Data Processing Agreement (DPA)
Last updated: May 26, 2026
This DPA is automatically accepted ("clickwrap") upon registering with Klibio and subscribing to a plan. It is publicly published and updated when conditions change. If you process data as Klibio's sub-processor, this DPA governs that relationship.
1. Subject and Duration
This agreement governs the processing of personal data by Klibio (processor) on behalf of the customer (controller) for the provision of employee onboarding and offboarding management services. The term equals the active subscription.
2. Nature and Purpose of Processing
- Management of employee onboarding processes.
- Management of employee offboarding and access revocation.
- Traceability record (audit log) of relevant actions.
- Employee portal for process participation.
3. Categories of Data and Data Subjects
Personal data of the controller's current and former employees (name, email, role, dates, application access, action history). Ordinary data; special category data must not be introduced.
4. Klibio's Obligations as Processor
- Process data only according to documented instructions from the controller.
- Ensure confidentiality of personnel with data access.
- Implement appropriate technical and organisational security measures (Art. 32 GDPR).
- Notify the controller of any security breach within 72 hours.
- Assist the controller in handling data subject rights requests.
- Delete or return data at contract termination, as requested by the controller.
- Provide the controller with information necessary for compliance audits.
5. Sub-processors
Klibio authorises the use of sub-processors listed in the Privacy Policy. Any changes will be notified at least 30 days in advance. The controller may object to a change with justified cause.
6. International Transfers
Data is stored in the EU. Transfers to sub-processors outside the EU (Stripe, Sentry) are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Security Measures
- AES-256 encryption for sensitive personal data at rest.
- TLS 1.3 for all data in transit.
- Role-based access control with least-privilege principle.
- Immutable audit log of all relevant operations.
- Encrypted backups with 30-day retention.
- Servers within the EU (eu-central-1).
8. Contact
For any question related to this DPA: privacidad@klibio.eu