Version 1.0 — Effective 17 June 2026

Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Klovac Terms of Service between Klovant Tech Private Limited (“Processor”) and the customer entity that has agreed to those terms (“Controller”).

1. Definitions

Terms used but not defined here have the meaning given in the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Information Technology (Amendment) Act 2008 and the Digital Personal Data Protection Act 2023 (“DPDPA”), or any successor legislation.

  • Personal Data — any information relating to an identified or identifiable natural person that the Controller submits to the Service.
  • Processing — any operation performed on Personal Data, whether automated or not.
  • Sub-processor — any third party engaged by the Processor to carry out Processing on behalf of the Controller.
  • Service — the Klovac AI chat and lead-capture platform made available at klovac.com.

2. Details of Processing

ItemDetails
Subject matterOperation of the Klovac AI chat service on behalf of the Controller
DurationFor the term of the Services agreement plus the retention period specified by the Controller (or 30 days after account deletion if no retention period is set)
Nature of processingCollection, storage, retrieval, analysis, and transmission of conversation data and lead information via automated AI processing
PurposeProviding the Controller's end-users with AI-powered support; capturing leads; generating analytics for the Controller
Categories of Personal DataChat messages, contact details (name, email, phone) voluntarily provided by end-users; device and session metadata
Categories of Data SubjectsEnd-users of the Controller's website or WhatsApp channel who interact with the Klovac chat widget

3. Controller's Obligations

The Controller shall:

  • Ensure it has a lawful basis for Processing and has provided data subjects with appropriate privacy notices before their data enters the Service.
  • Ensure that any instructions given to the Processor are lawful.
  • Promptly inform the Processor if it becomes aware that its Processing instructions infringe applicable law.

4. Processor's Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as set out in Annex A.
  • Not engage a Sub-processor without prior general written authorisation from the Controller (the current list in Annex B constitutes such authorisation).
  • Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection) by making available the tools described in the Service.
  • Notify the Controller without undue delay — and within 72 hours where feasible — after becoming aware of a Personal Data breach that affects the Controller's data.
  • Delete or return all Personal Data upon termination of the Services agreement, at the Controller's option, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and, on reasonable notice, permit audits conducted by the Controller or a mutually agreed third-party auditor.

5. Sub-processors

The Controller grants general authorisation for the Processor to engage the Sub-processors listed in Annex B. The Processor will give at least 14 days' notice before adding or replacing a Sub-processor. The Controller may object on reasonable grounds within that period. The Processor imposes data protection obligations on all Sub-processors equivalent to those in this DPA.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or India where Sub-processors operate. For EEA data, such transfers are subject to the European Commission Standard Contractual Clauses (Module 2 or 3 as applicable). For data subject to the DPDPA, transfers comply with any framework notified by the Government of India.

7. Confidentiality

Each party shall keep the other's Personal Data strictly confidential and shall not disclose it to any third party except as required by this DPA, the Services agreement, or applicable law.

8. Liability

Each party's liability under this DPA is subject to the limitations set out in the Klovac Terms of Service. Where both parties are responsible for damage caused by a breach of this DPA, they shall be held liable in proportion to their respective responsibility.

9. Governing Law

This DPA is governed by the laws of India. Disputes shall be subject to the exclusive jurisdiction of courts in Hyderabad, Telangana. For Controllers subject to the GDPR, nothing in this clause limits the ability of the Controller to bring proceedings before the supervisory authority or courts of its EU member state of establishment.

10. Contact

Data protection enquiries, data subject rights requests, and breach notifications should be sent to: privacy@klovac.com.


Annex A — Technical and Organisational Security Measures

A.1 Access Control

  • All production data is stored in Supabase with Row-Level Security (RLS) enforced — queries are tenant-scoped at the database level.
  • API keys are encrypted at rest using AES-256-GCM before storage. Plaintext keys are never persisted.
  • Dashboard access requires authentication via Supabase Auth (email/password or Google OAuth). Sessions use short-lived JWTs with refresh rotation.
  • Privileged database operations use a service-role key scoped to backend processes only; the anon key has no write access to sensitive tables.

A.2 Data in Transit

  • All communication between clients and the Service uses TLS 1.2 or higher (enforced by Vercel and Supabase).
  • The embeddable widget communicates over HTTPS only.

A.3 Data at Rest

  • Database storage is encrypted at rest using AES-256 (managed by Supabase / AWS).
  • File uploads (PDFs, CSVs) are stored in Supabase Storage with encryption at rest.

A.4 Availability and Recovery

  • The Service is deployed on Vercel (global edge + serverless functions) with automatic failover.
  • The database is hosted on Supabase with daily automated backups and optional Point-in-Time Recovery (PITR).
  • Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours (1 hour with PITR enabled).

A.5 Vulnerability Management

  • Error monitoring via Sentry with PII scrubbing before transmission.
  • Dependency vulnerability scanning in the CI pipeline.
  • Security patches applied within 48 hours for critical CVEs.

A.6 Personnel

  • Access to production data is restricted to authorised personnel who have agreed to confidentiality obligations.
  • Access is granted on a least-privilege basis and reviewed regularly.

Annex B — Approved Sub-processors

Sub-processorPurposeLocationData
Supabase Inc.Database, authentication, file storageUS / EU (configurable)All tenant and end-user data
Vercel Inc.Application hosting and edge deliveryGlobal (Anycast)Request logs (auto-purged after 30 days), no personal data persisted
Anthropic PBCAI language model inferenceUSChat messages sent to the model for response generation; zero data retention policy applies
Voyage AIText embedding for knowledge searchUSKnowledge source text; chat queries
Resend Inc.Transactional email deliveryUSRecipient email address, email content
Firecrawl (Mendable Inc.)Website scraping for knowledge ingestionUSURLs submitted for scraping; no personal data
Langfuse GmbHLLM observability and tracingEU (Germany)AI model inputs/outputs; traces are pseudonymised by conversation ID
Razorpay Software Pvt. Ltd.Payment processingIndiaBilling contact email; payment metadata (no card data stored by Klovac)
Sentry (Functional Software Inc.)Application error monitoringUSStack traces with PII scrubbed; request metadata

To execute a signed DPA or request a custom addendum, contact legal@klovac.com.