Kanary Standard MSA & DPA
Kanaries Inc Master Service Agreement
Kanaries Inc. d/b/a Kanary ("Kanary") is pleased to provide you ("You" or "Client") with the technology & support described below. This Agreement ("Agreement") confirms our understanding of the terms and objectives of our engagement and the nature and limitations of the technology & support we will provide to You. The engagement will be governed by the terms of this Agreement, which is effective as of the date You accept it (whether by signing an order form, executing a separate agreement that incorporates these terms by reference, or by using the Solutions).
Scope
Kanary will provide their product and customer support for the benefit of Client and Client's employees, directors, and fellows (each a "member"), which covers monitoring & removals from covered data brokers, social media sites, and search engines.
Kanary Application Features
Fast set up; minimum data required is name, email, birth date, city, and state.
Support across names, emails, phone #s, addresses, usernames.
Automatic scans of site list every 30 days, configurable to daily/weekly.
Automatic removal requests and rescans to verify data removal on a cadence between 5-20 days depending on the site and their removal or escalation process.
Monthly reports on exposures & removal progress sent to each member via email.
Suggest new sites that are not yet covered by Kanary through the software.
Access to the Kanary mobile app, a first-of-its-kind app that makes reviewing and escalating issues transparent, secure, and fast.
Kanary Administrator Portal
Administrators have access to a portal at no extra cost that allows them to invite team members, terminate inactive accounts, and understand the overall exposure of the organization. To access, the Client needs to appoint a member/multiple members of their staff or a partner organization to be the Administrator. Kanary is not able to staff someone to do this on your behalf.
Send an email invite by entering the name and email of their team member.
Terminate an account with 1 click.
Request invoices and receipts.
Dashboard for reviewing total number of exposures, removal, and members.
Monthly email updates on overall organization progress.
Set up SSO. For SSO clients, onboarding and offboarding can be automated.
Invoicing
Both monthly and annual accounts renew automatically unless terminated. Pricing may be subject to change as Kanary improves the service. A written notification about price changes will be sent at least 30 days in advance of the effective date of any such pricing change(s). A standard 8% increase in yearly subscription price may be applied each year on renewal. This covers internal and external costs likely to increase, and standard to the cybersecurity industry. Internally, this may include but is not limited to updates to core automation technology, new features, and new integrations. Externally this may include adaptation to existing bad actors, R&D to cover new bad actors, and changes in regulations. For the avoidance of doubt, Client reserves the right to immediately terminate the Agreement in the event of any increase in the pricing for services provided hereunder.
Organizations may be required to include a credit card on their organization's profile for billing.
Payment and invoicing are flexible. You can pay up front for your team and take advantage of scheduling an onboarding session with Kanary support to make sure folks complete the 5-minute setup. Accounts in the invited state will automatically get friendly reminder emails to activate their account every 2 weeks. Our team is always available for questions about setup via email, live chat, or during a live onboarding session. Regardless of the payment and invoicing option that is selected by Client, an invoice and/or receipts of purchased subscriptions will be available for download through the Administrator Portal. For the monthly service, Kanary does not support sending invoices manually.
Family members can be added to a subscription at 50% off the price of a yearly subscription. These can be covered by the individual on the plan or by an organization. Any decision to add family members to an account will be charged or invoiced in the same manner as the Client's other subscriptions.
Advanced add-ons
Kanary's Advanced tier comes with optional add-ons like authorized agent registration, address confidentiality program enrollment, decoy information setup, scan/removal cadence increases (daily, weekly, monthly), and dedicated support. These are scoped and invoiced either up front as a store of credits to be used as needed, or invoiced separately for individuals who need the additional support, based on their threat model. Certain Advanced add-ons will not be available to individuals depending on location and threat profile. Pricing for any Advanced add-ons will be communicated to Client in writing in advance of any billing for such add-ons. Advanced add-ons will be invoiced to Client.
Refunds
Refunds are not possible after the first 30 days after signing the Agreement, due to the intensity of initial removal work for new members. Accounts cannot be swapped across new members of the organization due to the personalized nature of the service. For example, if employee B is on an annual plan and leaves after 3 months, a new employee A cannot fill the remaining 9 months of employee B's plan. Employee A must onboard with a new Kanary account.
