K
KlyoChat

Data Processing Agreement

Last updated: May 1, 2026

This Data Processing Agreement ("DPA") is entered into between Pointerflow LLC ("KlyoChat", the "Processor") and the customer ("Controller") using the KlyoChat platform. This DPA forms part of the KlyoChat Terms of Service.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data
  • Controller: The customer who determines purposes and means of Processing
  • Processor: KlyoChat, who processes data on behalf of the Controller
  • GDPR: EU General Data Protection Regulation 2016/679

2. Processing details

Subject matter: Provision of the KlyoChat messaging automation platform

Duration: For the term of the subscription agreement

Nature and purpose: Storing and processing subscriber data to deliver messaging automation services

Types of personal data: Names, email addresses, phone numbers, social media IDs, custom fields

Categories of data subjects: The Controller's customers, subscribers, and contacts

3. Controller obligations

The Controller agrees to:

  • Have a lawful basis for processing under GDPR
  • Obtain necessary consents from data subjects
  • Provide data subjects with required privacy notices
  • Ensure data is accurate and kept up to date
  • Not instruct KlyoChat to process data unlawfully

4. Processor obligations

KlyoChat agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure authorized personnel are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all Personal Data upon termination
  • Provide information necessary to demonstrate compliance
  • Notify the Controller within 72 hours of becoming aware of a data breach

5. Sub-processors

KlyoChat uses the following sub-processors:

  • Amazon Web Services (infrastructure, US and EU regions)
  • Stripe (payment processing)
  • Postmark (transactional email)
  • OpenAI (AI features — data is not used for training)

We will notify Controllers of any new sub-processors 30 days in advance. Controllers may object; if we cannot accommodate the objection, the Controller may terminate.

6. International transfers

Where Personal Data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Copies available on request.

7. Audit rights

Controllers may request audit information to demonstrate compliance. Audits are conducted at the Controller's expense with 30 days notice, no more than once annually.

8. Contact

DPA inquiries and signed DPAs for enterprise customers:
dpo@klyochat.com