Data Processing Agreement
Last updated: April 23, 2026
1. Purpose and Scope
This Data Processing Agreement ("DPA") applies when Kliovo ("Processor") processes personal data on behalf of the Customer ("Controller") in the course of providing services under the Terms of Service. This DPA supplements and forms part of the Terms of Service and sets out the parties' obligations with respect to the protection of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- Data Controller: The entity that determines the purposes and means of processing personal data (the Customer).
- Data Processor: The entity that processes personal data on behalf of the Data Controller (Kliovo).
- Data Subject: The identified or identifiable natural person to whom the personal data relates.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
- Supervisory Authority: An independent public authority responsible for monitoring the application of data protection laws.
3. Roles and Responsibilities
The Customer acts as the Data Controller and determines the purposes and means of processing personal data. Kliovo acts as the Data Processor and processes personal data solely on the documented instructions of the Customer, unless required to do so by applicable law. In such a case, Kliovo shall inform the Customer of that legal requirement before processing, unless prohibited by law.
4. Processing Details
- Subject matter: Provision of Kliovo services, including messaging, commerce and order management, automation, reporting, and integrations with third-party platforms and service providers designated by the Customer.
- Duration: For the term of the service agreement between the Customer and Kliovo, plus any applicable retention, security, legal, accounting, or backup period.
- Nature of processing: Collection, storage, organization, retrieval, synchronization, transmission, deletion, and other processing necessary to provide the services.
- Categories of data: Account and administrator information, contact information, customer data, message content, order data, product data, shipment and tracking data, platform identifiers, webhook payloads, usage data, device and browser metadata, and other personal data submitted to or made available through the services by the Customer.
- Data subjects: Customer personnel, the Customer's end users, customers, prospects, delivery recipients, and any other individuals whose personal data is submitted to or made available through the services by or on behalf of the Customer.
4A. Connected Platforms and Customer Instructions
Where the Customer instructs Kliovo to connect to a third-party platform or service, including commerce platforms, logistics providers, messaging providers, or payment-related services, the Customer authorizes Kliovo to receive data from and transmit data to that platform or service as necessary to provide the requested functionality. Such connections form part of the Customer's documented instructions under this DPA.
4B. Commerce and Shopify Processing Details
- Subject matter: Connecting merchant commerce platforms to Kliovo Shop and Kliovo Connect.
- Nature and purpose: Store authorization, product synchronization, order synchronization, checkout and cart recovery, fulfillment and shipment updates, reporting, customer support, message automation, privacy request handling, and related operational workflows.
- Categories of personal data: Merchant account data, staff user data, customer names, phone numbers, email addresses, billing and shipping addresses, order identifiers, order line items, order notes, fulfillment and tracking data, abandoned checkout data, webhook payload metadata, and communication history where enabled.
- Data subjects: Merchant personnel, store customers, delivery recipients, support contacts, and other individuals whose data appears in merchant commerce or messaging workflows.
5. Security Measures
Kliovo implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption: TLS in transit and encryption controls for sensitive data where implemented.
- Access controls: Role-based access controls, tenant isolation, and administrative access safeguards.
- Monitoring and logging: Administrative audit logs and protected-data access logging for selected workflows.
- Operational controls: Backup controls, production and staging separation, and documented incident response procedures.
- Security review: Ongoing security review, hardening, and improvement of encryption coverage, access logging, and operational controls as the platform evolves.
- Employee training: Personnel with access to personal data receive data protection and information security training appropriate to their role.
6. Sub-processors
The Customer authorizes Kliovo to engage the following sub-processors for the purpose of delivering the services:
- Messaging providers and communications infrastructure providers, including Meta Platforms / WhatsApp.
- Cloud hosting, database, caching, storage, and compute infrastructure providers.
- Email delivery, support, analytics, logging, and monitoring providers.
- Payment processors used for subscription billing and payment operations.
Kliovo will notify the Customer at least 30 days in advance of any intended addition or replacement of sub-processors. The Customer has the right to object to the appointment of a new sub-processor on reasonable grounds. If the Customer objects and Kliovo cannot reasonably accommodate the objection, either party may terminate the affected services.
A current public list of sub-processors is available at /legal/subprocessors.
7. Data Subject Rights
Kliovo will assist the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection. Kliovo will promptly notify the Customer if it receives a request directly from a data subject and will not respond to such requests independently unless authorized by the Customer. Kliovo will use reasonable efforts to assist the Customer in responding to such requests within 30 days.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, Kliovo ensures that appropriate safeguards are in place. These safeguards include the use of Standard Contractual Clauses (SCCs) adopted by the European Commission, reliance on adequacy decisions where applicable, and any additional measures necessary to ensure an essentially equivalent level of protection for the transferred data.
9. Data Breach Notification
In the event of a personal data breach, Kliovo will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Kliovo will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audit Rights
The Customer may audit Kliovo's compliance with this DPA once per calendar year, upon reasonable written notice of at least 30 days. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to Kliovo's operations. Kliovo will make available all information necessary to demonstrate compliance and will cooperate with the audit. The Customer may also engage a qualified independent third-party auditor, subject to reasonable confidentiality obligations.
11. Data Return and Deletion
Upon termination or expiry of the service agreement, Kliovo will, at the Customer's election, return all personal data to the Customer in a commonly used, machine-readable format or securely delete all personal data within 30 days. Kliovo will provide written confirmation of deletion upon request. Kliovo may retain personal data to the extent required by applicable law, in which case it will continue to protect such data in accordance with this DPA.
12. Term
This DPA is effective for the duration of the service agreement between the Customer and Kliovo. The obligations of Kliovo under this DPA shall survive termination of the service agreement to the extent necessary to fulfill any data retention obligations or to complete the return or deletion of personal data as described herein.
Contact
For questions about this Data Processing Agreement, please contact us at [email protected].