Customer Support & Onboarding
Our team is available via email and live chat to support our members. Enterprise members with urgent or escalating threats take priority across our support team. Our standard response time is within 24-48 hours M-F. In certain cases, we make ourselves available to support members after hours or on weekends, but that is not a guaranteed service or an on-call arrangement. For dedicated support and incident response SLAs, please ask the team about Kanary's removal escalation add-on.
We also offer tutorials, FAQs, and blog posts on our website, YouTube, and social media so folks can get answers or learn more about us anytime.
For team onboarding, we offer a 30 minute video intro session with your administrators and any employees onboarding onto Kanary. With clients who set up onboarding sessions, we see the best activation. Accounts take about 10 minutes to set up and scans and removals should be running after 15 minutes, and the remaining time is used for Q&A.
Client Responsibilities
The personal nature of privacy protection can occasionally require assistance from Kanary's clients. When additional identification or verification is required to remove information, You acknowledge that our ability to meet the terms of this agreement relies on your responsiveness & willingness to support our requests for additional information. Any such requests shall be reasonable and necessary and limited to Kanary's provision of the services described in this Agreement.
You also acknowledge that some personal data exposures will not be able to be removed. In these cases, we will inform the affected member through the product interface and/or in writing of the reason(s) precluding removal and work with your team to resolve privacy & security risks caused by data exposures.
Personal Data Management
The scanning and removal request process requires Kanary to share information about individuals with sites. A website or databroker may request a name, email, phone number or address to verify a removal request. In every case, Kanary only sends information that was confirmed to be exposed or on the site. This careful matching process makes sure members are not worsening their exposure by sharing unnecessary data with untrustworthy sites.
For example, if you search yourself on phonelookup.com, and you only see a phone number exposed, you should not send them your full address, even if they ask for it. Poor removal operations can lead to individuals accidentally leaking personal data to risky sites. We've written about this on our blog.
Data Privacy & Retention
Kanary's terms of service and privacy & security policies apply to all individual and enterprise agreements. When our service is no longer used by a member or team, we delete all personal data shared by our client or collected during the monitoring process.
Kanary collects and retains metadata on our system's performance and if a site is in compliance with privacy law and data removal requests.
Except for the limited purpose of providing our scanning and removal services as described in the "Personal Data Management" section above, Kanary never sells, shares or discloses personal information of your employees or other individuals. Throughout the term of this Agreement, Kanary will be and remain in compliance with NIST CSF 2.0.
Data Privacy & Security Policy
Throughout the term of this agreement, Kanary will maintain data privacy and security practices that are at least as protective as the latest public version of its data privacy and security policy at https://www.kanary.com/privacy-and-security or a successor web page. In no event will Kanary reduce or discontinue any of the protections described below with regard to collecting and tracking activity, storing data, protecting data, retaining data, and communicating with you.
Storing data
All data is stored in a separate access-controlled database within Amazon Web Services (AWS) data centers. AWS data centers' operations have been accredited under ISO 27001, SOC 1 and SOC 2. We only store the information we need to complete removals. We create and maintain access requirements internally to limit data access to only the Kanary analysts responsible for reviewing the quality of your results or escalating issues. Once you decide you no longer need Kanary, we delete all of your information.
Protecting data
All data written to disk is automatically encrypted at rest. All database connections require SSL encryption. We rely on Django standards for protecting passwords - the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. Two-factor authentication (2FA) and SSO for Apple, Google, Okta, EntraID and others is available for all accounts as an added layer of security.
Retaining data
We keep application logs for 1 week before they are deleted. Your account data is used to increase the accuracy of scans and removal requests over time. If you choose to leave Kanary, we delete your account data immediately. If you delete pieces of information while using Kanary, that data will be deleted across our system and no longer referenced for removals.
Communication with you
We use email to communicate with you to discuss complex removals. We also require members to verify that they have access to phone numbers and emails before removal. We do this through a phone call, text, and email verification as a safety measure. We use ProtonMail's encrypted email service or another encrypted service to ensure the encrypted messages our members send us stay encrypted. We may use unencrypted channels like Gmail only for less sensitive communications.
