Data Processing Agreement

Last updated: March 2025

1. Purpose and Scope

This Data Processing Agreement ("DPA") applies when Kliovo ("Processor") processes personal data on behalf of the Customer ("Controller") in the course of providing services under the Terms of Service. This DPA supplements and forms part of the Terms of Service and sets out the parties' obligations with respect to the protection of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • Data Controller: The entity that determines the purposes and means of processing personal data (the Customer).
  • Data Processor: The entity that processes personal data on behalf of the Data Controller (Kliovo).
  • Data Subject: The identified or identifiable natural person to whom the personal data relates.
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
  • Supervisory Authority: An independent public authority responsible for monitoring the application of data protection laws.

3. Roles and Responsibilities

The Customer acts as the Data Controller and determines the purposes and means of processing personal data. Kliovo acts as the Data Processor and processes personal data solely on the documented instructions of the Customer, unless required to do so by applicable law. In such a case, Kliovo shall inform the Customer of that legal requirement before processing, unless prohibited by law.

4. Processing Details

  • Subject matter: Provision of WhatsApp Business messaging services, including message delivery, automation, and analytics.
  • Duration: For the term of the service agreement between the Customer and Kliovo, plus any applicable data retention period.
  • Nature of processing: Automated processing, storage, retrieval, and transmission of personal data as necessary to provide the services.
  • Categories of data: Contact information (phone numbers, names), message content, usage data, device and browser metadata, and any other personal data submitted by the Customer through the platform.
  • Data subjects: The Customer's end users, contacts, and any individuals whose personal data is submitted to the platform by the Customer.

5. Security Measures

Kliovo implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption: AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
  • Access controls: Role-based access control (RBAC) with multi-factor authentication (MFA) enforced for all personnel with access to personal data.
  • Monitoring and logging: Comprehensive audit logging of all access to and operations on personal data, with real-time monitoring for anomalous activity.
  • Incident response: A documented incident response plan with breach notification to the Customer within 72 hours of becoming aware of a personal data breach.
  • Security assessments: Regular vulnerability assessments and penetration testing conducted by qualified personnel.
  • Employee training: All personnel with access to personal data receive regular training on data protection and information security.

6. Sub-processors

The Customer authorizes Kliovo to engage the following sub-processors for the purpose of delivering the services:

  • Meta Platforms / WhatsApp: Message delivery and WhatsApp Business API infrastructure.
  • Cloud hosting provider: Secure hosting, storage, and compute infrastructure.
  • Payment processor: Processing of subscription payments and billing.

Kliovo will notify the Customer at least 30 days in advance of any intended addition or replacement of sub-processors. The Customer has the right to object to the appointment of a new sub-processor on reasonable grounds. If the Customer objects and Kliovo cannot reasonably accommodate the objection, either party may terminate the affected services.

7. Data Subject Rights

Kliovo will assist the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Kliovo will promptly notify the Customer if it receives a request directly from a data subject and will not respond to such requests independently unless authorized by the Customer. Kliovo will use reasonable efforts to assist the Customer in responding to such requests within 30 days.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, Kliovo ensures that appropriate safeguards are in place. These safeguards include the use of Standard Contractual Clauses (SCCs) adopted by the European Commission, reliance on adequacy decisions where applicable, and any additional measures necessary to ensure an essentially equivalent level of protection for the transferred data.

9. Data Breach Notification

In the event of a personal data breach, Kliovo will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Kliovo will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Audit Rights

The Customer may audit Kliovo's compliance with this DPA once per calendar year, upon reasonable written notice of at least 30 days. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to Kliovo's operations. Kliovo will make available all information necessary to demonstrate compliance and will cooperate with the audit. The Customer may also engage a qualified independent third-party auditor, subject to reasonable confidentiality obligations.

11. Data Return and Deletion

Upon termination or expiry of the service agreement, Kliovo will, at the Customer's election, return all personal data to the Customer in a commonly used, machine-readable format or securely delete all personal data within 30 days. Kliovo will provide written confirmation of deletion upon request. Kliovo may retain personal data to the extent required by applicable law, in which case it will continue to protect such data in accordance with this DPA.

12. Term

This DPA is effective for the duration of the service agreement between the Customer and Kliovo. The obligations of Kliovo under this DPA shall survive termination of the service agreement to the extent necessary to fulfill any data retention obligations or to complete the return or deletion of personal data as described herein.

Contact

For questions about this Data Processing Agreement, please contact us at privacy@kliovo.com.