Data Processing Agreement

Last updated: April 30, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Klairr Terms of Service (the "Agreement") between Ask Klairr — AI Solutions LTD, a private company limited by shares incorporated under the laws of the Republic of Cyprus ("Klairr" or "Processor"), and the Customer ("Controller"). It applies whenever Klairr processes Personal Data on behalf of the Controller in connection with the Service.

By creating an account or using the Service, Customer accepts this DPA on behalf of itself and any Authorized Affiliate. If you require a counter-signed copy, contact legal@klairr.com.

1. Definitions

Capitalized terms used in this DPA but not defined here have the meanings given in the Agreement or, where applicable, in Regulation (EU) 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR") and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and any other data protection law applicable to the processing of Personal Data under the Agreement (collectively, "Data Protection Laws").

  • "Personal Data" has the meaning given in Article 4(1) GDPR.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Sub-Processor" means any third party engaged by Klairr that processes Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Decision 2021/914 (Module Two: Controller-to-Processor), as amended.

2. Subject-Matter, Duration, Nature, and Purpose of Processing (Art. 28(3))

  • Subject-matter: The processing of Personal Data necessary for Klairr to provide the Service, including AI-assisted question answering against Customer-connected data sources, conversation history, organisational AI Memory, audit logging, support, and billing.
  • Duration: The term of the Agreement, plus the data export and deletion periods set out in Section 11 of this DPA.
  • Nature: Hosted software-as-a-service. Processing operations include collection, storage, transmission to Sub-Processors, organisation, retrieval, consultation, use, restriction, erasure, and destruction.
  • Purpose: Performance of the Agreement and provision of the Service to the Controller.
  • Type of Personal Data: User account data (name, business email, hashed credentials, organisation, role); question text and conversation context; AI Memory content; up to twenty (20) rows of query result samples per question (which may include any Personal Data present in the Controller's connected data sources at the moment of query); usage and audit metadata; error telemetry; and billing identifiers.
  • Categories of Data Subjects: Controller's authorised users, Controller's customers, employees, contractors, prospects, and any other natural persons whose Personal Data is present in Controller's connected data sources and is referenced by a query.

3. Roles of the Parties

Controller is the controller and Klairr is the processor of Personal Data within the meaning of the Data Protection Laws. Each party will comply with its obligations under the Data Protection Laws. Controller is solely responsible for the accuracy, quality, and lawfulness of Personal Data and the means by which Controller acquired Personal Data.

4. Processor Obligations under Article 28(3)(a)–(h)

4.1 Documented Instructions (Art. 28(3)(a))

Klairr will process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by Union or Member State law to which Klairr is subject. The Agreement, this DPA, and Controller's use of the Service through its documented configurations constitute Controller's complete and final instructions to Klairr. Klairr will inform Controller if, in its opinion, an instruction infringes Data Protection Laws.

4.2 Confidentiality of Personnel (Art. 28(3)(b))

Klairr ensures that personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received appropriate training on the protection of Personal Data.

4.3 Security Measures (Art. 28(3)(c) / Art. 32)

Klairr will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, as set out in Annex II (Security Measures) below.

4.4 Engagement of Sub-Processors (Art. 28(3)(d) and 28(2)/(4))

Controller grants Klairr general written authorisation to engage Sub-Processors to perform specific processing activities on Controller's behalf. The current list of authorised Sub-Processors is published at klairr.com/legal/subprocessors and is incorporated into this DPA by reference.

Klairr will impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA. Klairr remains liable to Controller for the performance of each Sub-Processor's obligations.

Klairr will notify Controller at least thirty (30) days before adding or replacing any Sub-Processor, by email and by updating the Sub-Processors page. Controller may object on reasonable data-protection grounds during that window by emailing legal@klairr.com. If the parties cannot resolve the objection in good faith, Controller may terminate the affected portion of the Agreement and receive a refund for the unused portion.

4.5 Assistance with Data Subject Rights (Art. 28(3)(e))

Taking into account the nature of the processing, Klairr will assist Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR. The Service includes self-service export, correction, and deletion functionality which Controller may use to fulfil such requests directly. For requests that cannot be fulfilled through self-service tools, Klairr will provide reasonable assistance within fifteen (15) business days of a verified request from Controller.

4.6 Assistance with Security, Breach Notification, DPIA, and Prior Consultation (Art. 28(3)(f) / Arts. 32–36)

Klairr will assist Controller, taking into account the nature of processing and the information available to Klairr, in ensuring compliance with the obligations under Articles 32 to 36 GDPR. Klairr will notify Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Controller's Personal Data, providing the information described in Article 33(3) GDPR to the extent then known and supplemented as further information becomes available.

4.7 Return or Deletion at End of Processing (Art. 28(3)(g))

On termination or expiry of the Agreement, Klairr will, at Controller's choice, return or delete all Personal Data, subject to the data export and deletion windows set out in Section 11 of this DPA. Klairr may retain Personal Data only to the extent required by Union or Member State law and, in such case, will protect the confidentiality and security of the retained Personal Data.