Data about websites
We built Kanary to remove personal data from unwanted sites. We need to hold websites accountable if they do not respond to privacy and data removal requests. To do this, we collect statistics about which sites are responsive and which sites are not. We occasionally share the aggregated statistics about site responsiveness with privacy researchers, advocates, and regulators.
Indemnification
Each of Client and Kanary agree to indemnify, defend, and hold harmless the other, non-indemnifying party and any of its respective partners, principals, shareholders, officers, directors, members, employees, fellows, agents or assigns ("Indemnified Parties") with respect to any and all claims arising from this engagement, regardless of the nature of the claim, and including the negligence of any party, excepting claims arising from the negligence, willful misconduct or intentional acts of any of the non-Indemnifying Parties.
Transfer of Service
An account can be updated to an individual account if a member desires to keep the account after leaving the organization. Individuals will need to select their desired plan and provide a new form of payment to continue using their account.
Logo & Name Use
During the Term of Agreement, Client grants to Kanary a limited, non-transferable, non-exclusive, royalty-free license to use Client's corporate name, logo, and trademarks for the purpose of identifying Client as a customer of Kanary. This may include, but is not limited to, website display, press releases, collateral, and sales proposals.
Term of Agreement
Service and application access can be renewed after one year, as determined by the admin. This agreement may be subject to change to cover changes to product, pricing, or other operations. Service may also conclude upon written notification by either party that the engagement is terminated. Either party may terminate this agreement at any time for any reason or no reason by giving the other party at least 30 days' prior written notice.
If Client and Kanary agree to and sign additional Agreements (Contractor Agreement, Statement of Work, Alternate MSA, etc.), and there are any conflicts or inconsistencies between the agreements, the client-specific agreements shall control. To the extent not inconsistent with those agreements, this Agreement shall supplement them with respect to service-level terms and operational details. No amendment to the additional Agreements shall be effective unless made in a writing signed by both Parties expressly referencing the applicable provision.
This Agreement shall be governed by the laws of Delaware, without regard to conflict of law principles.
Kanaries Inc Data Processing Addendum
This Data Processing Addendum ("DPA") is entered into between Kanaries Inc and Client pursuant to any underlying agreement between Kanaries Inc and Client for the provision of Solutions that references and incorporates this DPA (referred to herein in the singular, "Agreement"). This DPA sets out Kanaries Inc's obligations with respect to the Processing of Client Data pursuant to the Agreement.
Compliance with Laws; Compliance Program. Kanaries Inc shall, at all times, comply with all Applicable Laws when Processing Client Data, including the portions of those Applicable Laws governing Processors. Kanaries Inc represents, warrants, and covenants that it will conduct regular risk assessments and implement and maintain a comprehensive data protection program (governing data privacy and data security) to meet its obligations under Applicable Laws and this DPA, and mitigate any threats or risks identified by Client.
Role & Cooperation. With respect to the Processing of Client Data, the parties agree that: (a) Client is the Controller, and Kanaries Inc is the Processor; (b) the details of the processing activities by Kanaries Inc are outlined in the Agreement; and (c) Kanaries Inc shall: (i) inform Client if an instruction violates any Applicable Laws; (ii) provide assistance and relevant information for Client to meet its legal obligations; and (iii) stop processing and inform Client if it cannot meet any obligation under the Agreement (including this DPA) or Applicable Law.
Obligations of Kanaries Inc
Limitations on Processing. Kanaries Inc shall Process Client Data only in strict accordance with Client's written instructions, including those expressly set forth in the Agreement.
Specific Prohibitions. Without limiting the generality of the foregoing, and unless Kanaries Inc has obtained prior express written consent from Client, Kanaries Inc shall not: (a) retain, use, exploit, Sell, disclose, or otherwise Process Client Data, whether or not anonymized, for any other purpose; (b) attempt to or actually re-identify (or re-associate to a Data Subject) any anonymized, de-identified, or pseudonymized data.
