Data Processing Agreement
Last updated: 2026-05-21
1. Purpose
This DPA governs Klyrix LLC’s processing of personal data on behalf of the Customer under GDPR Art. 28, UAE PDPL Art. 16, and KVKK Arts. 11 and 12. The Customer is the data controller; Klyrix is the data processor.
2. Scope of processing
Klyrix processes personal data only to the extent required to deliver the platform features the Customer has subscribed to — including identity, access management, audit logging, telemetry, billing, support, and other documented platform functions.
3. Customer instructions
Klyrix processes personal data only on the documented instructions of the Customer (these Terms, the DPA, and the platform configuration constitute such documentation). Any deviation requires a separate legal basis, which Klyrix will communicate before acting on it.
4. Confidentiality
All Klyrix personnel with access to Customer personal data are bound by written confidentiality obligations (employment contract or NDA). Access is restricted to the minimum required for their role.
5. Security measures
Technical and organisational measures are described in Annex II of the full DPA template (docs/compliance/gdpr-dpa-template.md) and summarised at the Trust Center. Highlights: encryption in transit (TLS 1.2+) and at rest (AES-256), MFA, SSO, row-level security (RLS), partitioned append-only audit logs, secret encryption via Supabase Vault, and regular security testing.
6. Subprocessors
The Customer grants Klyrix a general written authorisation to engage subprocessors, subject to the following conditions:
- Each subprocessor is bound to confidentiality and data-protection terms substantially equivalent to this DPA.
- Klyrix remains liable to the Customer for the acts and omissions of its subprocessors.
- Klyrix publishes the current list at /legal/policies/subprocessors and provides 30 days’ advance notice of additions, during which the Customer may object.
7. International transfers
Where personal data is transferred outside the EEA / UK / UAE, Klyrix uses:
- EU SCCs (Commission Decision 2021/914), Module Two for controller-to-processor transfers from the EEA.
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs for transfers from the UK.
- UAE PDPL Art. 22 mechanisms (adequacy, SCC-equivalent contractual safeguards, or explicit consent) for transfers from the UAE.
8. Assistance with data-subject rights
Klyrix provides reasonable assistance — via platform self-service tools and via the privacy team at privacy@klyrix.com — to help the Customer respond to data-subject requests within the timelines required by applicable law.
9. Breach notification
Klyrix will notify the Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer personal data (GDPR Art. 33). UAE PDPL breach notice is provided within the reasonable time required by that statute.
10. Audit rights
The Customer may audit Klyrix’s compliance with this DPA once per twelve months, on reasonable notice and during business hours, subject to a mutual confidentiality agreement. Klyrix may satisfy this obligation by providing an equivalent third-party report (e.g. SOC 2 Type II or ISO 27001 certificate) once obtained.
11. Deletion or return of data
On termination, the Customer may elect to have Klyrix return or securely delete all Customer personal data within 60 days, except where retention is required by law (e.g. invoices for accounting / tax purposes).
12. Liability
Liability under this DPA is governed by the limitation-of-liability section of the main MSA (/legal/policies/terms), save that statutory data-protection liabilities (e.g. regulatory fines directly attributable to one party) flow to the responsible party.
13. Self-service signing
To request a counter-signed DPA, email legal@klyrix.com with your legal entity name, registered address, and contact for service of notice. We respond within 5 business days with a PDF / DOCX for execution.
14. Effectiveness
This DPA becomes effective once countersigned by both parties. The Customer may request execution of this DPA at any time during the subscription term.