Kitchen Toolkit documentation

Kitchen Toolkit — Standard Transfer Addendum / SCC Packet (Template)

docs/legal/transfer-addendum-scc.md

# Kitchen Toolkit — Standard Transfer Addendum / SCC Packet (Template)

_Last updated: 2026-03-22_ [source: docs/legal/transfer-addendum-scc.md]

- This template is the standard transfer packet Kitchen Toolkit can hand to procurement/privacy teams before customer-specific redlines. It is not a signed transfer mechanism by itself; it is the repo-backed election schedule and annex set that should travel with the applicable official SCC/addendum text and the standard DPA template. [source: docs/legal/data-processing-addendum.md][source: docs/legal/data-processing-requests.md]
- The repository proves the current hosted routing only to the extent documented in the Privacy Notice, Subprocessor Schedule, and Security & Infrastructure Statement: Vercel hosting, Upstash default KV in AWS `us-east-1`, GitHub-backed content/source workflows, Stripe billing, optional customer-chosen messaging/integration providers, and optional `/help` AI-provider processing. [source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md]

## TL;DR

- Default role assumption: controller-to-processor for most customer engagements, with processor-to-processor only when the customer is itself acting as processor for the submitted data. [source: docs/legal/terms-of-service.md][source: docs/legal/data-processing-addendum.md]
- Default annex references: use the Subprocessor Schedule for Annex I/III provider lists and the Security & Infrastructure Statement for Annex II measures. [source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md]
- Customer-specific inputs still required: legal entity names, exporter/importer contacts, governing-law/forum requirements for the chosen SCC set, and any feature/provider restrictions outside the published stack. [source: docs/legal/data-processing-requests.md][source: pilot-order-form.md]

## Election schedule

| Packet item | Standard position / default text |
| --- | --- |
| Exporter | Customer legal entity named in the signed order form or subscription paperwork. |
| Importer | Kitchen Toolkit contracting entity / operator identified in the order form or legal paperwork. |
| Default transfer path | Hosted service processing in Canada/United States through Vercel, Upstash (AWS `us-east-1` by default), GitHub, Stripe, and any enabled optional support/help providers. |
| Standard module assumption | Controller-to-processor by default; switch to processor-to-processor only when the customer contract states that the customer is itself a processor/service provider for the relevant data. |
| Technical/organizational measures annex | Incorporate the Security & Infrastructure Statement and any customer-approved supplemental questionnaire answers. |
| Subprocessor annex | Incorporate the published Subprocessor Schedule plus any customer-approved service restrictions noted in the signed paperwork. |
| Return/deletion reference | Incorporate the Data Export & Deletion Policy, retention policy, and any customer-specific retention override agreed in writing. |

[source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md][source: docs/legal/data-export-deletion-policy.md][source: docs/reference/retention-policy.md][source: pilot-order-form.md]

## Standard supplemental statements

- If the customer enables `/help`, prompts, attachment metadata/content, and short-lived support-image URLs may flow through the configured AI provider stack and Upstash-backed support storage as disclosed in the Privacy Notice. If the customer disallows that path, the customer should disable or avoid `/help` attachments in the deployment paperwork. [source: docs/legal/privacy-notice.md][source: pages/help.jsx][source: pages/api/support-bot.js]
- If the customer points telemetry to a customer-managed KV endpoint, that endpoint sits outside Kitchen Toolkit's default hosted-stack region statement and should be documented as a customer-managed provider in the signed packet. [source: lib/tenant/env.js][source: pages/admin/settings.js][source: docs/reference/data-and-privacy.md]
- The public docs already say KT does not maintain separate backups of tenant KV data. Any customer requirement for backup/restore, alternate residency, or dedicated-region controls therefore needs an explicit signed exception rather than an assumption based on the standard hosted docs. [source: docs/reference/data-and-privacy.md][source: docs/legal/data-export-deletion-policy.md]

## Customer input checklist

1. Confirm the customer legal entity and the Kitchen Toolkit contracting party. [source: pilot-order-form.md]
2. Confirm whether the customer is acting as controller/business or as processor/service provider for the relevant data. [source: docs/legal/data-processing-addendum.md]
3. Confirm whether `/help`, Stripe billing, customer-managed SMTP/webhooks, or customer-managed KV are in scope, because those choices affect the provider list and transfer description. [source: docs/legal/subprocessor-schedule.md][source: lib/tenant/env.js][source: lib/billing/stripe.js][source: pages/api/support-bot.js]
4. Record any required provider exclusions, governing-law/forum requirements, or local transfer addendum language in the signed packet. [source: docs/legal/data-processing-requests.md]

## Last verified

- Last verified: 2026-03-22 while aligning the transfer packet to the current Privacy Notice, Subprocessor Schedule, security statement, and customer-configurable provider paths. [source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md][source: lib/tenant/env.js][source: pages/api/support-bot.js]