Legal
Data Processing Agreement
This DPA forms part of the Terms of Service and applies to the extent Klynk processes personal data on the Customer's behalf.
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Klynk Technologies Inc. (“Klynk”, the “Processor”) and the Customer (the “Controller”), and applies to the extent Klynk processes personal data on the Customer’s behalf that is subject to data-protection laws such as the GDPR, UK GDPR, or CCPA/CPRA (“Data Protection Laws”).
1. Roles and scope
- The Customer is the controller of the personal data it and its users submit to the Service (“Customer Personal Data”); Klynk is the processor.
- For data about the Customer’s own account users (logins, roles, audit logs), Klynk acts as an independent controller as described in the Privacy Policy.
- Details of processing are set out in Annex 1; security measures in Annex 2; authorized subprocessors in the Subprocessor List.
2. Processing instructions
Klynk will process Customer Personal Data only:
- to provide, maintain, and support the Service as described in the Terms and product documentation (including email synchronization, ticket creation, AI-assisted features, automations, data imports, and email sending);
- per the Customer’s configuration and its users’ actions in the Service, which constitute documented instructions; and
- as required by applicable law, in which case Klynk will inform the Customer unless legally prohibited.
Klynk will not sell Customer Personal Data, nor retain, use, or disclose it for any purpose other than providing the Service (including the CCPA meaning of “sell”/“share”).
3. Confidentiality
Klynk ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations, and that access is limited to what is needed to operate and support the Service. Platform-staff access to a tenant workspace occurs only for support and data-migration purposes and is recorded in an audit trail available to the Customer on request.
4. Security
Klynk implements appropriate technical and organizational measures described in Annex 2, including encryption in transit and at rest, per-tenant row-level isolation, least-privilege access, and audit logging. Klynk may update these measures provided the overall level of protection is not reduced.
5. Subprocessors
- The Customer authorizes the subprocessors in the Subprocessor List.
- Klynk will bind each subprocessor to data-protection obligations materially equivalent to this DPA and remains liable for their performance.
- Klynk will update the Subprocessor List before adding or replacing a subprocessor and will provide notice (via the list page and/or email to account owners) at least 14 days before the new subprocessor processes Customer Personal Data. The Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the affected service and receive a pro-rata refund of prepaid fees.
6. Data subject requests
Taking into account the nature of the processing, Klynk will assist the Customer with appropriate technical and organizational measures to respond to data-subject requests (access, correction, deletion, export, restriction). If a data subject contacts Klynk directly about data controlled by the Customer, Klynk will refer the request to the Customer without undue delay.
7. Personal data breach
Klynk will notify the Customer without undue delay, and no later than 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own notification obligations, cooperating in the investigation and remediation.
8. Data protection impact assessments
Klynk will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent the required information is available to Klynk.
9. Deletion and return
- During the term, the Customer can delete Customer Personal Data through the Service.
- Upon termination, and following the 30-day wind-down in the Terms, Klynk will delete Customer Personal Data from active systems (and from backups on the normal rotation schedule), except where retention is required by law. Before deletion, the Customer may export its data via the Service’s export features or by written request.
10. Audits
Klynk will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audits or certifications of its infrastructure providers. Where Data Protection Laws grant the Customer an audit right, it may be exercised no more than once per 12 months, on 30 days’ notice, during business hours, without disrupting the Service, and subject to confidentiality.
11. International transfers
Klynk processes Customer Personal Data in the United States. Where Customer Personal Data protected by EU/UK Data Protection Laws is transferred to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller → processor) and the UK Addendum, which are incorporated by reference, with the details in Annex 1 and the security measures in Annex 2 completing the clauses.
12. Liability
Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service, except where Data Protection Laws do not permit such limitation.
Annex 1 — Details of processing
- Subject matter: provision of the Klynk CRM and support platform.
- Duration: the term of the Customer’s subscription plus the wind-down period.
- Nature and purposes: hosting and storage; email synchronization and sending; ticket and record management; AI-assisted classification, drafting and search; automation workflows; bulk data import; reporting; support.
- Categories of data subjects: the Customer’s clients and prospects (including insurance policyholders), the Customer’s agents and broker contacts, and the Customer’s staff who appear in business records.
- Categories of personal data: identification and contact data (name, email, phone, postal address), date of birth, professional data (license numbers and expiry dates, employer), insurance policy data (policy numbers, premiums, dates, status, documents), communications (email content and attachments, support tickets, notes), marketing preferences and consent records.
- Special categories: the Service is not designed for special-category data; however, email content and documents submitted by the Customer may incidentally contain such data (e.g. health information in an insurance context). The Customer is responsible for ensuring a lawful basis.
- Frequency: continuous, for the duration of the subscription.
Annex 2 — Technical and organizational measures
- Encryption: TLS 1.2+ in transit; encryption at rest for databases and file storage.
- Tenant isolation: every database query is scoped to the requesting tenant through enforced row-level security policies; file storage paths are tenant-scoped with matching access policies.
- Access control: role-based access within tenants; least-privilege service credentials; platform-staff access to tenant data restricted to support/migration purposes and fully audit-logged (who, when, what changed).
- Authentication: hashed passwords, short-lived session tokens; OAuth (never password storage) for connected mailboxes.
- Email infrastructure: mailbox access via revocable OAuth grants through Nylas; sending through authenticated, signed (DKIM) domains.
- AI processing: performed via API providers contractually prohibited from training on customer content; AI usage is logged.
- Availability and resilience: managed cloud infrastructure with backups; background jobs are idempotent and checkpointed.
- Data minimization in migration: bulk import staging files are deleted automatically after import completion or cancellation.
- Secure development: code review, automated test suites, dependency updates, and static analysis as part of the engineering process.
- Personnel: confidentiality obligations; access revoked on role change or departure.
Annex 3 — Authorized subprocessors
See the maintained Subprocessor List.
Run insurance distribution from one connected platform.
See how Klynk connects MGA operations, broker CRM, marketplace discovery, workflows, and AI-assisted service in one operating system.