Data protection Q&A

Specifically for DPOs, procurement and governors.

The questions we get repeatedly from data-protection reviewers, in plain English. If your DPO needs to share this with governors or trustees, this page is designed to be linkable.

Is askKira a data controller or a data processor?

It depends. For individuals signing up directly to a personal Founder OS instance, askKira is the data controller in respect of the founder's account. For users provisioned by an organisation, the organisation is the data controller and askKira is the data processor, acting on documented instructions per UK GDPR Article 28.

What is the lawful basis for processing?

Legitimate interest for B2B operations (with balancing test documented). Contract performance for paid customers. Legal obligation for the audit log under Article 32 (security of processing).

How is personal data minimised?

(1) Foundation model calls anonymise user identifiers before sending. (2) Agents only persist the minimum fields required to track outreach state. (3) Once a contact is added to the do-not-contact list, agents refuse to recontact and historical drafts to that contact are not regenerated.

Is data anonymised in any form?

User identifiers (founder email, name) are removed from prompts sent to foundation models. Internal storage retains identifiers because the founder needs to know who they're emailing. Audit log records security events with IP but not request bodies.

How is data shared with third parties?

Only with the explicit sub-processors listed in the Privacy Policy, each bound by UK GDPR equivalent terms. No data sale, no analytics resale, no marketing partner sharing.

Where are international transfers?

Primary hosting is UK (AWS eu-west-2). Anthropic and Brave Search are accessed via API endpoints that may route through US infrastructure; transfers are protected by Standard Contractual Clauses or UK equivalents.

What are the retention periods?

Project state and contacts: retained while the account is active, deleted on closure. Audit log: 90 days then rotated. Backups: 30 days encrypted then overwritten. Do-not-contact list: retained indefinitely (we cannot honour opt-out without remembering it). Statutory records: held for the legally required period.

Who owns IP submitted to the platform?
"There is no transfer of intellectual property when content is submitted to askKira. The original author or organisation retains full rights over any content submitted."

The interaction is "akin to a teacher reading a piece of work" — askKira processes the content to provide the service but acquires no rights over it.

How are deletion rights honoured?

Self-serve: delete an agent, or delete your whole account. The agent's directory and every file under it is wiped immediately. The do-not-contact list survives deletion (we cannot honour opt-out without remembering it). For complete removal of audit-log references too, email dpo@askkira.com.

How are breaches handled?

Detection through automated monitoring of access logs, sub-processor incident feeds, and internal review. Notification within 72 hours of discovery to affected data controllers per UK GDPR Article 33. Where individuals are directly affected, they are notified without undue delay.

How are safeguarding disclosures handled?

askKira may be under a legal obligation to disclose information to relevant authorities where there is risk of danger to self or others, or where required by law. This applies particularly to the askKira education platform; Founder OS itself is a personal cockpit and the obligation rarely engages.

What cyber security standards apply?

Built to ISO 27001 information security principles. Cyber Essentials certified. Penetration testing on the askKira platform. UK Government Data & AI Ethics Framework alignment. See the Security & Infrastructure Statement for technical details.

What insurance is in place?

Public Liability £2,000,000. Professional Indemnity £2,000,000. Employers' Liability £10,000,000. Certificates available on request for procurement and compliance teams. See Insurance Cover Summary.

What is the cookie position?

Founder OS uses only strictly-necessary cookies — a session cookie (signed) and the CSRF token (stored inside the session). No analytics, no advertising, no behavioural tracking. See Cookie Policy.

Is the platform accessible?

Founder OS targets WCAG 2.1 AA in its public-facing pages (privacy hub, login, FAQ, policies). The internal dashboard is a working cockpit for the founder and is not yet WCAG-audited; this is on the roadmap.

Can a signed DPA be provided?

Yes. Email compliance@askkira.com. Signed copies are typically returned within five working days.