This Data Processing Agreement ("DPA") supplements Kloup's Terms of Service and applies whenever Customer's use of the Service involves the processing of personal data subject to GDPR, UK GDPR, LGPD, or other materially equivalent data-protection law (collectively, "Data Protection Laws"). By using the Service, Customer is deemed to have entered into this DPA in addition to the Terms. Signed counterparts (and module-specific Standard Contractual Clauses) are available on request from legal@kloup.com.
1. Definitions
Capitalised terms used but not defined here have the meaning given in the Terms or in Data Protection Laws. "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", "Process / Processing", and "Personal Data Breach" have the meanings given in GDPR Article 4 (or the analogous provision under other Data Protection Laws).
2. Roles and responsibilities
- Customer is the Controller of Personal Data submitted to the Service.
- Kloup is the Processor, acting on Customer's documented instructions (the Terms, this DPA, and Customer's configuration of the Service).
- Customer warrants that it has a lawful basis to submit Personal Data to the Service, has provided required notices to Data Subjects, and has obtained any consents required by Data Protection Laws.
- Kloup processes Personal Data only to provide the Service and as otherwise instructed by Customer in writing, except where Data Protection Laws require otherwise (in which case Kloup will inform Customer first unless prohibited).
3. Subject matter, duration, nature, and purpose
- Subject matter: Processing of Personal Data submitted by Customer to the Service.
- Duration: For the term of Customer's subscription, plus any retention windows required by law.
- Nature and purpose: To provide the fundraising-CRM functionality of the Service, including hosting, transmission, integration with third parties at Customer's direction, and the AI, email, and enrichment features the Customer enables.
4. Categories of Data Subjects and Personal Data
Categories of Data Subjects:
- Customer's authorised users (founders, employees, advisors, board members);
- Customer's contacts (investors, partners, prospects, vendors);
- Attendees of meetings or recipients of emails surfaced via Customer's connected Google integration.
Categories of Personal Data:
- Identifiers: name, email, phone, social profile URLs, profile photos.
- Professional data: employer, role, fund or firm affiliation, investor focus, notes.
- Communication metadata: meeting attendees, calendar invites, email subject lines, send / open / reply timestamps via the Google integration.
- File contents Customer uploads to the data room.
- Authentication metadata (login times, IP, user agent) for security and abuse prevention.
Customer should not submit special-category data (Article 9 GDPR) to the Service unless expressly necessary and lawful. Submission of such data is at Customer's own risk and on Customer's lawful basis.
5. Sub-processors
- Customer authorises Kloup to engage Sub-processors to provide the Service. A current list (with name, country, and processing role) is published in our Security and Privacy pages and available in full under NDA.
- Kloup imposes on each Sub-processor data-protection obligations no less protective than those in this DPA.
- Kloup remains liable to Customer for Sub-processor performance.
- Kloup will notify Customer at least 30 days before adding or replacing any Sub-processor that processes Personal Data ("Sub-processor Change Notice"). Customer may object on reasonable data-protection grounds; if Kloup cannot accommodate the objection, Customer may terminate the affected portion of the Service for convenience and receive a pro-rated refund of pre-paid fees for the unused term.
6. Security measures
Kloup implements and maintains the technical and organisational measures described in our Security page, which Customer confirms are appropriate to protect Personal Data given the nature, scope, context, and purposes of processing and the risk to Data Subjects. Highlights:
- TLS 1.2+ in transit, AES-256 at rest;
- Application-layer encryption of OAuth refresh tokens with envelope encryption;
- Multi-tenant isolation enforced at every API call;
- Internal access restricted to a small group, gated by SSO + hardware key, and audit-logged;
- Mandatory code review, dependency scanning, and CI-only deploys;
- Audit logging of authentication, admin actions, and data-room access;
- Documented incident-response plan with 72-hour notification.
7. Personal Data Breach
Kloup will notify Customer without undue delay and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data, providing the information reasonably required by Customer to meet its own obligations under Data Protection Laws (including GDPR Articles 33 and 34). Kloup will reasonably cooperate with Customer in investigating, mitigating, and remediating the Breach. Notification is not an admission of fault or liability by Kloup.
8. Data Subject requests
Kloup will assist Customer (taking into account the nature of processing and the information available to Kloup) in responding to Data Subject requests for access, correction, deletion, restriction, portability, and objection. Most self-service tooling (export, deletion, role review) is available through the Service. For requests requiring our direct assistance, email privacy@kloup.com.
9. Cooperation with supervisory authorities
Kloup will reasonably cooperate with Customer in responding to legitimate enquiries from supervisory authorities, including providing information necessary to demonstrate compliance and, where applicable, supporting Data Protection Impact Assessments and prior consultations.
10. Hosting location and international transfers
Kloup hosts and processes Personal Data primarily in the United States. Production databases, object storage, and the application workers that read and write Personal Data are hosted on Cloudflare's network with primary storage in the eastern United States. Cloudflare's anycast edge serves cached and static assets from globally distributed nodes; the canonical record of Personal Data lives in the United States.
Some Sub-processors operate in the United States, the European Union, the United Kingdom, or other regions. The current list with countries of processing is published in our Privacy Policy and available in full under NDA.
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not subject to an adequacy decision (including the United States, except where the EU-US Data Privacy Framework or analogous mechanism applies and the receiving Sub-processor is certified), Kloup relies on the European Commission's Standard Contractual Clauses (Module Two, Implementing Decision (EU) 2021/914), incorporated by reference into this DPA, with the optional clause 7 (docking) and clause 11(a) (independent dispute resolution body) at Customer's election. The UK International Data Transfer Addendum (issued by the ICO) applies to transfers from the UK; the Swiss Federal Data Protection and Information Commissioner is the competent authority for transfers from Switzerland, with the SCCs amended accordingly. For transfers subject to LGPD, Kloup relies on the international-transfer mechanisms permitted under Article 33, including standard contractual clauses approved by ANPD.
Kloup has assessed transfer risks (Schrems II) for each destination country and applies supplementary technical measures (encryption in transit and at rest, application-layer envelope encryption of OAuth refresh tokens, minimal-context AI calls under zero-retention agreements, challenge of disproportionate access requests where lawful). A summary Transfer Impact Assessment is available under NDA.
11. Audits and information rights
- Customer may, at its expense and no more than once per 12 months (and additionally as required by a supervisory authority or after a Personal Data Breach), audit Kloup's compliance with this DPA via reasonable written information requests.
- To the extent the audit can be satisfied by existing certifications, audit reports (e.g. SOC 2 Type II), or our security questionnaire, Customer agrees to accept those in lieu of an on-site audit.
- For any on-site audit, the parties will agree on scope, timing, and confidentiality safeguards in advance, and audits will not unreasonably interfere with Kloup's operations or other customers' data.
12. Return and deletion
On request, and at the latest on termination of the subscription, Kloup will (at Customer's election) return Customer's Personal Data via export tooling or delete it. Personal Data is removed from live systems immediately on workspace deletion and from encrypted backups within 35 days, except where retention is required by law (in which case Kloup will continue to protect the data and limit further processing).
13. Confidentiality
Kloup ensures that personnel authorised to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and are trained on data-protection responsibilities.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. Nothing in this DPA limits liability that cannot be limited under Data Protection Laws (including liability to Data Subjects).
15. Order of precedence
In the event of a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA controls. Where this DPA conflicts with the Standard Contractual Clauses, the SCCs control.
16. Contact
- DPA, privacy, or supervisory enquiries: privacy@kloup.com
- Data Protection Officer: dpo@kloup.com
- Security incidents: security@kloup.com