
Data Processing Agreement

The processor terms for Keldio Tenants using the platform to process Customer Personal Data, including workspace data, member data, integrations, webhooks, automations, and agent activity.

Keldio Data Processing Agreement

Last updated: 27 May 2026. Effective date: 27 May 2026. Document version: 1.1.

This Data Processing Agreement forms part of the Keldio Platform Terms of Service and governs Keldio's processing of Customer Personal Data on behalf of Tenants. It is intended for business customers using Keldio to operate websites, funnels, CRM, email, checkout, member portals, automations, integrations, APIs, MCP tools, AI agents, and related business operations.

This DPA is not legal advice to Tenants. Tenants are responsible for obtaining their own legal, privacy, tax, marketing, and professional advice for their own business and End-User relationships.

1. Parties and effective date

This Data Processing Agreement (the "DPA") is entered into between:

  1. Barriere Brekers B.V., trading as Keldio, a private limited company organised under the laws of the Netherlands, registered with the Dutch Chamber of Commerce (*Kamer van Koophandel*) under number 94316813, having its registered office at Groene Woud 60, 4834BC Breda, Noord Brabant, the Netherlands ("Keldio", "Processor"); and
  2. The customer entity identified in the Order Form, the checkout acceptance, or the in-app acceptance event for the Keldio platform ("Tenant", "Customer", "Controller").

This DPA is effective on the earlier of: (a) the date the Tenant accepts the Keldio Platform Terms of Service in respect of the Workspace; (b) the date Keldio first processes Personal Data on the Tenant's behalf; or (c) the effective date of an Order Form that incorporates this DPA.

This DPA forms an integral part of, and is governed by, the Keldio Platform Terms of Service (the "Platform Terms"). Capitalised terms not defined here have the meaning given in the Platform Terms.

---

2. Definitions

For the purposes of this DPA:

  • "Affiliate" means, with respect to a party, any entity that controls, is controlled by, or is under common control with that party.
  • "Controller" has the meaning given in Article 4(7) GDPR. The Tenant is generally the Controller of Customer Personal Data.
  • "Customer Personal Data" means Personal Data within Customer Data (as defined in the Platform Terms) that is processed by Keldio on the Tenant's behalf in providing the Services.
  • "Customer Personal Data Export" means an export, disclosure, onward transfer, download, webhook delivery, API response, MCP tool response, or other movement of Customer Personal Data from Keldio-controlled infrastructure to the Tenant, an Admin User, an Agent, a Tenant-Configured Provider, or a Tenant-controlled destination.
  • "Legal Acceptance Event" means the technical record by which Keldio records the Tenant's clickwrap, electronic signature, order-form acceptance, or other documented acceptance of this DPA and related legal documents.
  • "Data Privacy Framework" or "DPF" means the EU–US Data Privacy Framework, the UK Extension to the EU–US DPF, and the Swiss–US DPF, as in force from time to time, including any successor frameworks.
  • "Data Subject" has the meaning given in Article 4(1) GDPR. In Keldio's context, Data Subjects are typically the Tenant's End-Users (Members, contacts, leads, attendees, booking guests, support contacts, etc.) and, where applicable, the Tenant's Admin Users.
  • "Data Subject Request" means a request from a Data Subject to exercise rights under Articles 12–22 GDPR (or equivalent under another applicable data-protection law), including rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making.
  • "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: the GDPR; the UK GDPR and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (FADP); the Dutch Implementing Act (*Uitvoeringswet AVG*); the ePrivacy Directive 2002/58/EC and the Dutch Telecommunications Act; the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and any equivalent US state laws; and any other privacy or data-protection law applicable to the Tenant's processing.
  • "EEA" means the European Economic Area.
  • "Keldio Subprocessor" means a Subprocessor engaged by Keldio on Keldio's account to process Customer Personal Data on Keldio's behalf in providing the Services. Annex C and the published Subprocessor List identify the current Keldio Subprocessors and related provider-role notes.
  • "Member Data" has the meaning given in the Platform Terms — Personal Data of End-Users generated by Member Portal use (lesson progress, community posts, RSVPs, login activity, support threads).
  • "Personal Data" has the meaning given in Article 4(1) GDPR.
  • "Personal Data Breach" has the meaning given in Article 4(12) GDPR.
  • "Processing" has the meaning given in Article 4(2) GDPR. "Process" and "Processed" are construed accordingly.
  • "Processor" has the meaning given in Article 4(8) GDPR.
  • "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or any successor clauses adopted by the European Commission).
  • "Services" means the Keldio platform Services as defined in the Platform Terms, including the Admin App, Member Portal, public storefront surfaces, MCP server, REST API, webhooks, automations, integrations, and supporting infrastructure.
  • "Special Category Data" means Personal Data within the categories listed in Article 9(1) GDPR (and equivalent under Dutch or other applicable law), and Personal Data relating to criminal convictions and offences within Article 10 GDPR.
  • "Service Provider / Contractor" has the meaning given under the CCPA/CPRA and similar US state privacy laws. Where such laws apply, Keldio acts as a Service Provider or Contractor in respect of Customer Personal Data and does not sell or share Customer Personal Data as those terms are defined under the CCPA/CPRA.
  • "Subprocessor" means any third party (including a Keldio Affiliate) engaged by Keldio to Process Customer Personal Data on Keldio's behalf in providing the Services.
  • "Supervisory Authority" has the meaning given in Article 4(21) GDPR. The competent Supervisory Authority for Tenants resident in the Netherlands is the Autoriteit Persoonsgegevens (AP).
  • "TOMs" means technical and organisational measures within the meaning of Article 32 GDPR. The current TOMs are described in Annex B.
  • "Tenant-Configured Provider" means a Third-Party Service for which the Tenant has supplied Tenant-Provided Credentials or selected a Tenant-controlled provider relationship (e.g. Mailgun, Mollie, Stripe Connect, Cloudflare Stream in BYO mode, Meta CAPI, TikTok Events, Google Ads). Tenant-Configured Providers Process Personal Data on the Tenant's account under the Tenant's contract with the Provider; they are not Keldio Subprocessors for purposes of this DPA, although Keldio is the conduit through which Tenant configures and uses them. The same provider may be a Keldio Subprocessor for one Keldio-controlled flow and a Tenant-Configured Provider for another Tenant-controlled flow.
  • "Third Country" means a country outside the EEA, the United Kingdom, and Switzerland that has not been recognised by the European Commission (or, for UK transfers, the UK Government) as providing an adequate level of protection for Personal Data.
  • "Transfer" means a transfer (including onward transfer) of Personal Data subject to the cross-border-transfer restrictions in Chapter V GDPR.

