Data Processing Agreement
Effective 28 May 2026
Klarvo's standard DPA — incorporated by reference into the Terms of Service whenever Open Digital WEB LTD trading as Klarvo processes personal data on your behalf.
1. Roles
You (the "Customer") are the data controller. Open Digital WEB LTD trading as Klarvo ("Klarvo") is the data processor when it processes personal data on your behalf under the Terms of Service.
Where Klarvo processes data for its own purposes (e.g. operating the marketing site, billing, fraud prevention), Klarvo acts as an independent controller and the Privacy Policy applies.
2. Scope
Klarvo processes personal data only for the purpose of providing the service: classification, obligation tracking, evidence storage, exports, billing, and notifications. Klarvo will not process personal data for any other purpose unless instructed in writing by the Customer or required by law.
3. Confidentiality
Klarvo ensures everyone authorised to process personal data is bound by confidentiality and has been informed of the requirements applicable to that personal data.
4. Security
Klarvo implements appropriate technical and organisational measures, including:
- Row-level security on every database table; cross-organisation reads are not possible.
- Encryption in transit (TLS 1.2+) and at rest (AES-256 on the database and storage layer).
- Least-privilege access for Klarvo personnel, with audit logging of any administrative access.
- Per-environment isolation (dev / staging / production) with separate credentials.
- Quarterly review of access; immediate revocation on role changes or offboarding.
5. Sub-processors
Klarvo uses the following sub-processors:
- Supabase — primary database, authentication, storage. EU region.
- Stripe — billing.
- Resend — transactional email.
- Cloudflare — CDN and edge hosting.
- The AI capability provider behind KlarvoEngine — invoked per classification.
Klarvo gives the Customer 30 days' notice of any new sub-processor and provides the right to object on reasonable grounds.
6. Data subject rights
Klarvo provides functionality in the app (export, deletion, rectification) so the Customer can respond to data-subject requests under Articles 15–22 of the GDPR. Where a request is addressed to Klarvo, Klarvo forwards it to the Customer and assists as required.
7. Personal-data breach
Klarvo notifies the Customer without undue delay (and in any case within 72 hours of awareness) of any personal-data breach affecting the Customer's data. The notice includes the nature of the breach, categories and approximate number of data subjects, likely consequences, and the measures taken or proposed.
8. International transfers
Where a sub-processor processes personal data outside the European Economic Area, Klarvo relies on the European Commission's Standard Contractual Clauses (Module 3, processor to sub-processor) and a transfer-impact assessment per EDPB guidance.
9. Audit
Klarvo provides the Customer with the security documentation reasonably required to demonstrate compliance with Article 28. The Customer may audit Klarvo on reasonable notice; audits are conducted in a way that does not disrupt the service.
10. End of processing
On termination of the Terms of Service, Klarvo deletes the Customer's personal data within 90 days, except where retention is required by law (see the Privacy Policy for the audit-log and billing retention schedules).
11. Liability
Each party's liability under this DPA is subject to the liability cap in the Terms of Service. Nothing in this DPA excludes liability that cannot be excluded by law.
12. Signed copy
On request, Klarvo provides a counter-signed PDF copy of this DPA for your records. Email hello@klarvo.io.