Data Processing Agreement

Last updated: December 31, 2025

This Data Processing Agreement ("DPA") forms part of the Agreement between KlusAI Labs SRL ("KlusAI", "Processor"), a company registered in Cluj-Napoca, Romania, and the Customer ("Controller") and governs the processing of personal data by KlusAI on behalf of the Customer.

EU-Based Processor: Because KlusAI is an EU-established company, your data is processed within EU jurisdiction. No transatlantic data transfers, no US CLOUD Act exposure.

Enterprise Customers: To execute a customized DPA for your organization, please contact [email protected].

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR
  • "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by KlusAI to process Personal Data
  • "Supervisory Authority" means the Romanian Data Protection Authority (ANSPDCP) or other competent EU supervisory authority

2. Scope of Processing

KlusAI will process Personal Data only:

  • In accordance with the Customer's documented instructions
  • For the purpose of providing the agreed services
  • In compliance with the GDPR and applicable Romanian and EU data protection laws
  • Within the European Union, unless otherwise agreed in writing

3. Customer Obligations

The Customer warrants that:

  • It has a lawful basis for processing the Personal Data under Article 6 GDPR
  • It has provided appropriate notices to Data Subjects under Articles 13 and 14 GDPR
  • The processing instructions comply with applicable laws
  • It will not submit special categories of data (Article 9 GDPR) without prior agreement

4. KlusAI Obligations

KlusAI agrees to:

  • Process Personal Data only on documented instructions from the Customer (Article 28(3)(a) GDPR)
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (Article 32 GDPR)
  • Assist the Customer in responding to Data Subject requests (Articles 15-22 GDPR)
  • Delete or return Personal Data upon termination of services
  • Make available information necessary for compliance audits

5. Security Measures

KlusAI implements comprehensive security measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and multi-factor authentication
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
  • Business continuity and disaster recovery
  • Employee security training

KlusAI maintains ISO 27001 certification for information security management. See our Security page for details.

6. Sub-processors

The Customer authorizes KlusAI to engage Sub-processors subject to:

  • Written contracts imposing equivalent data protection obligations
  • Prior notice of new Sub-processors with opportunity to object
  • KlusAI remaining liable for Sub-processor compliance
  • Sub-processors being EU-based or subject to appropriate safeguards

A current list of Sub-processors is available upon request.

7. International Transfers

As an EU-based processor, KlusAI processes Personal Data within the European Union by default. Personal Data may be transferred outside the EEA only with appropriate safeguards:

  • Standard Contractual Clauses (EU Commission Decision 2021/914)
  • Adequacy decisions where applicable
  • Binding Corporate Rules where applicable
  • Explicit consent of the Data Subject for specific transfers

8. Data Subject Rights

KlusAI will assist the Customer in responding to Data Subject requests under Articles 15-22 GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

9. Data Breach Notification

KlusAI will notify the Customer without undue delay (and within 48 hours where feasible) upon becoming aware of a Personal Data breach, in accordance with Article 33 GDPR, including:

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10. Audit Rights

Upon reasonable notice, KlusAI will make available:

  • Documentation demonstrating compliance with this DPA and Article 28 GDPR
  • ISO 27001 audit reports and certificates
  • Responses to security questionnaires
  • On-site audits (subject to reasonable scope, timing, and confidentiality requirements)

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • KlusAI will delete or return Personal Data within 30 days, at the Customer's choice
  • Deletion will be certified upon request
  • Backup retention is subject to technical requirements (maximum 90 days)

12. Governing Law and Supervisory Authority

This DPA is governed by the laws of Romania. For GDPR-related matters, the competent supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Website: www.dataprotection.ro

Where the Customer is established in another EU Member State, the Customer's lead supervisory authority shall also have competence for matters relating to the Customer's obligations.

13. Contact

For DPA-related inquiries, contact us at [email protected].

KlusAI Labs SRL
Cluj-Napoca, Romania