed and consents that telephone or electronic conversations with Kumori’s technical assistance and support service may be recorded in the future in order to improve the quality of its services and the security of their provision. However, prior to any recording, the customer will be informed of this.


TWENTY-FIRST. The client is informed that the data provided to Kumori to activate the Services, whether provided directly by the client or by a partner or distributor, are necessary to formalise their subscription to and activation of the Services and will be processed by Kumori for this purpose and to provide and execute the services requested, this being the main legal basis for their processing, together with our legitimate interest. The data will be processed during the period of subscription and activation of the services, and will be deleted once they have been completed, with the exception of those data that it is legally necessary to keep in order to meet any obligation or responsibility. The customer may exercise the legally recognised rights with respect to their personal data that may be processed within the framework of the services, among others, the rights of access, rectification and, where appropriate, deletion, limitation of processing, portability or opposition, by means of a request to Kumori. The request must state your name, surname, address and the request you are making. All of the above is without prejudice to your rights to make any claim in defence of your rights and interests before the Spanish Data Protection Agency.

TWENTY-SECOND: Subscription to our services implies full and unreserved acceptance of their terms and conditions and, in particular, of these confidentiality and privacy conditions, which constitute our commitments in this matter to our clients.

Further information

Operational headquarters

Kumori Systems, S.L.

VAT B98684624

Avenida de Menéndez y Pelayo, 5

46010 Valencia (Spain)

Mail contact

Support mail

Mail privacy