Pricing
    About UsCareersContactPartnersPressStatus
    Start FreeLog in

    Data Processing Agreement

    Last updated: January 30, 2025

    This Data Processing Agreement ("DPA") forms part of the agreement between Klarvo and Customer for the provision of the EU AI Act compliance platform services ("Services").

    1. Definitions

    In this DPA:

    • "Controller" means the Customer who determines the purposes and means of processing Personal Data.
    • "Processor" means Klarvo, which processes Personal Data on behalf of the Controller.
    • "Personal Data" means any information relating to an identified or identifiable natural person.
    • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
    • "Data Subject" means an identifiable natural person whose Personal Data is processed.
    • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).

    2. Roles and Responsibilities

    2.1 Customer as Controller

    The Customer acts as the Controller for Personal Data processed through the Services. The Customer is responsible for:

    • Ensuring lawful basis for processing
    • Providing appropriate notices to Data Subjects
    • Ensuring accuracy of Personal Data
    • Responding to Data Subject requests

    2.2 Klarvo as Processor

    Klarvo acts as a Processor, processing Personal Data only on documented instructions from the Customer. Klarvo will:

    • Process Personal Data only as instructed by the Customer
    • Ensure personnel are bound by confidentiality obligations
    • Implement appropriate technical and organizational measures
    • Assist the Customer with Data Subject requests
    • Delete or return Personal Data upon termination

    3. Subject Matter and Details of Processing

    3.1 Subject Matter

    The provision of the Klarvo EU AI Act compliance platform, including AI system inventory, classification, evidence management, and reporting features.

    3.2 Duration

    Processing will continue for the duration of the Services agreement and as required for data retention obligations.

    3.3 Nature and Purpose

    Processing is necessary to provide the Services, including storing and organizing compliance data, generating reports, and facilitating user access.

    3.4 Types of Personal Data

    • User account data (name, email, job title)
    • Usage data and access logs
    • Any Personal Data included in Customer's compliance documentation

    3.5 Categories of Data Subjects

    • Customer employees and authorized users
    • Individuals referenced in Customer's compliance data

    4. Security Measures

    Klarvo implements appropriate technical and organizational measures including:

    • Encryption of data at rest and in transit
    • Access controls and authentication
    • Regular security testing and monitoring
    • Incident detection and response procedures
    • Employee security training
    • Physical security controls for data centers

    For details, see our Security page.

    5. Sub-Processors

    5.1 Authorization

    The Customer authorizes Klarvo to engage sub-processors for the provision of Services. Klarvo will:

    • Maintain a list of current sub-processors
    • Notify the Customer of changes to sub-processors
    • Ensure sub-processors are bound by equivalent data protection obligations

    5.2 Current Sub-Processors

    NamePurposeLocation
    Cloud Infrastructure ProviderHosting and infrastructureEU (Germany)
    Database ProviderDatabase servicesEU (Germany)
    Email ProviderTransactional emailEU

    6. Data Subject Rights

    Klarvo will assist the Customer in responding to Data Subject requests including:

    • Access to Personal Data
    • Rectification of inaccurate data
    • Erasure ("right to be forgotten")
    • Restriction of processing
    • Data portability
    • Objection to processing

    7. Data Breach Notification

    In the event of a Personal Data breach, Klarvo will:

    • Notify the Customer without undue delay (and within 48 hours where feasible)
    • Provide information about the nature and scope of the breach
    • Describe measures taken to address the breach
    • Assist the Customer with regulatory notifications

    8. International Transfers

    Klarvo primarily processes data within the European Economic Area. Where transfers outside the EEA are necessary:

    • Transfers are made to countries with an adequacy decision
    • Or subject to Standard Contractual Clauses (SCCs)
    • Supplementary measures are applied where required

    9. Audit Rights

    Klarvo will make available information necessary to demonstrate compliance with this DPA. The Customer may:

    • Request and review audit reports and certifications
    • Conduct or mandate audits with reasonable notice

    10. Data Deletion

    Upon termination of Services, Klarvo will:

    • Provide an option to export Customer data
    • Delete all Personal Data within 30 days of termination
    • Certify deletion upon request

    Data may be retained longer if required by applicable law.

    11. Liability

    Each party's liability under this DPA is subject to the limitations set forth in the main Services agreement.

    12. Contact

    For DPA inquiries:

    • Email: dpa@klarvo.com
    • DPO: dpo@klarvo.com