This Data Processing Agreement (“DPA”) forms part of the Agreement between Klarion and Customer and applies when Klarion processes Personal Data on Customer’s behalf in connection with the Services.
1.1 Controller / Processor. “Controller,” “Processor,” “Personal Data,” “Personal Data Breach,” “Subprocessor,” and “Processing” have the meanings given in GDPR (where applicable). Under U.S. state privacy laws, Klarion acts as a “service provider” or “processor,” as applicable, and Customer acts as a “business” or “controller.”
1.2 Customer Personal Data. Personal Data included in Customer Data that Klarion processes under the Agreement.
1.3 Security Measures. Administrative, technical, and organizational measures described in Annex 2.
2.1 Roles. Customer is the Controller of Customer Personal Data; Klarion is the Processor.
2.2 Processing instructions. Klarion will process Customer Personal Data only on documented instructions from Customer, including those in the Agreement, unless required by law.
2.3 Details of processing. The subject matter, duration, nature/purpose, categories of Personal Data, and categories of data subjects are described in Annex 1.
Klarion will ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
Klarion will implement and maintain the Security Measures in Annex 2 and may update them provided the overall level of security is not materially reduced.
5.1 Authorization. Customer grants Klarion general authorization to engage Subprocessors.
5.2 List and notice. Klarion will maintain an up-to-date list of Subprocessors in Annex 3 (or via a posted webpage referenced in Annex 3). Klarion will provide advance notice of material changes (e.g., adding/removing Subprocessors) via reasonable means (email or posting) and allow Customer to object on reasonable data protection grounds within a stated period (e.g., 10 business days).
5.3 Flow-down. Klarion will impose written data protection obligations on Subprocessors consistent with this DPA and remains responsible for their performance.
Klarion will provide reasonable assistance to Customer to respond to data subject requests (access, deletion, etc.) to the extent Customer cannot address the request through the Services, and subject to reimbursement of reasonable costs where appropriate.
Klarion will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and provide information reasonably needed for Customer’s obligations.
8.1 Transfers. If Customer Personal Data is transferred from the EEA/UK/Switzerland to a country not deemed adequate, the parties will rely on a valid transfer mechanism.
8.2 SCCs. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:
8.3 UK Addendum / Swiss. Where applicable, the UK International Data Transfer Addendum and Swiss requirements apply by incorporation and necessary modifications.
Upon termination/expiration, Klarion will (at Customer’s choice, where supported) return Customer Personal Data and/or delete it within a commercially reasonable period, unless retention is required by law. Deletion timelines and mechanics may be further specified in the Order Form or in-product settings.
Customer may audit Klarion’s compliance with this DPA no more than once annually (and no more than once per incident) with reasonable notice, subject to confidentiality and security requirements. Klarion may satisfy audit requests by providing a SOC 2 report or similar independent assessment when available.
To the extent applicable:
If there is a conflict between this DPA and the Terms, this DPA controls with respect to Personal Data processing.
Subject matter: Processing Customer Data (including Customer Personal Data) to provide customer feedback analytics, issue detection, classification, reporting, and alerting.
Duration: Subscription Term plus limited retention period as described in Section 9.
Nature and purpose: Hosting, ingestion, transformation, analysis, classification, summarization, alerting, reporting, support, security monitoring, and service improvement (as permitted).
Categories of data subjects: Customer’s employees, contractors, end users, customers, and other individuals whose communications appear in feedback sources.
Categories of Personal Data: Names, emails, usernames, internal IDs, message content in tickets/chats/surveys, metadata (timestamps, product area, account identifiers), and other Personal Data included in Customer Data.
Special categories: Not intended; only processed if Customer includes them in Customer Data.
Klarion may use infrastructure and service providers such as:
Current customers may request the current list of Klarion Subprocessors by emailing dpa@klarion.ai.