Terms not defined in this DPA or the Platform Terms have the meaning given in the GDPR.

---

3. Subject matter, scope, nature, purpose, duration, and roles

3.1 Roles

  • The Tenant is the Controller of Customer Personal Data.
  • Keldio is the Processor of Customer Personal Data, processing it on the Tenant's documented instructions in accordance with this DPA and the Platform Terms.
  • For a narrow set of operational data (set out in §3.5), Keldio acts as an independent Controller.
  • Where applicable Data Protection Law treats the Tenant and Keldio as joint controllers in respect of a particular processing operation (the parties do not currently anticipate this), the parties will negotiate a joint-controller arrangement under Article 26 GDPR before carrying out that joint-controller processing, unless the processing is required by law.
  • Where the Tenant itself acts as a processor on behalf of one of its own clients, the Tenant warrants that it has authority from that client to appoint Keldio as a subprocessor and to give Keldio the instructions set out in this DPA.

3.2 Subject matter and nature of processing

Keldio Processes Customer Personal Data to provide the Services as described in the Platform Terms — operating the Tenant's Workspace, hosting the Tenant's content and the Tenant's End-User-facing surfaces, sending communications on the Tenant's authority, executing automations, supporting the Tenant, securing the platform, and complying with law.

A detailed description of the processing (subject matter, categories of Data Subjects, categories of Personal Data, processing operations) is set out in Annex A. Keldio-specific processing flows (Member Portal, Ad-pixel server-side, MCP/Agents, Webhooks, Custom Domains) are described in Annexes E, F, and G.

3.3 Duration

This DPA applies for the duration of the Platform Terms and continues to apply to Customer Personal Data Keldio Processes until that data is deleted or returned in accordance with §13. Provisions that by their nature survive termination (including confidentiality, liability, audit assistance for completed processing, and dispute resolution) survive accordingly.

3.4 Purpose

Keldio Processes Customer Personal Data for the purpose of providing the Services to the Tenant under the Platform Terms, and for no other purpose, except where Keldio acts as independent Controller per §3.5 or where required by Union or Member-State law to which Keldio is subject.

3.5 Keldio as independent Controller

Notwithstanding §3.1–§3.4, Keldio acts as an independent Controller (not as Processor on the Tenant's behalf) in respect of the following limited purposes:

  • (a) operating the contractual relationship with the Tenant, including signup, identity verification of the Tenant's owner and Admin Users, billing, invoicing, taxation, debt recovery, and accounting;
  • (a1) provisioning, activating, administering, verifying, securing, suspending, and terminating Tenant Workspaces, including processing owner/admin identity, owner email, billing contact details, workspace identifiers, legal acceptance records, plan/trial/subscription state, login and magic-link records, support access records, and account-control metadata;
  • (b) preventing, detecting, investigating, and responding to fraud, abuse, security incidents, and breaches of the Platform Terms, Acceptable Use Policy, or Data Protection Laws;
  • (c) maintaining audit logs (including platform_audit_log, agent_invocations, webhook_deliveries, and equivalent operational logs) for the integrity, troubleshooting, and security of the Services;
  • (d) generating aggregated and de-identified analytics and metrics about platform usage and performance;
  • (e) complying with Keldio's own legal, tax, accounting, and regulatory obligations;
  • (f) defending and pursuing legal claims;
  • (g) communicating with Admin Users about Service updates, security notices, and (with appropriate lawful basis) marketing.

For these controller purposes Keldio's processing is governed by Keldio's Privacy Policy, not by this DPA.

3.6 Categories of Data Subjects and Personal Data

See Annex A. In summary, Data Subjects include the Tenant's End-Users (Members, contacts, leads, attendees, booking guests, contact-form submitters, course students, community participants, webinar registrants, support correspondents, recipients of Tenant communications) and the Tenant's Admin Users. Categories of Personal Data include identification data (name, email, phone), behavioural and engagement data (page views, opt-ins, purchases, click identifiers), commercial data (orders, invoices, payment metadata), content authored or uploaded by Tenants and End-Users (community posts, lesson progress, support threads), and technical data (IP, user agent, device).

---

4. Tenant's obligations as Controller

4.1 Lawful basis and notices

The Tenant warrants and undertakes that, with respect to all Customer Personal Data the Tenant uploads, imports, generates, or directs Keldio to Process:

  • (a) the Tenant has a valid lawful basis under Article 6 GDPR (and, for Special Category Data, Article 9(2));
  • (b) where required, the Tenant has obtained valid, freely given, specific, informed, and unambiguous consent from each Data Subject, and maintains records sufficient to demonstrate consent on demand from a Supervisory Authority;
  • (c) the Tenant has provided each Data Subject with the information required by Articles 13 and 14 GDPR, including identifying Keldio (and its Subprocessors) as a processor where the Tenant's privacy notice references its data-processing arrangements;
  • (d) the Tenant's End-User-facing privacy notice, terms, and consent flows are accurate, current, and consistent with the processing the Tenant is in fact directing through the Services;
  • (e) the Tenant has obtained any consents required for transfers, ad-pixel server-side processing, behavioural marketing, profiling, and any cookies or similar technologies the Tenant deploys via the Services.

4.2 Quality of instructions

The Tenant is responsible for the legality, accuracy, quality, and integrity of:

  • (a) the Customer Personal Data the Tenant supplies or directs to be Processed;
  • (b) the configuration of the Workspace, including the configuration of automations, integrations, segmentation, ad-pixel server-side events, retention rules, and access controls;
  • (c) the credentials issued under the Workspace and the parties to whom they are issued; and
  • (d) the accuracy and authority of Workspace owner records, admin assignments, legal acceptance events, provisioning requests, API-created accounts, and account-control changes submitted by or on behalf of the Tenant.

The Tenant is responsible for the legality, accuracy, authority, and proportionality of access-control instructions, including owner/admin/support/member assignments, team invitations, API-key scopes, MCP-key scopes, agent credentials, support-access requests, and instructions sent through Admin Users, API clients, MCP clients, automations, or connected agents. Keldio may rely on authenticated access-control instructions unless Keldio has actual knowledge that the instruction is unlawful, unauthorised, technically unsafe, or conflicts with another binding instruction.

4.3 Agency, reseller, and processor-chain use

If the Tenant is an agency, consultant, reseller, implementation partner, or other service provider using Keldio for or on behalf of one of the Tenant's clients, the Tenant is solely responsible for ensuring that: (a) the Tenant has authority to upload, configure, access, and Process the relevant Personal Data in Keldio; (b) the Tenant's contract with its client authorises Keldio as a subprocessor or downstream provider where required; (c) the Tenant's client receives all required notices about Keldio and Keldio Subprocessors; and (d) instructions given to Keldio are consistent with the Tenant's instructions from its own client. Keldio is not required to verify the Tenant's authority vis-à-vis the Tenant's client unless Keldio has actual knowledge of a dispute or illegality.

