Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the agreement between Klaro Digital and the customer ('Controller') for the processing of personal data under GDPR.
Roles
The customer acts as the Controller. Klaro Digital acts as the Processor for the personal data the customer puts into the platform.
Subject and duration
Klaro Digital processes personal data only to provide the services described in our Terms — AI registry management, risk scoring, monitoring, and reporting. Processing lasts for the duration of the subscription plus 30 days for data export.
Categories of data
- Account identifiers (email, role).
- AI tool metadata configured by the customer.
- AI usage telemetry collected by the AI Monitor module.
Sub-processors
We use a limited number of vetted sub-processors (managed database hosting, email delivery, payment processing). A current list is available on request.
Security
Data is encrypted in transit (TLS), encrypted at rest, and protected by row-level security so each customer can only see their own data. Access is logged and limited to staff who need it.
Data location
Customer data is stored in the European Union. International transfers, if any, are governed by Standard Contractual Clauses.
Breach notification
We notify affected customers without undue delay — and within 72 hours — of becoming aware of a personal data breach.
Customer rights
We assist controllers in responding to data subject requests (access, correction, deletion, portability) and in completing DPIAs where relevant.
Signature
This DPA is incorporated into the Terms of Service by reference. Customers requiring a counter-signed copy can request one at privacy@klarodigital.com.