
Data Processing Agreement

Last Updated: Dec 15, 2025

This Data Processing Agreement (“DPA”) forms part of the Agreement between Klarion and Customer and applies when Klarion processes Personal Data on Customer’s behalf in connection with the Services.


1. Definitions

1.1 Controller / Processor. “Controller,” “Processor,” “Personal Data,” “Personal Data Breach,” “Subprocessor,” and “Processing” have the meanings given in GDPR (where applicable). Under U.S. state privacy laws, Klarion acts as a “service provider” or “processor,” as applicable, and Customer acts as a “business” or “controller.”

1.2 Customer Personal Data. Personal Data included in Customer Data that Klarion processes under the Agreement.

1.3 Security Measures. Administrative, technical, and organizational measures described in Annex 2.


2. Roles and scope

2.1 Roles. Customer is the Controller of Customer Personal Data; Klarion is the Processor.

2.2 Processing instructions. Klarion will process Customer Personal Data only on documented instructions from Customer, including those in the Agreement, unless required by law.

2.3 Details of processing. The subject matter, duration, nature/purpose, categories of Personal Data, and categories of data subjects are described in Annex 1.


3. Confidentiality and personnel

Klarion will ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.


4. Security

Klarion will implement and maintain the Security Measures in Annex 2 and may update them provided the overall level of security is not materially reduced.


5. Subprocessors

5.1 Authorization. Customer grants Klarion general authorization to engage Subprocessors.

5.2 List and notice. Klarion will maintain an up-to-date list of Subprocessors in Annex 3 (or via a posted webpage referenced in Annex 3). Klarion will provide advance notice of material changes (e.g., adding/removing Subprocessors) via reasonable means (email or posting) and allow Customer to object on reasonable data protection grounds within a stated period (e.g., 10 business days).

5.3 Flow-down. Klarion will impose written data protection obligations on Subprocessors consistent with this DPA and remains responsible for their performance.


6. Data subject requests

Klarion will provide reasonable assistance to Customer to respond to data subject requests (access, deletion, etc.) to the extent Customer cannot address the request through the Services, and subject to reimbursement of reasonable costs where appropriate.


7. Personal Data Breach

Klarion will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and provide information reasonably needed for Customer’s obligations.


8. International data transfers

8.1 Transfers. If Customer Personal Data is transferred from the EEA/UK/Switzerland to a country not deemed adequate, the parties will rely on a valid transfer mechanism.

8.2 SCCs. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:

  • Module: Module Two (Controller to Processor) (and Module Three if applicable for Processor-to-Processor situations initiated by Customer).

  • The Annexes to the SCCs are completed by Annex 1 (processing details) and Annex 2 (security measures) of this DPA.

  • The competent supervisory authority and governing law are selected consistent with Customer’s EU establishment (or, if none, as specified in the SCCs).

8.3 UK Addendum / Swiss. Where applicable, the UK International Data Transfer Addendum and Swiss requirements apply by incorporation and necessary modifications.


9. Deletion or return

Upon termination/expiration, Klarion will (at Customer’s choice, where supported) return Customer Personal Data and/or delete it within a commercially reasonable period, unless retention is required by law. Deletion timelines and mechanics may be further specified in the Order Form or in-product settings.


10. Audits and compliance

Customer may audit Klarion’s compliance with this DPA no more than once annually (and no more than once per incident) with reasonable notice, subject to confidentiality and security requirements. Klarion may satisfy audit requests by providing a SOC 2 report or similar independent assessment when available.


11. U.S. state privacy law terms

To the extent applicable:

  • Klarion will not “sell” or “share” Customer Personal Data (as defined by applicable law).

  • Klarion will process Customer Personal Data only to provide the Services and as permitted by the Agreement.

  • Klarion will not combine Customer Personal Data with other customers’ personal data except as permitted by law and the Agreement (e.g., security, fraud prevention, and de-identified aggregation).


12. Order of precedence

If there is a conflict between this DPA and the Terms, this DPA controls with respect to Personal Data processing.

 

 

Annex 1 — Processing details

Subject matter: Processing Customer Data (including Customer Personal Data) to provide customer feedback analytics, issue detection, classification, reporting, and alerting.

Duration: Subscription Term plus limited retention period as described in Section 9.

Nature and purpose: Hosting, ingestion, transformation, analysis, classification, summarization, alerting, reporting, support, security monitoring, and service improvement (as permitted).

Categories of data subjects: Customer’s employees, contractors, end users, customers, and other individuals whose communications appear in feedback sources.

Categories of Personal Data: Names, emails, usernames, internal IDs, message content in tickets/chats/surveys, metadata (timestamps, product area, account identifiers), and other Personal Data included in Customer Data.

Special categories: Not intended; only processed if Customer includes them in Customer Data.


 

Annex 2 — Security measures 

  • Access controls (role-based access, least privilege)

  • Encryption in transit and at rest

  • Logical segregation by customer/account

  • Security monitoring and logging

  • Vulnerability management and patching

  • Backup and recovery procedures

  • Incident response program

  • Personnel confidentiality and security training


 

Annex 3 — Subprocessors

Klarion may use infrastructure and service providers such as:

  • Cloud hosting / storage

  • Email delivery provider 

  • Analytics/monitoring provider

  • AI model provider(s)
     

Current customers may request the current list of Klarion Subprocessors by emailing dpa@klarion.ai 