4.4 Tenant-Configured Providers

The Tenant is the Controller for Personal Data the Tenant directs Keldio to transmit to a Tenant-Configured Provider (e.g. via Mailgun for email delivery, Mollie/Stripe for payments, Bundle.social for social publishing, Meta CAPI / TikTok Events / Google Ads for ad-conversion events, Cloudflare Stream in BYO mode for video). The relationship between the Tenant and each such Provider is governed by the Tenant's contract with the Provider and the Provider's own data-processing terms; Keldio is not party to that relationship and is not a joint controller in respect of it.

4.5 Special Category Data

The Tenant must not upload, generate, or direct Keldio to Process Special Category Data unless: (a) the Tenant has a lawful basis under Article 9(2) GDPR; (b) the Tenant has notified Keldio in advance and Keldio has confirmed in writing that the relevant Service module is appropriate for that data; and (c) any additional safeguards required by Data Protection Law have been implemented. Sectors that typically generate Special Category Data (medical, mental-health, religious, political, biometric, sexual-orientation) are subject to the regulated-industries clause in the Platform Terms.

4.6 Members and minors

Where the Tenant operates a Member Portal accessible to Members, the Tenant is the Controller for Member Data. The Tenant warrants that the Tenant will not knowingly use the Services to Process Personal Data of children under the age threshold applicable to the relevant Data Subject (16 under Article 8 GDPR, or such lower age of not less than 13 as the relevant Member State has set; 13 in the United States) without verified parental or guardian consent in compliance with Article 8 GDPR or other applicable law.

4.7 Compliance with Data Protection Laws

The Tenant complies with all Data Protection Laws applicable to the Tenant's processing through the Services, including conducting Data Protection Impact Assessments where required (Article 35 GDPR), maintaining its own Article 30 records, designating a Data Protection Officer where required, and notifying its competent Supervisory Authority and Data Subjects in accordance with Articles 33–34 GDPR for breaches that affect the Tenant's controller responsibilities.

4.8 Indemnity for controller-side breach

The Tenant shall indemnify Keldio for losses, fines, regulatory penalties, and third-party claims arising from the Tenant's breach of §4.1–§4.10 or from any inaccuracy in the warranties given in this §4. The indemnity is in addition to (not in derogation of) the indemnity in the Platform Terms.

4.9 ePrivacy, cookies, pixels, and communications

The Tenant is responsible for complying with the ePrivacy Directive, Dutch Telecommunications Act, CAN-SPAM, CASL, PECR, and equivalent marketing, cookie, and electronic-communications rules applicable to the Tenant's use of the Services. This includes configuring cookie banners, consent mode, tracking pixels, email permissions, unsubscribe handling, list-unsubscribe headers, sender identity, and suppression rules. Keldio may provide tools, but the Tenant remains responsible for whether those tools are configured lawfully for the Tenant's audience and jurisdiction.

4.10 Automated decision-making and profiling

The Tenant is responsible for assessing whether any segmentation, lead scoring, AI-assisted recommendation, automation, denial of access, pricing treatment, or other workflow configured by the Tenant constitutes profiling or automated decision-making under Article 22 GDPR or equivalent law. Keldio does not intentionally provide tools for decisions producing legal or similarly significant effects without meaningful human involvement; if the Tenant uses the Services in that way, the Tenant must implement the notices, safeguards, human review, and lawful basis required by Data Protection Laws.

---

5. Keldio's obligations as Processor

5.1 Documented instructions

Keldio Processes Customer Personal Data only on the Tenant's documented instructions, except where required by Union or Member-State law to which Keldio is subject. The Tenant's instructions consist of:

  • (a) the Platform Terms and this DPA, which constitute the Tenant's standing instructions;
  • (b) the Tenant's configuration of the Workspace, which constitutes operational instructions for ongoing Processing (the "configuration-as-instruction" doctrine — i.e. when the Tenant adds a contact, builds a Workflow, schedules a campaign, configures an ad-pixel, or invokes an MCP tool, the Tenant is instructing Keldio to Process accordingly);
  • (c) the Tenant's actions in the Admin App, REST API, MCP, and Workspace settings;
  • (d) instructions delivered through Keldio's documented support channels by an Admin User or owner of the Tenant; and
  • (e) provisioning and onboarding actions initiated through checkout, order forms, API provisioning, authorised Keldio admin actions, or support-assisted setup, to the extent those actions create or configure a Workspace on the Tenant's behalf.

If Keldio is required by law to Process Customer Personal Data otherwise than on the Tenant's instructions, Keldio will inform the Tenant of that legal requirement before Processing, unless the law prohibits doing so on important grounds of public interest.

5.2 Notice of unlawful instructions

If, in Keldio's opinion, an instruction infringes Data Protection Laws, this DPA, or the Platform Terms, Keldio will inform the Tenant without undue delay. Keldio is not required to comply with such an instruction.

5.3 Compliance with Data Protection Laws

Keldio complies with the Data Protection Laws applicable to a Processor in providing the Services.

5.4 Confidentiality of personnel

Keldio ensures that persons authorised to Process Customer Personal Data (including Keldio personnel and contractors with access to Workspaces) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5 Access discipline

Keldio limits access to Customer Personal Data to personnel and authorised operational accounts with a legitimate need to access it for purposes of providing the Services, support, troubleshooting, migration, billing, security, abuse investigation, compliance, or protection of the Services. Keldio uses need-to-know discipline, role-based access practices, and audit logging of support/admin access and sensitive platform events where technically available. Such logs may include actor identifiers, role or account metadata, tenant identifiers, timestamps, support-access or impersonation events, API-key metadata, and action details. These logs are Keldio independent-controller records used for security, integrity, troubleshooting, compliance, abuse prevention, and enforcement.

5.6 Cooperation with Tenant compliance

Taking into account the nature of the Processing and the information available to Keldio, Keldio assists the Tenant by appropriate technical and organisational measures, insofar as possible, in fulfilling the Tenant's obligations to:

  • (a) respond to Data Subject Requests (§9);
  • (b) ensure security of processing (§6);
  • (c) notify the Supervisory Authority and Data Subjects of Personal Data Breaches (§10);
  • (d) carry out Data Protection Impact Assessments and prior consultation (§11).

5.7 Security-by-design and default assistance

Keldio shall take data protection by design and by default into account when developing materially new Service modules that Process Customer Personal Data. This does not require Keldio to customise the Services for each Tenant, but it requires Keldio to consider access control, minimisation, retention, logging, isolation, and secure defaults in normal product development.

