Data Processing Agreement
Last updated: 1 March 2026
This Data Processing Agreement (“DPA”) is part of the agreement between you (“Controller”) and Klai B.V. (“Processor”) for use of the Klai platform.
It applies wherever Klai processes personal data on your behalf under the GDPR (Regulation (EU) 2016/679). If you need a signed version for your records, contact rights@getklai.com.
1. Definitions
- Personal data: information relating to an identified or identifiable natural person (Article 4(1) GDPR)
- Processing: any operation performed on personal data (Article 4(2) GDPR)
- Controller: you, the party that determines why and how data is processed
- Processor: Klai B.V., the party that processes data on your instructions
2. What Klai processes and why
Klai processes personal data to provide the service. That includes:
- Passing your queries and documents to AI inference systems to generate responses
- Storing session data for the duration of an active session
- Logging access and usage data for security and operational purposes
We do not process data for any purpose beyond running the service.
3. What kind of data
That depends on what you submit. It may include names, email addresses, professional correspondence, client documents, or audio recordings. The categories are yours to define and control.
We do not knowingly process special category data under Article 9 GDPR unless we have agreed that in writing.
4. Klai’s obligations as Processor
Klai will:
- Process personal data only on your documented instructions
- Make sure everyone with access to the data is bound by confidentiality
- Implement and maintain appropriate technical and organisational security measures (Article 32 GDPR)
- Not engage new sub-processors without your prior authorisation
- Help you respond to data subject requests under Articles 15-22 GDPR
- Delete or return all personal data when the service ends
- Give you everything you need to demonstrate compliance with Article 28 GDPR
5. Sub-processors
We use a small number of sub-processors to operate the service. The current list is at /docs/legal/sub-processors.
By accepting this DPA, you give general authorisation for the sub-processors on that list. We will notify you at least 14 days before adding or replacing a sub-processor, giving you time to object.
6. International transfers
All processing takes place within the EEA. We do not transfer personal data to third countries.
7. Security
Our measures include encryption in transit and at rest, access controls, authentication requirements, regular security assessments, and an incident response process.
8. Data breach notification
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 48 hours.
9. Audit rights
You have the right to audit Klai’s compliance with this DPA once per year, on reasonable notice and at your expense. Where third-party audit reports are available, we can provide those in lieu of an on-site audit.
10. Term
This DPA stays in force for as long as the service agreement runs. On termination, we will delete all personal data within 30 days, unless law requires us to keep it longer.
11. Contact
Klai B.V.
Lubeckweg 2
9723HE Groningen
The Netherlands
E-mail: rights@getklai.com
This document is published under CC BY 4.0. You are free to adapt it for your own organisation. Credit: Klai B.V.