Data Upload and Data-Partner Addendum

Last Updated: 30 March 2026

This Data Upload and Data-Partner Addendum (the “Addendum”) forms part of the Kapsule Terminal Terms of Service and applies to any Customer, data partner, uploader, or other party that submits datasets, files, records, prompts, exports, or other content to the Services.

If a separate signed enterprise agreement applies and conflicts with this Addendum, the signed enterprise agreement controls to the extent of the conflict.

1. Permitted data types

Unless Kapsule expressly agrees otherwise in writing, uploads should be limited to:

  • de-identified datasets;
  • aggregated information;
  • business contact and account information required to operate the Services;
  • operational, administrative, or configuration data;
  • other data categories that Kapsule has expressly approved for the relevant use case.

2. De-identification expectations

Uploaded datasets should be de-identified before submission unless Kapsule has expressly approved another arrangement in writing under signed enterprise terms.

For this Addendum, “de-identified” means data that has been processed so that individuals are not identified or reasonably identifiable, taking into account applicable law and reasonably available means of re-identification.

You must not attempt to re-identify de-identified data, whether inside or outside the Services.

3. Default ban or restriction on identifiable data

3.1 Self-serve customers

Self-serve customers must not upload identifiable personal data through the Services, including identifiable patient data, protected health information, or other identifiable health data.

3.2 Enterprise customers and approved data partners

Enterprise customers and approved data partners may upload identifiable personal, patient, or health data only where:

  • the upload is expressly authorized in signed enterprise documentation;
  • Kapsule has approved that category of data and use case in writing; and
  • any additional security, privacy, operational, or contractual conditions required by Kapsule are satisfied.

Kapsule may condition, narrow, suspend, or withdraw any approval if legal, operational, product, or risk circumstances change.

4. Intake screening, quarantine, remediation, and deletion rights

If prohibited, identifiable, malformed, or otherwise restricted data is uploaded, whether intentionally or accidentally, Kapsule may:

  • reject the upload;
  • quarantine the data;
  • restrict access;
  • suspend related features or workflows;
  • notify the uploader or Customer;
  • sanitize or de-identify the data;
  • require resubmission in an approved format;
  • return the data where appropriate; or
  • delete the data.

Kapsule may implement screening or review measures, but those measures do not transfer legal responsibility for the upload away from the uploader or Customer.

5. Customer and data-partner representations and warranties

Each uploader, Customer, and data partner represents and warrants that:

  • it has all rights, permissions, notices, consents, and lawful bases needed to provide the uploaded data to Kapsule;
  • the upload and Kapsule’s processing of it as contemplated by the Services will not violate applicable law, contract, duty of confidence, or third-party rights;
  • any required approvals for restricted or identifiable data have been obtained before submission;
  • it will not use the Services to attempt re-identification or otherwise defeat privacy controls;
  • it will cooperate promptly with Kapsule in correcting, remediating, or removing problematic uploads.

These obligations are in addition to, and do not limit, any indemnity or compliance obligations under the Terms or any separate agreement.

6. Regional transfer and privacy obligations

The uploader and Customer are responsible for ensuring that the collection, upload, disclosure, and transfer of data to Kapsule comply with applicable law in the originating jurisdiction.

Where required by law or contract, the parties will enter into additional privacy or transfer documentation, which may include a data processing addendum, Standard Contractual Clauses, a UK Addendum, an IDTA, or comparable lawful safeguards.

Nothing in this Addendum obligates Kapsule to accept identifiable or restricted data unless Kapsule has expressly approved that use in writing.

7. Retention and deletion rules

Uploaded data may be retained until deletion, contract end, expiration of the configured retention period, or another agreed retention point, subject to:

  • legal holds;
  • audit and recordkeeping needs;
  • security, fraud-prevention, and backup needs;
  • separate enterprise agreement terms.

Residual copies may remain in backups for a limited period until overwritten or deleted in the ordinary course.

Kapsule may retain de-identified, aggregated, or statistical information that does not identify any person or Customer.

8. Incident cooperation

You must promptly notify Kapsule if you become aware of a known or suspected issue involving uploaded data that may affect legality, confidentiality, security, or accuracy.

You agree to cooperate promptly and reasonably with requests relating to:

  • privacy reviews;
  • data subject requests;
  • regulator or legal inquiries;
  • incident investigation and containment;
  • remediation, deletion, or correction of problematic uploads;
  • verification of upload permissions and approvals.

9. Contact details

For questions about upload approvals, enterprise data use, or this Addendum, contact:

Kapsule Ltd
Kemp House, 124 City Road, London, EC1V 2NX, UK
General: info@kapsuletech.com
Legal: legal@kapsuletech.com
Privacy: privacy@kapsuletech.com