Klari Technologies Limited
Data Processing Agreement
Effective 11 May 2026
This DPA governs the processing of personal data by Klari Technologies Limited (Processor) on behalf of its Customer (Controller) when the Customer uses the Klari product. It is incorporated into the Klari Terms of Service.
1. Subject matter and duration
Klari processes Customer personal data solely to provide the Klari product as described in the Terms of Service, for the duration of the subscription term. Processing ceases on termination subject to a 30-day export window.
2. Nature, purpose, and categories
- Nature of processing: storage, structured retrieval, transformation, and presentation of compliance records (RoPA, DPIA, evidence, audit log, dossiers).
- Purpose:enabling the Customer's Data Protection Officer to maintain NDPA-compliant records and generate regulator-facing artifacts.
- Categories of data subjects:whatever the Customer chooses to enter in its RoPAs / DPIAs (typically the Customer's own customers, employees, and third parties).
- Categories of personal data:the Customer's authorised user identities (email, name, organisation membership) plus any personal data the Customer chooses to record in its compliance documents.
3. Controller and Processor obligations
The Customer (Controller) determines the purposes and means of processing. The Customer warrants that it has a valid lawful basis under NDPA s.25 for instructing Klari to process the personal data in question.
Klari (Processor) will process personal data only on documented instructions from the Customer (the use of the product constitutes such instructions) and will not transfer personal data outside the European Union without the Customer's further written consent, except as described in the sub-processor list at /security.
4. Confidentiality
Klari ensures that personnel authorised to process personal data are bound by confidentiality obligations.
5. Security measures
Klari implements appropriate technical and organisational measures as described at /security, including row-level security on every tenant table, an append-only audit log, private signed storage, and a single mutation chokepoint enforcing authentication and rate limiting.
6. Sub-processors
The Customer authorises Klari to engage the sub-processors listed at /security. Klari will notify the Customer at least 14 days in advance of any addition that materially changes data location or category of access; the Customer may object in writing within that window.
7. Assistance to the Controller
Klari will assist the Customer in fulfilling its obligations to respond to data subject requests, conduct DPIAs, notify breaches, and consult with the NDPC, taking into account the nature of processing and the information available to Klari.
8. Personal data breach notification
Klari will notify the Customer without undue delay (and in any event within 24 hours) after becoming aware of a personal data breach affecting the Customer's data, to enable the Customer to meet the NDPA 72-hour notification clock under s.40.
9. Audit rights
The Customer may, on reasonable notice and no more than once per calendar year, request a written audit response covering Klari's security measures, sub-processors, and relevant policies. On-site audits are available to UHL-tier customers under bespoke terms.
10. Return and deletion
On termination of the subscription, Klari will make the Customer's tenant data available for export for 30 days, after which Klari will delete it in line with retention policies disclosed in the privacy notice. Customer may request earlier deletion in writing.
11. Governing law
This DPA is governed by the laws of the Federal Republic of Nigeria.