Data Processing Agreement
This draft Data Processing Agreement (DPA) is provided for testnet review and is not represented as a signed production agreement. Once finalised, it would supplement our Terms of Service and govern Klaro's processing of personal data on behalf of vendors and their customers.
Roles
Vendor = data controller for invoice-line customer data. Klaro = processor for that data; controller for our own platform account data + KYB (know-your-business) records.
Subject matter + duration
Klaro processes personal data only as needed to provide the platform — for as long as the vendor account exists, plus a 7-year retention window for AML records per FATF guidance.
Security
Production requirement: encrypted storage and transit, reviewed subprocessors, least-privilege internal access and strong multi-factor authentication. Evidence that these controls are in place must be collected before launch.
International transfers
EU↔US transfers covered by Standard Contractual Clauses (Module 2 + 3). Indian + Filipino + Brazilian vendor data hosted in regional Supabase clusters.
Breach notification
Klaro notifies the controller within 72 hours of becoming aware of a personal data breach, per GDPR Art. 33. Affected end-users are notified per applicable local law (e.g. CPRA in California, DPDP in India).
Audits + signed copy
Questions about the planned signed DPA and future assurance reports can be sent to dpa@klaro.so. For accounts with fewer than 100 vendors, this page serves as the publicly available copy of the DPA.