1. Parties and how this agreement is entered into
This Data Processing Agreement is between you, the customer, as controller, and Klaver Solutions, as processor, for the Customer Personal Data that you send through the Chernion API. It forms part of the Terms of Service and takes effect when you accept the Terms of Service or begin using the service to process Customer Personal Data. Where you act as a processor for your own customers, you enter this agreement as their sub processor authorisation chain allows, and the same terms apply between us.
2. Definitions
Terms such as controller, processor, sub processor, personal data, processing, data subject, and personal data breach have the meaning given in the General Data Protection Regulation. Customer Personal Data means personal data contained in the content you send to the API and in the responses generated from it, processed by us on your behalf.
3. Roles of the parties
You are the controller and decide the purposes and means of processing Customer Personal Data. We are the processor and process it only to provide the service and on your documented instructions. For the account, billing, and security data described in the Privacy Policy, we act as a controller, and that data is outside this agreement.
4. Processing on your instructions
We process Customer Personal Data only on your documented instructions, including about international transfers, unless the law requires otherwise, in which case we will tell you before processing where the law allows. Your instructions are this agreement, the Terms of Service, and your configuration and use of the service. We will tell you if, in our opinion, an instruction breaks data protection law.
5. Our obligations as processor
In line with Article 28 of the General Data Protection Regulation, we will:
- Process Customer Personal Data only as set out in section 4.
- Make sure the people we authorise to process it are bound by a duty of confidentiality.
- Take the security measures described in section 8.
- Respect the conditions in section 6 for engaging sub processors.
- Help you, by appropriate technical and organisational measures and so far as possible, to respond to requests from data subjects exercising their rights.
- Help you meet your duties on security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to us.
- Delete or return Customer Personal Data as set out in section 11.
- Make available the information reasonably needed to show compliance with Article 28, as set out in section 12.
6. Sub processors
You give general authorisation for us to engage sub processors to process Customer Personal Data. Our current sub processors, including the upstream model providers that receive request content, are listed on the Sub processor list at the slug /subprocessors. We impose data protection obligations on each sub processor that are no less protective than this agreement, and we remain responsible for their performance.
We will give reasonable notice of an intended change of sub processor, by updating the Sub processor list or by another reasonable means, so you can object. If you reasonably object on data protection grounds, we will work with you in good faith to find a solution, and if we cannot, you may stop using the part of the service that needs the new sub processor and, for that part, terminate as set out in the Terms of Service.
7. International transfers
Where processing of Customer Personal Data involves a transfer outside the European Economic Area, we rely on a lawful transfer mechanism, such as an adequacy decision or the European Commission's standard contractual clauses with any extra safeguards needed. By using the service to reach a model run outside the European Economic Area, you instruct us to make the transfer needed to provide that model.
8. Security measures
We maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, taking into account the state of the art, the costs, and the risks. These include encryption of data in transit, access controls and authentication, network and rate limit protections, secure handling of credentials, and logging and monitoring appropriate to the risk. We may update measures over time, provided protection is not reduced.
9. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and we will give you the information reasonably available to help you meet your own notification duties to authorities and data subjects. We will take reasonable steps to contain and remedy the breach.
10. Assistance
Taking into account the nature of processing, we will help you, by appropriate measures and so far as possible, to respond to data subject requests, and to meet your duties on security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority. If a data subject contacts us directly about Customer Personal Data, we will refer them to you where appropriate.
11. Return or deletion on termination
On termination of the service, or at your request, we will delete Customer Personal Data we hold on your behalf, and existing copies, unless the law requires us to keep it, in which case we will keep it only as the law requires and keep it protected. Stored conversations and remembered facts can be deleted by you in the product at any time. The metering records we keep for billing and security do not contain the body of request content.
12. Records and audits
We will make available the information reasonably needed to show compliance with Article 28, and we will allow and contribute to audits, including inspections, conducted by you or an auditor you mandate. To protect the security and confidentiality of the service and of other customers, audits follow reasonable notice, frequency, scope, and confidentiality conditions, and we may satisfy an audit request with up to date documentation or a third party report where one is available.
13. Liability and order of precedence
Each party's liability under this agreement is subject to the limitations and exclusions in the Terms of Service. If there is a conflict between this agreement and the rest of the Terms of Service about the processing of Customer Personal Data, this agreement controls for that subject.
14. Governing law
This agreement is governed by the laws of the Netherlands, and disputes are subject to the forum set out in the Terms of Service.
Annex 1. Details of the processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Chernion AI gateway service to the controller |
| Duration | For as long as the controller uses the service to process Customer Personal Data, plus any short wind down for deletion |
| Nature and purpose | Receiving request content, routing it to the selected upstream model provider, returning the generated response, and, where the controller uses memory, storing conversation threads and facts |
| Types of personal data | Any personal data the controller or its end users include in prompts, messages, files, instructions, stored conversations, and remembered facts. The controller decides what is included |
| Categories of data subjects | The controller's users, customers, and any individuals referenced in the content the controller sends. The controller decides who these are |
Annex 2. Security measures
The technical and organisational measures are those described in section 8, including encryption of data in transit, access controls and authentication, optional two factor authentication for accounts, secure credential handling with keys stored only as hashes, network and rate limit protections, and logging and monitoring appropriate to the risk.
Annex 3. Approved sub processors
The current list of approved sub processors is maintained on the Sub processor list at the slug /subprocessors and is incorporated into this agreement by reference.