5.8 Out-of-scope processing

Keldio is not responsible for Personal Data the Tenant Processes outside the Services, for Personal Data Processed by Tenant-Configured Providers on the Tenant's account, for Personal Data the Tenant transmits via tools, plug-ins, or websites the Tenant operates outside Keldio infrastructure, or for Personal Data the Tenant's End-Users supply directly to a third party. The Tenant indemnifies Keldio for liabilities arising from such out-of-scope processing.

---

6. Security — Technical and Organisational Measures (TOMs)

6.1 Standard

Keldio implements and maintains TOMs appropriate to the risk presented by the Processing, including, as appropriate, the measures listed in Article 32(1) GDPR. The current TOMs are described in Annex B (Security Measures Overview).

6.2 Categories of measures

The TOMs include, at a minimum:

  • pseudonymisation and encryption of Personal Data where appropriate;
  • measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services;
  • the ability to restore the availability of, and access to, Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of TOMs;
  • staff training, vetting, and access controls;
  • secure software development lifecycle practices.

6.3 Updates to TOMs

Keldio may update the TOMs from time to time, provided that such updates do not result in a material reduction of the level of security. Material reductions require Tenant notice; a Tenant may object on reasonable data-protection grounds in accordance with §7.4.

6.4 Bring-your-own credential storage

Keldio stores Tenant-Provided Credentials encrypted at rest in the tenant_api_keys table. The Tenant is responsible for credential hygiene at the source provider (rotation, scoping, revocation). A breach affecting Keldio's storage of Tenant-Provided Credentials is a Personal Data Breach for purposes of §10. A breach at the underlying Provider is the Provider's incident; Keldio will assist the Tenant with rotation but is not responsible for the Provider's security.

6.5 Support access and administrative intervention

Where Keldio personnel access a Tenant Workspace for support, troubleshooting, migration, abuse investigation, security investigation, or legal-compliance reasons, Keldio shall limit that access to personnel with a legitimate need, log access where technically available, and use reasonable minimisation. Keldio may access Workspaces without prior Tenant approval where necessary to investigate security incidents, prevent abuse, comply with law, or protect the Services or other Tenants.

6.6 Tenant-side security

The Tenant is responsible for the security of the Tenant's own infrastructure, devices, networks, downstream systems (including webhook endpoints), and credentials issued under the Workspace. Keldio is not responsible for breaches arising from compromise of the Tenant's environment.

---

7. Subprocessors

7.1 General authorisation

The Tenant grants Keldio a general written authorisation under Article 28(2) GDPR to engage Keldio Subprocessors to Process Customer Personal Data, subject to the conditions in this §7.

7.2 Current Subprocessors

The list of current Keldio Subprocessors is set out in Annex C and maintained at https://keldio.com/subprocessors. Keldio shall keep that list current.

7.3 Notice of new or replacement Subprocessors

Keldio shall notify the Tenant of the addition of, or replacement of, a Keldio Subprocessor at least 30 days before the new Subprocessor commences Processing of Customer Personal Data. Notice is given by:

  • (a) updating the published Subprocessor List with the proposed effective date; and
  • (b) email to the Tenant's billing or legal-notices address, or in-app notice that Admin Users see on next sign-in.

For Subprocessor changes that arise from a security or operational emergency, Keldio may give shorter notice, with detail of the urgency.

7.4 Right to object

Within 15 days of notice under §7.3, the Tenant may object to a proposed new or replacement Keldio Subprocessor on reasonable data-protection grounds by giving written notice to Keldio. The parties shall discuss the objection in good faith. If the parties cannot resolve the objection within 30 days, the Tenant may, as its sole and exclusive remedy, terminate the Platform Terms for the affected Service in accordance with the Platform Terms. Keldio shall refund any prepaid Fees for the period after termination.

7.5 Subprocessor obligations

Keldio shall:

  • (a) engage each Keldio Subprocessor under a written contract that imposes data-protection obligations no less protective than those in this DPA, including the obligations of Article 28(3) GDPR (*mutatis mutandis*);
  • (b) ensure each Keldio Subprocessor implements TOMs appropriate to the Processing and complies with Article 32 GDPR;
  • (c) where the Subprocessor is located in a Third Country, implement an appropriate transfer mechanism in accordance with §8.

7.6 Liability for Subprocessors

Keldio remains liable to the Tenant for the acts and omissions of its Keldio Subprocessors in respect of their Processing of Customer Personal Data, as if those acts and omissions were Keldio's own, subject to the liability limits in §17.

7.7 Tenant-Configured Providers

For the avoidance of doubt, Tenant-Configured Providers are not Keldio Subprocessors. The Tenant's contract with each such Provider governs that Provider's Processing. Keldio's role is the conduit through which the Tenant configures and uses the Provider; Keldio's obligations under this DPA in respect of Tenant-Configured Providers are limited to (i) transmitting Personal Data securely as configured by the Tenant, (ii) storing Tenant-Provided Credentials securely as set out in §6.4, and (iii) not Processing the Personal Data for any purpose other than as instructed by the Tenant. Annex C lists current Tenant-Configured Providers for transparency.

---

8. International transfers

8.1 Default — EEA-resident processing

Keldio Processes Customer Personal Data primarily within the EEA (the Supabase database region is configured for the EU; Mailgun is configured to its EU region; Mollie and Bundle.social are EU-based; the Vercel region is configurable). Some Subprocessors may Process Personal Data in, or transfer it to, the United States or other countries (Clerk, Vercel global edge, Cloudflare global edge, Vimeo, Svix, Meta, TikTok, and Google, as listed in Annex C).

8.2 Transfer mechanisms

Where Keldio or a Keldio Subprocessor Processes or Transfers Customer Personal Data to a Third Country, the Transfer takes place under one of the following mechanisms, in order of priority:

  • (a) an adequacy decision by the European Commission (or the UK Government for UK transfers) — for example, the EU–US Data Privacy Framework for self-certified US recipients;
  • (b) the EU SCCs (Commission Implementing Decision 2021/914), with Module 2 (controller-to-processor) for direct transfers from the Tenant to Keldio where Keldio is in a Third Country, and Module 3 (processor-to-processor) for onward transfers from Keldio to a Subprocessor in a Third Country;
  • (c) for UK-related transfers, the UK International Data Transfer Addendum to the SCCs, or the UK International Data Transfer Agreement;
  • (d) for Swiss-related transfers, the SCCs as supplemented by the requirements of the Swiss Federal Data Protection and Information Commissioner (FDPIC);
  • (e) any other valid Article 46 GDPR transfer mechanism.

