K Klovex Request access

Legal

Data Processing Addendum

Last updated: 22 May 2026

This Data Processing Addendum ("DPA") forms part of the Klovex Terms of Service between Klovex (the "Processor") and the customer using the Klovex Service (the "Controller"). It applies to all Processing of Personal Data carried out by Klovex on behalf of the Controller in connection with the Service and is designed to satisfy Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given to them under the GDPR. "Customer Personal Data" means Personal Data that Klovex Processes on the Controller's behalf in connection with the Service.

2. Subject matter and duration

The subject matter of the Processing is the provision of the Klovex Service to the Controller. Processing will continue for as long as Klovex provides the Service to the Controller and for any additional period strictly necessary to fulfill the obligations described in Section 10 ("Return and deletion").

3. Nature and purpose of Processing

Klovex Processes Customer Personal Data only to:

4. Categories of Data Subjects and types of Personal Data

Categories of Data SubjectsTypes of Personal Data
Authorized users of the Controller (employees, contractors, agency operators). Name, work email, role, login credentials, IP address, activity logs.
End users that Personal Data flows through connected ad platforms. Pseudonymous identifiers and aggregated metrics retrieved by the Controller from the platforms it connects. Klovex does not request raw end-user profile data.

5. Controller's instructions

Klovex Processes Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers outside the EEA. The Service itself, together with the Terms of Service, the Privacy Policy and any in-product actions taken by the Controller, constitute the Controller's complete and final instructions. Klovex will inform the Controller without undue delay if, in its opinion, an instruction infringes applicable data protection law.

6. Confidentiality

Klovex ensures that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on data-protection responsibilities.

7. Security

Klovex implements and maintains technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. A summary is published on the Security page; the full description is available on request under NDA.

8. Sub-processors

The Controller authorises Klovex to engage sub-processors to assist with the provision of the Service. Klovex (a) imposes data-protection obligations no less protective than those in this DPA on each sub-processor and (b) remains liable for each sub-processor's compliance.

Current sub-processors

Sub-processorPurposeLocation
Vercel Inc.Application hosting and CDN.EU / US (with SCCs)
Neon Inc.Managed PostgreSQL database.EU region selected for production.
Cloudflare, Inc.DNS, TLS termination and DDoS protection.Global edge (with SCCs).
Resend, Inc.Transactional email delivery.EU / US (with SCCs).

Klovex will give Controllers reasonable advance notice of any new sub-processor by updating this page. Controllers may object to the addition of a sub-processor by emailing privacy@klovex.xyz within 14 days of the notice. If Klovex cannot offer an alternative, the Controller may terminate the affected services as its sole remedy.

9. Assistance to the Controller

Klovex assists the Controller, taking into account the nature of the Processing and the information available, in fulfilling the Controller's obligations to:

10. Return and deletion of Personal Data

On termination of the Service or earlier on the written request of the Controller, Klovex will delete or return all Customer Personal Data within 30 days, save where storage is required by EU or Member-State law. The User Data Deletion page describes the self-service path available within the Service.

11. Audits

Klovex makes available to the Controller all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are conducted at the Controller's expense, with reasonable advance notice and during regular business hours, and may be satisfied by Klovex's most recent independent third-party security assessment where one exists.

12. International transfers

Where Customer Personal Data is transferred outside the EEA / UK, Klovex relies on appropriate safeguards, in particular the European Commission's Standard Contractual Clauses (Module 3, Processor-to-Processor; or Module 2, Controller-to-Processor, as applicable) and supplementary measures where required. The SCCs are incorporated into this DPA by reference and apply between Klovex and the Controller where the Controller is established in the EEA / UK.

13. Personal Data breaches

Klovex notifies the Controller without undue delay (and in any case within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data, and provides reasonable cooperation to enable the Controller to meet its own breach-notification obligations.

14. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions set out in the Terms of Service.

15. How to execute this DPA

If you need a counter-signed copy of this DPA for your records, email privacy@klovex.xyz with the legal name and address of your organisation. We will return a signed copy within five business days.