Direct Collection of Data. If, pursuant to the Agreement, Kanaries Inc collects Personal Data directly from or generates Personal Data about a Data Subject(s), Kanaries Inc shall: (a) only collect or generate the minimum amount and types of Personal Data necessary to provide its Solutions; and (b) obtain and record, and make available if requested, all necessary consents from and/or provide all necessary notices to such Data Subject(s) as required by Applicable Laws to enable Kanaries Inc to lawfully, fairly, and transparently Process such Personal Data.
Personnel. Kanaries Inc shall ensure it and its personnel (including staff, agents, and Subprocessors) who handle Client Data are subject to a duty of confidentiality and treat Client Data as the proprietary and confidential information of Client in accordance with Kanaries Inc's obligations in the Agreement (including this DPA).
Security. Kanaries Inc shall implement and maintain all appropriate physical, technical, and organisational safeguards to: (a) ensure the security and confidentiality of Data and the systems used to Process it; (b) protect against any threats or hazards to the security or integrity of Data and systems used to Process it; and (c) protect Data against unauthorized destruction, loss, alteration, use, disclosure, or access.
Access Requests. Kanaries Inc shall promptly provide all information and assistance to enable Client to fulfill a Data Subject Rights Request related to Kanaries Inc's Processing of Client Data, including to effectuate any Data Subject Rights Request passed from Client to Kanaries Inc. If Kanaries Inc receives a Data Subject Rights Request directly from a Data Subject or a request, correspondence, inquiry, or complaint from law enforcement or another governmental agency related to Client Data, it will promptly refer the same to Client (to the extent permissible) for handling, and Kanaries Inc shall not directly respond to the Data Subject or law enforcement or another governmental agency (unless legally required to do so) without prior written approval from Client.
Deletion and Retention. Throughout the course of the Agreement, Kanaries Inc shall retain each Client dataset only for the minimum period necessary for Kanaries Inc to provide its Solutions; and, thereafter, securely return or delete, at Client's election. Furthermore, upon request and upon the expiration or termination (for any reason) of the Agreement or an applicable Order, Kanaries Inc shall securely return or delete Data in its or its Subprocessors' possession. Kanary may retain a single copy of records such as but not limited to, financial or business records if required by law and agrees to protect and keep private such data for the legal term required.
Subprocessors. Kanaries Inc shall: (a) notify Client before engaging a new Subprocessor; (b) impose data protection terms on any Subprocessor no less protective of Client Data and no less restrictive than the terms of the Agreement (including this DPA); (c) upon request from Client, provide a copy of such data protection terms; and (d) ensure its Subprocessors' compliance with such data protection terms and Applicable Laws, including by auditing or otherwise taking steps in accordance with standard industry practice to confirm such compliance. Client hereby grants consent to the current Subprocessor list, available upon request.
General. All other terms and conditions of the Agreement remain in full force and effect. Unless otherwise agreed in writing in the Agreement, all Client Data is and shall remain the exclusive property of Client. For any inconsistencies between this DPA and the Agreement, this DPA shall prevail as it relates to the Processing of Client Data only, provided that the Agreement will prevail if it expressly identifies the terms of this DPA to be superseded. For any inconsistencies between this DPA and an Applicable Law for a specific jurisdiction, the Applicable Law for that specific jurisdiction shall prevail only as it relates to the Processing activities governed by that specific jurisdiction's Applicable Law.
Incident Response Plan. Kanary must implement and periodically test a formally documented incident management policy that includes:
Clearly defined management and user roles and responsibilities.
Reporting mechanism for incidents and events affecting the security of Client Data, including Personal Data, and process for reporting incidents to Client.
Procedures for assessment of, classification of, and response to, Security Incidents.
Procedures for notification to relevant authorities as required by Applicable Law, within the timeframes specified by the law or in the Agreement.
Procedures for forensic investigation and evidence preservation.
A process for incident and resolution analysis designed to prevent the same, or similar, incidents from happening again.
Maintaining a security incident tracking system that documents and describes relevant information for each Security Incident affecting Client Data throughout its life cycle, such as incident type, details, whether there was a data breach, the data affected, remediation actions taken, etc.
Timely informing Client of the measures taken or proposed to mitigate, contain, remediate, and fully investigate the Security Incident and provide a detailed report.