8.3 Incorporation of the SCCs

Where the SCCs apply, the parties agree the SCCs are incorporated into this DPA by reference, with:

  • the Tenant as the data exporter and Keldio as the data importer for Module 2;
  • in Module 3 contexts, the relevant Keldio Subprocessor as the importer and Keldio as the exporter, with the Tenant's authorisation;
  • Clause 7 (docking) not applicable;
  • Clause 9 (use of subprocessors) — option 2 (general written authorisation) with the notice period in §7.3;
  • Clause 11 (redress) — optional independent dispute-resolution body not included by default;
  • Clause 17 (governing law) — the law of the Netherlands, provided that the law selected allows Data Subjects to enforce the SCCs as required by the SCCs;
  • Clause 18 (forum and jurisdiction) — the courts of the Netherlands;
  • Annex I, II, and III completed by reference to Annexes A, B, and C of this DPA.

8.4 Transfer impact assessment

Keldio has carried out, and shall keep updated, a transfer impact assessment for each Transfer to a Third Country under the SCCs. A summary of the assessment is available on request to Tenants under appropriate confidentiality. The Tenant acknowledges that it has reviewed the published Subprocessor List and the Transfer mechanisms in §8.2 and that, on the basis of the information provided, the parties consider the Transfers to provide an essentially equivalent level of protection.

8.5 Government access

Keldio shall use reasonable efforts to challenge legally invalid government-access requests for Customer Personal Data and shall, where lawfully permitted, notify the Tenant of binding government-access requests. Keldio shall publish a transparency report describing aggregated government-access activity from time to time.

8.6 Data residency on request

The Tenant may request data-residency commitments (e.g. EU-only Processing) by contacting Keldio. Keldio is not obligated to commit to data-residency configurations beyond what is currently available; where Keldio commits to a specific configuration in writing, Keldio shall not change the configuration without the Tenant's consent.

---

9. Data Subject Requests

9.1 Routing

A Data Subject Request relating to Customer Personal Data should be addressed to the Tenant as Controller. Where Keldio receives a Data Subject Request directly from a Data Subject in respect of Customer Personal Data, Keldio shall:

  • (a) not respond to the request itself except to confirm receipt and direct the Data Subject to the Tenant where appropriate;
  • (b) notify the Tenant of the request without undue delay (usually within 5 working days);
  • (c) at the Tenant's instruction and cost, assist the Tenant in responding to the request.

9.2 Self-service tools

Keldio provides Workspace tools that allow the Tenant to fulfil common Data Subject Requests directly, including:

  • (a) access — the Tenant may export contact records, order history, and related data via the in-app exports;
  • (b) rectification — the Tenant may edit contact records and other Personal Data fields directly;
  • (c) erasure — the Tenant may delete contact records, community posts, lesson progress, and other Personal Data via the admin UI or REST API;
  • (d) restriction — the Tenant may suppress contacts from communications, mark records as restricted, or unsubscribe contacts;
  • (e) portability — the Tenant may export contact and order data in a structured, commonly used, machine-readable format (CSV/JSON);
  • (f) objection — the Tenant may stop further Processing for marketing by suppressing contacts.

9.3 Limitations of erasure

The Tenant acknowledges that erasure from active systems does not immediately remove Personal Data from:

  • (a) backups (which expire on the standard backup-retention cycle, target 30 days);
  • (b) audit logs and security telemetry retained under §3.5(b)–(c) and §16;
  • (c) agent_invocations retained for 90 days and webhook_deliveries retained per the data-retention schedule;
  • (d) legal-hold or tax/accounting records retained under applicable law (e.g. NL fiscal retention up to 7 years for invoices);
  • (e) Mailgun suppression lists, which retain identifiers expressly to prevent further communication;
  • (f) downstream Tenant-Configured Providers, where erasure must be requested separately by the Tenant.

Keldio assists the Tenant in identifying and addressing such limitations on request.

9.4 Identity verification

The Tenant is responsible for verifying the identity of the Data Subject and confirming the Tenant's ability to act on the request before Keldio implements any Tenant-instructed action that would alter or delete Customer Personal Data.

9.5 Tenant instructions and conflict handling

If Keldio receives conflicting instructions from multiple Admin Users, the Workspace owner, billing owner, or legal contact, Keldio may require confirmation from the Workspace owner or another authorised representative before taking action. Keldio may refuse to act on an erasure, export, or restriction instruction where Keldio reasonably believes the instruction is unauthorised, unlawful, technically unsafe, or likely to affect another Tenant or Data Subject unlawfully.

9.6 Cost of assistance

Routine Data Subject Request assistance available through the Workspace tools is included in the Services. Bespoke assistance (e.g. forensic data export across multiple modules, custom reports, on-site assistance) may be charged at Keldio's then-current professional-services rates.

---

10. Personal Data Breach notification

10.1 Notice to Tenant

Keldio shall notify the Tenant of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay after Keldio becomes aware of the Breach, targeting notice within 72 hours of confirmation. Keldio may also provide preliminary notice of a suspected incident where doing so would reasonably help the Tenant protect Data Subjects, even if the incident has not yet been confirmed as a Personal Data Breach.

10.2 Content of notice

The notice shall include, to the extent then known and to the extent permitted by law:

  • (a) a description of the nature of the Breach, including the categories and approximate number of Data Subjects and records affected;
  • (b) the likely consequences of the Breach;
  • (c) the measures taken or proposed to address the Breach and to mitigate possible adverse effects;
  • (d) the name and contact details of Keldio's data-protection contact for the matter;
  • (e) any other information reasonably required by the Tenant to comply with its Article 33 and 34 GDPR obligations.

Where not all information is available at first notice, Keldio shall provide updates in phases as more becomes known.

10.3 Cooperation

Keldio shall cooperate with the Tenant in good faith in the investigation, mitigation, and remediation of the Breach, and shall provide reasonable assistance with any notification to a Supervisory Authority or Data Subject that the Tenant is required to make.

10.4 Tenant's notification responsibilities

The Tenant is responsible for assessing whether to notify a Supervisory Authority and/or affected Data Subjects under Articles 33 and 34 GDPR, and for making such notifications. Keldio's notice to the Tenant under this §10 does not constitute notice on behalf of the Tenant to any Supervisory Authority or Data Subject.

10.5 Mitigation

Keldio shall take prompt and appropriate steps to contain, mitigate, and remediate the Breach.

10.6 No admissions

Keldio's notice or cooperation under this §10 is not an admission of fault or liability.