4.8 Information and Audit Rights (Art. 28(3)(h))

Klairr will make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. Klairr will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, as follows:

  • Controller is entitled to receive, on reasonable written request and not more than once per twelve (12) months, Klairr's then-current security and compliance documentation (which may include third-party security reports, summaries of penetration tests, and applicable certification reports).
  • Where the documentation under the preceding bullet is reasonably insufficient to satisfy a regulator's request or demonstrate compliance, Controller may, on reasonable prior written notice and at its own expense, conduct an audit through a mutually agreed independent auditor, subject to confidentiality undertakings, during normal business hours, and in a manner that does not unreasonably interfere with Klairr's operations or breach Klairr's obligations to other customers.
  • Costs of any audit conducted by or for Controller are borne by Controller, unless the audit reveals a material breach of this DPA by Klairr, in which case Klairr will reimburse Controller's reasonable costs.

5. International Transfers

Application data is hosted in the European Union. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission (or, as applicable, by the UK or Swiss authority), the transfer is governed by the EU Standard Contractual Clauses (Module Two, Controller-to-Processor), as supplemented by the UK International Data Transfer Addendum and the Swiss adaptation, as applicable. The SCCs are incorporated into this DPA by reference, with the optional clauses selected and the Annexes completed as follows:

  • Module: Two (Controller-to-Processor).
  • Clause 7 (Docking): Optional clause is included.
  • Clause 9 (Sub-Processors): Option 2 (general written authorisation) with a 30-day notice period as set out in Section 4.4 of this DPA.
  • Clause 11 (Redress): Optional independent dispute resolution body is excluded.
  • Clause 17 (Governing Law): The law of the Republic of Cyprus.
  • Clause 18 (Choice of Forum and Jurisdiction): The competent courts of the Republic of Cyprus.
  • Annex I.A: Klairr is the data importer; Controller is the data exporter.
  • Annex I.B: As described in Section 2 of this DPA (Subject-matter, types, categories).
  • Annex I.C: Office of the Commissioner for Personal Data Protection of the Republic of Cyprus.
  • Annex II: The security measures set out in Annex II of this DPA.
  • Annex III: The Sub-Processors listed at klairr.com/legal/subprocessors.

6. UK and Swiss Transfers

For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022). For transfers from Switzerland, the parties incorporate the SCCs with the adaptations recognised by the Swiss Federal Data Protection and Information Commissioner.

7. Special Category Data

The Service is not designed to process special categories of Personal Data within the meaning of Article 9 GDPR. Controller agrees not to make special category data queryable through connected data sources unless Controller has established a lawful basis under Article 9(2) GDPR and has notified Klairr in writing in advance.

8. Liability

Each party's liability under or in connection with this DPA is governed by the limitation of liability provisions of the Agreement (Section 14 of the Terms of Service). Liability that cannot lawfully be limited or excluded under applicable Data Protection Laws or other mandatory law is not limited by this DPA.

9. Conflict

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs as incorporated above, the SCCs prevail.

10. Governing Law and Jurisdiction

This DPA is governed by the law of the Republic of Cyprus and the parties submit to the jurisdiction of the competent courts of the Republic of Cyprus, except where mandatory consumer protection laws of a Data Subject's residence require otherwise (see Section 18.5 of the Terms of Service).

11. Data Export and Deletion at Termination

On termination or expiry of the Agreement, Klairr will make Controller's Personal Data available for export, in JSON and CSV format, for thirty (30) days through the Service's built-in export functionality. After that export window, Klairr will delete Personal Data from active systems within thirty (30) days. Backups are kept on a thirty (30)-day rolling retention schedule (see Annex II), so copies in backups expire no later than thirty (30) days after deletion from active systems, at which point deletion is complete. Klairr will provide written confirmation of deletion on Controller's reasonable request.

12. Processor Contact

Processor: Ask Klairr — AI Solutions LTD
Jurisdiction of Incorporation: Republic of Cyprus
Legal: legal@klairr.com
Data Protection Officer: dpo@klairr.com
EU/EEA Lead Supervisory Authority: Office of the Commissioner for Personal Data Protection of the Republic of Cyprus


Annex I — Description of Processing

The description of processing required under Annex I of the SCCs is set out in Section 2 of this DPA.

Annex II — Security Measures

Klairr maintains the following technical and organisational security measures, which it may update from time to time provided the overall level of security is not materially diminished:

  • Encryption. Strong TLS for data in transit. Industry-standard symmetric encryption for application data and data-source credentials at rest.
  • Access control. Role-based access control on the platform. Least-privilege access for Klairr personnel. Multi-factor authentication for production access.
  • Tenant isolation. Logical separation of Customer data at the application layer; no cross-tenant data access.
  • Read-only enforcement. Write and schema-modifying database operations are blocked at the application layer regardless of the privileges granted to the underlying database role used for the connection.
  • Credential handling. Data-source credentials are encrypted at rest, never logged, never displayed after initial configuration, and never accessible in plaintext to support staff.
  • Audit logging. Tamper-evident audit trail covering authentication events, query execution, administrative actions, and AI Memory changes, retained for twelve (12) months.
  • Vulnerability and incident management. Documented security incident response process; periodic vulnerability assessment.
  • Personnel. Confidentiality undertakings from all personnel; security and privacy training on hiring and at least annually thereafter.
  • Backup and recovery. Encrypted backups with a thirty (30)-day rolling retention.
  • Sub-processor governance. Each Sub-Processor is subject to a written contract with data-protection terms no less protective than this DPA.

Annex III — Authorised Sub-Processors

The list of authorised Sub-Processors, including each Sub-Processor's name, role, and processing location, is published at klairr.com/legal/subprocessors and is updated whenever the list changes. That page is the canonical and authoritative list.