Legal / Data Protection
GDPR and Data Protection at KaizenFlow
This page explains how KaizenFlow approaches the EU General Data Protection Regulation and the UK GDPR. It is a plain-language overview of our data-protection posture, not legal advice. A signed data-processing addendum is available on request, and it governs the specifics for your account.
What this statement covers
KaizenFlow is a manufacturing intelligence platform. It connects on top of the systems your plant already runs, including MES, SCADA, ERP, and historians, reads operational data, and returns ranked improvement opportunities. Most of what we process is machine and process telemetry, not personal data. Where personal data is involved, it is usually limited to the named users who log in to the platform.
For the personal data of your workforce or customers that may pass through your source systems, you act as the data controller and KaizenFlow acts as a data processor. We process that data only to deliver the service you have asked for, under the written instructions in our agreement.
This is an overview written for operations, engineering, and finance leaders evaluating the platform. It is not legal advice and it does not replace our contractual terms. The signed data-processing addendum (DPA), available on request, is the document that governs data protection for your account.
How we protect EU and UK data
Manufacturing software data protection starts with keeping data confidential in transit and at rest. KaizenFlow encrypts data in transit with TLS 1.3 and at rest with AES-256. Connector credentials for your MES, SCADA, ERP, and historian systems are encrypted and are never written to logs in plaintext.
- Multi-tenant isolation: every query is scoped by tenant ID, so one organization's data is never reachable by another.
- Least-privilege access: role-based access control and audit logging keep every recommendation and action attributable to a user.
- Data minimization: we ingest the operational signals needed to model your lines and avoid collecting personal data we do not need.
- Cookieless analytics: our marketing site uses Plausible, which sets no personal-data cookies and does not track visitors across sites.
Our controls are aligned to the SOC 2 and ISO 27001 frameworks. We are design-partner stage and do not claim formal certification against them. The security overview describes tenant isolation, encryption, and access control in more detail.
Data-processing addendum and subprocessors
A data-processing addendum is available on request. It sets out the roles of controller and processor, the categories of data and data subjects, the purpose and duration of processing, the security measures in place, subprocessor terms, and how we handle deletion and return of data at the end of the agreement.
We keep the list of subprocessors short and disclosed. GDPR-relevant analysis may use vetted AI model providers under contractual data-protection obligations. We do not sell your data and we do not use it to train third-party models. AI output is advisory, and final decisions stay with your team. The current subprocessor list lives in our privacy policy, and we give notice before adding a new subprocessor that processes personal data.
Data-subject rights
GDPR gives individuals rights over their personal data. Because KaizenFlow usually acts as a processor, a request from one of your employees or customers is normally handled by you as the controller, and we support you in responding. Where we are the controller, for example for the account details of your platform users, you can exercise these rights directly with us.
- Access: confirmation of whether we process personal data about you, and a copy of it.
- Rectification: correction of inaccurate or incomplete personal data.
- Erasure: deletion of personal data where there is no lawful reason to keep it.
- Restriction and objection: limiting or objecting to certain processing.
- Portability: receiving your data in a structured, machine-readable format.
We aim to acknowledge requests promptly and to respond within the statutory time frame. We may need to verify identity before acting on a request so that we do not disclose data to the wrong person.
International transfers and retention
Where personal data is transferred outside the EU or the UK, we rely on recognized safeguards such as the Standard Contractual Clauses and the UK addendum, and we describe the specifics in the DPA. Enterprise deployments can support data-residency requirements and private isolation where your policies call for it.
We retain data only as long as needed to provide the service. Operational metrics follow your organization settings, and on termination your data is deleted within a defined window after an export period. Retention specifics are covered in the security overview and the DPA.
How to make a request or reach us
For a DPA, a subprocessor list, a security brief, or any data-protection question, email [email protected] or use the contact page. Tell us your organization and the nature of the request so we can route it to the right owner.
For suspected security issues, email [email protected]. We acknowledge reports promptly and will not pursue good-faith researchers who follow coordinated disclosure.
Frequently asked
Does KaizenFlow offer a data-processing addendum (DPA)? Yes. A DPA is available on request and governs data protection for your account. It covers controller and processor roles, security measures, subprocessors, international transfers, and deletion or return of data at the end of the agreement.
Is KaizenFlow GDPR certified? GDPR does not offer a formal product certification. We align our controls to GDPR requirements and to the SOC 2 and ISO 27001 frameworks. As a design-partner-stage company, we do not claim formal certification against those frameworks.
What data does KaizenFlow actually process? Primarily machine and process telemetry from your MES, SCADA, ERP, and historian systems, plus limited account data for the named users who log in. We practice data minimization and do not collect personal data we do not need.
How do individuals exercise data-subject rights? Because we usually act as a processor, requests from your employees or customers are handled by you as the controller, with our support. For personal data where we are the controller, email [email protected] and we will verify identity before acting.
Data protection
Ask for our DPA and security brief
Tell us about your environment and we will share the data-processing addendum, the current subprocessor list, and a security overview for your review.