Klari Technologies Limited

Data Processing Agreement

Effective 11 May 2026

This DPA governs the processing of personal data by Klari Technologies Limited (Processor) on behalf of its Customer (Controller) when the Customer uses the Klari product. It is incorporated into the Klari Terms of Service.

Draft for review. Customers requiring a signed counterpart should email hello@klari.ng with their preferred amendments; Klari will counter-sign or negotiate as needed.

1. Subject matter and duration

Klari processes Customer personal data solely to provide the Klari product as described in the Terms of Service, for the duration of the subscription term. Processing ceases on termination subject to a 30-day export window.

2. Nature, purpose, and categories

  • Nature of processing: storage, structured retrieval, transformation, and presentation of compliance records (RoPA, DPIA, evidence, audit log, dossiers).
  • Purpose:enabling the Customer's Data Protection Officer to maintain NDPA-compliant records and generate regulator-facing artifacts.
  • Categories of data subjects:whatever the Customer chooses to enter in its RoPAs / DPIAs (typically the Customer's own customers, employees, and third parties).
  • Categories of personal data:the Customer's authorised user identities (email, name, organisation membership) plus any personal data the Customer chooses to record in its compliance documents.

3. Controller and Processor obligations

The Customer (Controller) determines the purposes and means of processing. The Customer warrants that it has a valid lawful basis under NDPA s.25 for instructing Klari to process the personal data in question.

Klari (Processor) will process personal data only on documented instructions from the Customer (the use of the product constitutes such instructions) and will not transfer personal data outside the European Union without the Customer's further written consent, except as described in the sub-processor list at /security.

4. Confidentiality

Klari ensures that personnel authorised to process personal data are bound by confidentiality obligations.

5. Security measures

Klari implements appropriate technical and organisational measures as described at /security, including row-level security on every tenant table, an append-only audit log, private signed storage, and a single mutation chokepoint enforcing authentication and rate limiting.

6. Sub-processors

The Customer authorises Klari to engage the sub-processors listed at /security. Klari will notify the Customer at least 14 days in advance of any addition that materially changes data location or category of access; the Customer may object in writing within that window.

7. Assistance to the Controller

Klari will assist the Customer in fulfilling its obligations to respond to data subject requests, conduct DPIAs, notify breaches, and consult with the NDPC, taking into account the nature of processing and the information available to Klari.

8. Personal data breach notification

Klari will notify the Customer without undue delay (and in any event within 24 hours) after becoming aware of a personal data breach affecting the Customer's data, to enable the Customer to meet the NDPA 72-hour notification clock under s.40.

9. Audit rights

The Customer may, on reasonable notice and no more than once per calendar year, request a written audit response covering Klari's security measures, sub-processors, and relevant policies. On-site audits are available to UHL-tier customers under bespoke terms.

10. Return and deletion

On termination of the subscription, Klari will make the Customer's tenant data available for export for 30 days, after which Klari will delete it in line with retention policies disclosed in the privacy notice. Customer may request earlier deletion in writing.

11. Governing law

This DPA is governed by the laws of the Federal Republic of Nigeria.