Reporting Incidents. Client, Kanary Staff, or third party researchers may report incidents to our support, sales, and leadership email addresses, through internal channels, or through the anonymous reporting form. These reports are distributed to management and follow an escalation procedure outlined in Kanary's SOC2 documentation.
Business Continuity and Disaster Recovery. Kanary will conduct an annual test and review of Business Continuity and Disaster Recovery (BC/DR) plans to validate the ability to restore availability and access to Client Data in a timely manner, in the event of a physical or technical incident that results in loss or corruption.
Definitions & Interpretations
"Applicable Law" means any law or regulation, including any data privacy and cybersecurity law, to the extent applicable to a party's Processing of Client Data. Applicable Law includes applicable data privacy and cybersecurity law of the jurisdiction where Kanaries Inc's Processing activities actually occur.
"Controller" (also referred to as "Business" or "Operator" under certain Applicable Laws) means the natural person or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
"Data Subject" (also referred to as "Consumer" under certain Applicable Laws) means the natural person to whom the Personal Data pertains.
"Data Subject Rights Request" means a request from a Data Subject to exercise a right afforded to them under an Applicable Law with respect to the control or use of, or disclosures relating to, their Personal Data (including the right to access, correct, delete, or require an entity to stop the Processing of their Personal Data).
"Personal Data" (also referred to as "Personal Information" or "Personally Identifiable Information" under certain Applicable Laws) means any information relating to an identified or identifiable natural person, in which an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Personal Data includes information that could reasonably be linked, directly or indirectly, or inferred with a particular individual or household.
"Process" means any operation or set of operations performed upon data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, Transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
"Processor" (also referred to as "Service Provider" or "Entrusted Party" under certain Applicable Laws) means the natural person or legal entity, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
"Security Incident" means, collectively: (a) the reasonably suspected or actual unauthorized access, use, disclosure, modification, loss, or destruction of Client Data, whether originating with Kanaries Inc, its affiliate, or its Subprocessor; (b) any breach of Applicable Laws by Kanary or any of its Subprocessors as it relates to data protection (including data security and privacy); or (c) any breach of this DPA. For clarity, a Security Incident includes, but is not limited to: a 'personal data breach' as that term is defined under GDPR; 'breach of system security' (or analogous term) under U.S. state data breach notification laws; or similar terms under Applicable Laws.
"Sell" or "Selling" means selling, renting, releasing, disclosing, disseminating, making available, Transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject's Personal Data to another party for monetary or other valuable consideration.
"Sensitive Personal Data" is a subset of Personal Data and means any Personal Data that requires additional or enhanced protection under Applicable Laws as a result of its sensitive nature. Examples of Sensitive Personal Data include 'special categories of data' under the General Data Protection Regulation ("GDPR"), 'protected health information' under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 'biometric information' under the Illinois Biometric Information Privacy Act ("BIPA"), and government-issued identification numbers (such as U.S. Social Security numbers or other national insurance or identification numbers, driver's license numbers, and passport numbers).
"Solutions" means the technology and support services provided by Kanary as described in the Agreement.
"Subprocessor" means any subcontractor, including an affiliate of Kanary, providing products or services where such subcontractor Processes any Client Data.
Interpretation. Unless otherwise defined in this DPA, any capitalized terms used have the meanings ascribed to them in the Agreement. The words "include", "includes", and "including" as used herein shall not be construed to be limiting, but instead be deemed to be followed by the words "without limitation". The section headings in this DPA are for convenience only and shall not be used for interpretive purposes. The word "or" as used herein is not exclusive and is deemed to have the meaning "and/or". References in this DPA to any agreement, instrument, or other document mean such agreement, instrument, or other document as amended, supplemented, and modified from time to time to the extent permitted by the Agreement. No provision, uncertainty or ambiguity in or with respect to this DPA shall be construed or resolved against any party hereto, whether under any rule of construction or otherwise. On the contrary, this DPA has been reviewed by each of the parties hereto and shall be construed and interpreted according to the ordinary meaning of the words used so as to fairly accomplish the purposes and intentions of the parties.
By signing an order form, executing a separate agreement that incorporates these terms, or otherwise indicating Your acceptance, You agree to the foregoing Agreement and DPA.
Last updated: 2026-05-05