---

11. Data Protection Impact Assessments and prior consultation

11.1 Assistance

Where the Tenant is required to carry out a Data Protection Impact Assessment under Article 35 GDPR, or to consult a Supervisory Authority under Article 36 GDPR, in respect of Processing through the Services, Keldio shall provide reasonable assistance, including:

  • (a) information about the nature of the Processing, the TOMs, and the Subprocessor list;
  • (b) responses to reasonable, scoped questions about the Service architecture relevant to the assessment;
  • (c) where appropriate, attendance at a single working session per assessment.

11.2 Cost

Routine information and the Service architecture description are included in the Services. Extensive bespoke assistance (e.g. tailored impact-assessment authoring, attendance at multiple regulator meetings) may be charged at Keldio's then-current professional-services rates, agreed in advance.

11.3 Tenant warrant

The Tenant remains responsible for completing the assessment and for any communication with the Supervisory Authority.

---

12. Audits and inspections

12.1 Information first

Keldio shall make available to the Tenant the information necessary to demonstrate compliance with Article 28 GDPR, including:

  • (a) this DPA;
  • (b) the published Subprocessor List;
  • (c) the TOMs (Annex B);
  • (d) Keldio's published Privacy Policy and Security Measures Overview;
  • (e) certifications and attestations Keldio has obtained from time to time (e.g. ISO/IEC 27001, SOC 2 Type II — when in place);
  • (f) summaries of penetration-test results (under appropriate confidentiality);
  • (g) responses to a reasonable number of pre-contractual or annual security questionnaires per year.

12.2 Third-party audit right

On reasonable written notice (at least 30 days, except in the case of a confirmed Breach where shorter notice may be appropriate), the Tenant may, on a once-per-12-months basis (and additionally after a confirmed Breach), conduct or commission an independent third-party audit of Keldio's compliance with this DPA, subject to:

  • (a) the audit being conducted by a qualified independent auditor under written confidentiality and no-conflict obligations agreed with Keldio;
  • (b) the auditor not being a competitor of Keldio;
  • (c) the audit being scoped to Keldio's Processing of Customer Personal Data on the Tenant's behalf, and not extending to data of other Tenants, internal Keldio operations unrelated to the Tenant, or Keldio's commercial information;
  • (d) the audit being conducted during normal business hours, with minimum disruption to Keldio's operations;
  • (e) the audit not requiring Keldio to disclose other customers' data, breach legal hold, or breach Subprocessor confidentiality obligations;
  • (f) all costs being borne by the Tenant, including reasonable Keldio cooperation costs;
  • (g) the auditor signing an NDA with Keldio.

12.3 Findings

The Tenant shall share audit findings with Keldio promptly. The parties shall discuss findings in good faith and agree any remediation measures.

12.4 Supervisory Authority requests

This §12 does not limit Keldio's or the Tenant's obligation to cooperate with a Supervisory Authority's inspection or investigation conducted under its statutory powers.

---

13. Deletion or return of Personal Data on termination

13.1 Tenant choice

On termination or expiry of the Platform Terms (or earlier on the Tenant's written request), the Tenant may instruct Keldio to delete or return Customer Personal Data. Where the Tenant does not instruct, the default is deletion in accordance with §13.3.

13.2 Export window

The Tenant has a post-termination export window in accordance with the Platform Terms (usually 30 days standard; 90 days where Keldio terminates without cause or in a Service-wide wind-down). During this window, the Tenant retains read-only access to the Workspace and the export tools.

13.3 Deletion

After the export window, Keldio shall delete Customer Personal Data from active systems within a further 30 days, except for data retained under §13.5.

13.4 Backups

Customer Personal Data may persist in encrypted backups for the standard backup-retention period (usually 30 days from the date of last write) before being deleted through the normal backup cycle. During this residual period, Keldio Processes the data only for backup-integrity purposes.

13.5 Retained data

Keldio may retain Customer Personal Data after the deletion deadlines in §13.3–§13.4 to the extent and for the period required to comply with:

  • (a) legal, regulatory, tax, or accounting obligations (e.g. Dutch fiscal retention of invoices for up to 7 years);
  • (b) legitimate fraud-prevention, abuse-investigation, or security-incident records;
  • (c) defending or pursuing legal claims;
  • (d) preserving evidence under legal hold;
  • (e) Subprocessor-side suppression lists (e.g. Mailgun suppression) where retention serves a privacy-protective purpose (preventing re-mailing after unsubscribe).

Retained data is segregated and access-restricted. It is deleted when the retention rationale expires.

13.6 Aggregated and de-identified data

Aggregated and de-identified data derived from the Tenant's use is not Customer Personal Data and may be retained indefinitely.

13.7 Legal acceptance and proof records

Keldio may retain Legal Acceptance Events, document-version records, acceptance hashes, timestamps, IP addresses, user agents, and related audit evidence for as long as reasonably necessary to prove contract formation, defend legal claims, comply with law, or demonstrate compliance with Data Protection Laws. These records are Keldio controller records under §3.5 and are not deleted merely because a Workspace is deleted, unless retention is no longer necessary or required.

13.8 Confirmation

On the Tenant's written request, Keldio shall confirm in writing that deletion has been completed in accordance with this §13, with reference to data categories and dates.

---

14. AI features, agents, and the MCP server (Keldio-specific)

14.1 Tenant authorisation of agents

The Tenant may issue REST API keys and MCP keys ("Agent Credentials") to its Admin Users, contractors, partners, or to AI agents operated by Third-Party AI Providers. By issuing an Agent Credential, the Tenant authorises the holder to act on the Tenant's behalf in Processing Customer Personal Data through the Services.

Where an Agent Credential includes team-management, settings, export, legal, billing, payment, email, inbox, publication, or other sensitive scopes, the Tenant acknowledges that the connected agent may take actions with material legal, commercial, privacy, or security consequences. The Tenant remains responsible for selecting appropriate scopes, supervising agent use, reviewing logs made available by Keldio, and revoking credentials that are no longer needed or trusted.

14.2 Agent attribution

Processing performed under an Agent Credential is attributed to the Tenant for purposes of this DPA. The Tenant is the Controller of Processing initiated by an Agent. Keldio is the Processor of that activity on the Tenant's instructions, regardless of whether the actor on the Tenant's side is a human, a script, or an AI agent.

14.3 No human-approval gate

The Tenant acknowledges that MCP tool calls, REST API requests, Workflow executions, and Sequence steps execute immediately on receipt of an authenticated request and that there is no human-approval interception by Keldio. The Tenant is responsible for the lawfulness, scope, and consequences of all Processing initiated under Agent Credentials.

14.4 Logging and retention

Keldio logs Agent activity in agent_invocations for 90 days. The Tenant may inspect the log via the Workspace UI or API. The log is retained as Keldio operational data under §3.5(c).

