Legal

Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (DPA) forms part of the agreement between Klaro Digital and the customer ('Controller') for the processing of personal data under GDPR.

Roles

The customer acts as the Controller. Klaro Digital acts as the Processor for the personal data the customer puts into the platform.

Subject and duration

Klaro Digital processes personal data only to provide the services described in our Terms — AI registry management, risk scoring, monitoring, and reporting. Processing lasts for the duration of the subscription plus 30 days for data export.

Categories of data

  • Account identifiers (email, role).
  • AI tool metadata configured by the customer.
  • AI usage telemetry collected by the AI Monitor module.

Sub-processors

We use a limited number of vetted sub-processors (managed database hosting, email delivery, payment processing). A current list is available on request.

Security

Data is encrypted in transit (TLS), encrypted at rest, and protected by row-level security so each customer can only see their own data. Access is logged and limited to staff who need it.

Data location

Customer data is stored in the European Union. International transfers, if any, are governed by Standard Contractual Clauses.

Breach notification

We notify affected customers without undue delay — and within 72 hours — of becoming aware of a personal data breach.

Customer rights

We assist controllers in responding to data subject requests (access, correction, deletion, portability) and in completing DPIAs where relevant.

Signature

This DPA is incorporated into the Terms of Service by reference. Customers requiring a counter-signed copy can request one at privacy@klarodigital.com.