Kitchen Toolkit documentation
Kitchen Toolkit — Standard Transfer Addendum / SCC Packet (Template)
docs/legal/transfer-addendum-scc.md
# Kitchen Toolkit — Standard Transfer Addendum / SCC Packet (Template) _Last updated: 2026-03-22_ [source: docs/legal/transfer-addendum-scc.md] - This template is the standard transfer packet Kitchen Toolkit can hand to procurement/privacy teams before customer-specific redlines. It is not a signed transfer mechanism by itself; it is the repo-backed election schedule and annex set that should travel with the applicable official SCC/addendum text and the standard DPA template. [source: docs/legal/data-processing-addendum.md][source: docs/legal/data-processing-requests.md] - The repository proves the current hosted routing only to the extent documented in the Privacy Notice, Subprocessor Schedule, and Security & Infrastructure Statement: Vercel hosting, Upstash default KV in AWS `us-east-1`, GitHub-backed content/source workflows, Stripe billing, optional customer-chosen messaging/integration providers, and optional `/help` AI-provider processing. [source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md] ## TL;DR - Default role assumption: controller-to-processor for most customer engagements, with processor-to-processor only when the customer is itself acting as processor for the submitted data. [source: docs/legal/terms-of-service.md][source: docs/legal/data-processing-addendum.md] - Default annex references: use the Subprocessor Schedule for Annex I/III provider lists and the Security & Infrastructure Statement for Annex II measures. [source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md] - Customer-specific inputs still required: legal entity names, exporter/importer contacts, governing-law/forum requirements for the chosen SCC set, and any feature/provider restrictions outside the published stack. [source: docs/legal/data-processing-requests.md][source: pilot-order-form.md] ## Election schedule | Packet item | Standard position / default text | | --- | --- | | Exporter | Customer legal entity named in the signed order form or subscription paperwork. | | Importer | Kitchen Toolkit contracting entity / operator identified in the order form or legal paperwork. | | Default transfer path | Hosted service processing in Canada/United States through Vercel, Upstash (AWS `us-east-1` by default), GitHub, Stripe, and any enabled optional support/help providers. | | Standard module assumption | Controller-to-processor by default; switch to processor-to-processor only when the customer contract states that the customer is itself a processor/service provider for the relevant data. | | Technical/organizational measures annex | Incorporate the Security & Infrastructure Statement and any customer-approved supplemental questionnaire answers. | | Subprocessor annex | Incorporate the published Subprocessor Schedule plus any customer-approved service restrictions noted in the signed paperwork. | | Return/deletion reference | Incorporate the Data Export & Deletion Policy, retention policy, and any customer-specific retention override agreed in writing. | [source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md][source: docs/legal/data-export-deletion-policy.md][source: docs/reference/retention-policy.md][source: pilot-order-form.md] ## Standard supplemental statements - If the customer enables `/help`, prompts, attachment metadata/content, and short-lived support-image URLs may flow through the configured AI provider stack and Upstash-backed support storage as disclosed in the Privacy Notice. If the customer disallows that path, the customer should disable or avoid `/help` attachments in the deployment paperwork. [source: docs/legal/privacy-notice.md][source: pages/help.jsx][source: pages/api/support-bot.js] - If the customer points telemetry to a customer-managed KV endpoint, that endpoint sits outside Kitchen Toolkit's default hosted-stack region statement and should be documented as a customer-managed provider in the signed packet. [source: lib/tenant/env.js][source: pages/admin/settings.js][source: docs/reference/data-and-privacy.md] - The public docs already say KT does not maintain separate backups of tenant KV data. Any customer requirement for backup/restore, alternate residency, or dedicated-region controls therefore needs an explicit signed exception rather than an assumption based on the standard hosted docs. [source: docs/reference/data-and-privacy.md][source: docs/legal/data-export-deletion-policy.md] ## Customer input checklist 1. Confirm the customer legal entity and the Kitchen Toolkit contracting party. [source: pilot-order-form.md] 2. Confirm whether the customer is acting as controller/business or as processor/service provider for the relevant data. [source: docs/legal/data-processing-addendum.md] 3. Confirm whether `/help`, Stripe billing, customer-managed SMTP/webhooks, or customer-managed KV are in scope, because those choices affect the provider list and transfer description. [source: docs/legal/subprocessor-schedule.md][source: lib/tenant/env.js][source: lib/billing/stripe.js][source: pages/api/support-bot.js] 4. Record any required provider exclusions, governing-law/forum requirements, or local transfer addendum language in the signed packet. [source: docs/legal/data-processing-requests.md] ## Last verified - Last verified: 2026-03-22 while aligning the transfer packet to the current Privacy Notice, Subprocessor Schedule, security statement, and customer-configurable provider paths. [source: docs/legal/privacy-notice.md][source: docs/legal/subprocessor-schedule.md][source: docs/legal/security-and-infrastructure.md][source: lib/tenant/env.js][source: pages/api/support-bot.js]