14.5 Third-Party AI Providers

Where the Tenant has connected an AI agent operated by a Third-Party AI Provider (e.g. Anthropic, OpenAI, the Tenant's own model deployment) to the Services, the Provider's Processing is governed by the Tenant's contract with the Provider. The Provider is not a Keldio Subprocessor. The Tenant is responsible for the Provider's data-handling, training-data policy, retention, and security posture.

14.6 Keldio's use of customer data for AI training

Keldio does not use identifiable Customer Personal Data, Customer Content, or Member Data to train Keldio-operated AI models, and does not authorise Keldio Subprocessors to do so on Keldio's behalf. Keldio may use aggregated, de-identified usage signals to improve heuristics, ranking, and recommendations consistent with §3.5(d) and the Platform Terms. If Keldio later operates its own AI models trained on customer data, Keldio shall publish a clear opt-in / opt-out mechanism and amend this DPA in accordance with §19.

14.7 AI output and human review

The Tenant remains responsible for reviewing AI-generated or agent-generated Output before relying on it in legally, financially, medically, employment-related, educational, or similarly consequential contexts. Keldio Processes Customer Personal Data used by AI/Agent features on the Tenant's instructions, but Keldio does not warrant that Output is accurate, complete, lawful for the Tenant's specific use, non-discriminatory, or free of hallucinations.

14.8 Safety controls

Keldio may, without notice, throttle, scope-restrict, kill-switch, or audit Agent activity to protect the Services, other Tenants, or End-Users. Keldio's exercise of these controls is not a breach of this DPA or the Platform Terms.

---

15. Tenant-Configured Providers (Keldio-specific)

15.1 Conduit role

Where the Tenant has configured a Tenant-Configured Provider (Mailgun, Mollie, Stripe Connect, Cloudflare Stream in BYO mode, Bundle.social, Meta CAPI, TikTok Events API, Google Ads, etc.), Keldio's role in respect of that Provider is the conduit: Keldio uses the Tenant's credentials to act on the Tenant's account at the Provider as the Tenant has configured.

15.2 Data flows

Annex G describes the Personal Data flows for the principal Tenant-Configured Providers. The Tenant warrants that the Tenant has obtained the Data Subject consents and provided the notices required for each such flow (e.g. consent for ad-pixel server-side conversion events to Meta CAPI / TikTok Events / Google Ads).

15.3 Keldio's obligations

In respect of Tenant-Configured Providers, Keldio's DPA obligations are limited to:

  • (a) transmitting Personal Data in accordance with the Tenant's configuration;
  • (b) storing Tenant-Provided Credentials securely (§6.4);
  • (c) not Processing the Personal Data for any purpose other than as instructed.

15.4 Webhooks and external destinations

Where the Tenant configures webhooks, API exports, automations, MCP calls, or other outbound deliveries to Tenant-controlled or third-party destinations, Keldio's responsibility ends when Keldio has securely transmitted the payload according to the Tenant's configuration, except to the extent of Keldio's own transmission error. The Tenant is responsible for the receiving endpoint, authentication, logging, retention, onward disclosure, and security of the destination.

15.5 No DPA between Keldio and Tenant-Configured Providers

Keldio is not in a Subprocessor relationship with Tenant-Configured Providers in respect of the Tenant's account at those Providers. The Tenant is responsible for the Tenant's contract and DPA with each Provider.

---

16. Records of processing activities (Article 30)

16.1 Keldio's records

Keldio maintains records of its Processing activities as required by Article 30(2) GDPR, including the categories of Processing carried out on behalf of each Tenant (in aggregate where a Tenant has not requested specific records), the categories of Subprocessors, the international transfers, and the TOMs.

16.2 Production on request

Keldio shall make these records available to a Supervisory Authority on request and to the Tenant on reasonable written request, subject to redaction for confidential information of other customers.

16.3 Tenant's records

The Tenant remains responsible for maintaining its own Article 30(1) records as Controller.

---

17. Liability

17.1 Bridge to the Platform Terms

The limitation-of-liability provisions of the Platform Terms apply to liability arising under or in connection with this DPA, except as expressly provided in this §17.

17.2 Insurance-first principle

To the extent Keldio is liable for damage arising under this DPA, Keldio's liability is in the first instance limited to the amount paid out by Keldio's insurer in respect of the relevant claim (where such cover is in place).

17.3 Aggregate cap where insurance does not respond

Where Keldio's insurer does not (or does not fully) cover the damage, Keldio's aggregate liability under this DPA — together with all liability under the Platform Terms in respect of the same matter — is capped per the Platform Terms (usually 12 months of Fees actually paid; €100 for Trial / no-fee accounts), subject to the carve-outs in the Platform Terms.

17.4 No multiplication of caps

The DPA cap and the Platform Terms cap are aggregated, not stacked. The same matter cannot be compensated twice.

17.5 Indirect damages excluded

Each party excludes liability for indirect, incidental, special, consequential, punitive, or exemplary damages, loss of profits, loss of revenue, loss of business, loss of goodwill, loss of opportunity, or loss of anticipated savings, in each case to the maximum extent permitted by law.

17.6 Third-party-failure exclusion

Failures in the services of third parties — including Keldio Subprocessors, Tenant-Configured Providers, hosting providers, telecommunications providers, internet routing, energy providers, government infrastructure, and other suppliers — are not attributable to Keldio, and Keldio is not liable for damage caused by such failures, except to the extent of Keldio's responsibility for Keldio Subprocessors under §7.6.

17.7 Tenant indemnity

The Tenant's indemnity in §4.8 applies to losses, fines, regulatory penalties, and third-party claims arising from the Tenant's controller-side breach.

17.8 Carve-outs

Notwithstanding this §17, neither party limits or excludes liability for: fraud; wilful misconduct; gross negligence; death or personal injury caused by negligence; or any liability that cannot lawfully be limited or excluded under applicable law.

17.9 Regulatory fines

Where a Supervisory Authority imposes a fine on a party under Article 83 GDPR (or equivalent), that fine is borne by the party against whom it is imposed, except where the fine arises wholly or substantially from the other party's breach of this DPA, in which case the breaching party shall indemnify the other up to the cap in §17.3 and subject to the carve-outs in §17.8.

---

18. Term, termination, and survival

18.1 Term

This DPA applies for the duration of the Platform Terms.

18.2 Termination

This DPA terminates automatically when the Platform Terms terminate. Termination of this DPA does not affect the Tenant's continuing rights in respect of Customer Personal Data already Processed.

18.3 Survival

The provisions of this DPA that, by their nature, are intended to survive termination — including §3.5 (Keldio's controller purposes), §10 (breach notification, for events occurring during the term), §13 (deletion or return), §16 (records), §17 (liability), §20 (governing law) — survive accordingly.

18.4 Order of precedence

In the event of conflict between this DPA and the Platform Terms, this DPA controls in respect of the Processing of Personal Data; the Platform Terms control in all other respects. In the event of conflict between this DPA and the SCCs (where incorporated), the SCCs control in respect of the matters they govern.

---

19. Changes to this DPA

19.1 Right to update

Keldio may update this DPA from time to time:

  • (a) to reflect changes in Data Protection Laws or guidance from a Supervisory Authority;
  • (b) to reflect changes in the Subprocessor List in accordance with §7;
  • (c) to reflect changes in Keldio Service architecture that affect Processing;
  • (d) to correct errors or inconsistencies; and
  • (e) for other reasonable reasons consistent with the data-protection rights of Data Subjects.

19.2 Notice

Material changes (changes that materially expand Processing, materially reduce Tenant rights, materially weaken security, or materially change the international-transfer mechanism) take effect at least 30 days after notice is given to Admin Users by email and in-app notice. Non-material changes take effect on posting.

19.3 Right to terminate on material change

If the Tenant objects in writing within 30 days of notice of a material change on reasonable data-protection grounds, and the parties cannot resolve the objection within a further 30 days, the Tenant may terminate the affected Service in accordance with the Platform Terms. Keldio shall refund any prepaid Fees for the period after termination.

---

20. General provisions

20.1 Governing law

This DPA is governed by the laws of the Netherlands.

20.2 Jurisdiction

Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands. Each party may seek injunctive relief in any court of competent jurisdiction.

20.3 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions are not affected. The parties shall replace the invalid provision with a valid provision that most closely reflects the parties' original intent.

20.4 Language

The English version of this DPA is the binding version. A Dutch translation may be made available for convenience; in the event of conflict, the English version prevails — unless mandatory Dutch consumer-protection law requires otherwise for a particular Tenant.

20.5 Entire agreement

This DPA, together with the Platform Terms, the Acceptable Use Policy, the published Subprocessor List, and any applicable Order Form, constitutes the entire agreement of the parties in respect of the Processing of Personal Data and supersedes any prior data-processing arrangements between the parties.

20.6 Assignment

Neither party may assign this DPA without the other's prior written consent, except as permitted by the Platform Terms (which permits Keldio assignment to an Affiliate or successor in connection with a merger, acquisition, or restructuring on notice).

20.7 Notices

Notices under this DPA may be given in accordance with the Platform Terms. Formal notices to Keldio for purposes of this DPA should also be sent to legal@keldio.com and copied to dpo@keldio.com (when in place).

20.8 Counterparts and electronic signature

This DPA may be executed in counterparts and by electronic acceptance. Click-to-sign acceptance via the Keldio Workspace constitutes valid execution.

---

21. Acceptance evidence and version control

21.1 Clickwrap and acceptance records

The Tenant may accept this DPA by checkbox, checkout acceptance, in-app clickwrap, API/order-form acceptance, electronic signature, or continued use after a material-change notice where the Platform Terms permit that mechanism. Keldio shall record a Legal Acceptance Event for clickwrap or in-app acceptance.

21.2 Contents of Legal Acceptance Event

A Legal Acceptance Event should record, where available: Tenant ID, Workspace ID, accepting user ID, email address, name/company, timestamp, IP address, user agent, acceptance source, exact checkbox or button text, accepted document types, document version numbers, document URLs, document content hashes, and related checkout/order/session identifiers.

21.3 Versioned legal documents

Keldio shall maintain versioned records of this DPA and other legal documents accepted by the Tenant, sufficient to reconstruct the text accepted at the time of acceptance. A public URL may change over time; the acceptance record should identify the accepted version and content hash.

21.4 CRM projection

Keldio may display acceptance status in the Keldio super-admin CRM as a Legal Acceptance card, timeline event, downloadable proof certificate, or similar operational projection. The CRM projection is for convenience. The Legal Acceptance Event and versioned legal-document record are the source of truth.

21.5 Re-acceptance

Keldio may require re-acceptance of this DPA where Keldio makes material changes, where required by law, or where a Tenant upgrades to a Service module that materially changes Processing. Re-acceptance creates a new Legal Acceptance Event and does not overwrite prior acceptance records.

---

Annex A — Description of Processing

A.1 Subject matter of Processing

The provision of the Keldio platform Services to the Tenant under the Platform Terms.

A.2 Duration of Processing

For the duration of the Platform Terms, plus the deletion / retention periods set out in §13.

A.3 Nature of Processing

Hosting, storage, organisation, structuring, retrieval, consultation, use, transmission, alignment, combination, restriction, erasure, and destruction of Personal Data; sending of communications on Tenant authority; execution of Tenant-configured automations; provision of the Tenant's Member Portal; processing of orders, invoices, and payments via Tenant-Configured Providers; transmission of server-side ad-conversion events to Tenant-Configured Providers; delivery of webhooks to Tenant-registered endpoints; provision of analytics and reporting; provision of support.

A.4 Purpose of Processing

Providing the Services to the Tenant, including operating the Tenant's business processes through the Workspace.

A.5 Categories of Data Subjects

  • The Tenant's contacts and leads;
  • The Tenant's customers and former customers (purchasers of the Tenant's products or services);
  • The Tenant's Members (course students, community participants, members of the Tenant's Member Portal);
  • The Tenant's webinar registrants and attendees;
  • The Tenant's booking guests;
  • Recipients of the Tenant's communications (email, social, transactional);
  • Senders of public contact-form submissions to the Tenant;
  • The Tenant's Admin Users, owners, and team members;
  • Authors of community posts within the Tenant's Workspace;
  • Holders of Tenant-issued REST API keys, MCP keys, and webhook secrets, and persons acting under such credentials.

A.6 Categories of Personal Data

  • Identification data — name, email, phone, postal address, social handles, profile picture.
  • Account / credential data — usernames, hashed authentication tokens (Keldio does not store passwords in plaintext), session identifiers (via Clerk).
  • Commercial data — purchase history, subscription status, invoice records, refund records, payment-provider customer IDs, payment-provider transaction IDs (no card numbers — those remain at Mollie / Stripe).
  • Behavioural / engagement data — page views, opt-ins, form submissions, click events, lesson progress, community posts, support thread participation.
  • Marketing-attribution data — UTM parameters, ad-platform click identifiers (fbclid, gclid, ttclid, li_fat_id, twclid), Meta fbc/fbp cookies, referrer URL, landing page.
  • Communication content — inbound and outbound email bodies; social posts; community posts; support thread messages; webinar chat lines; AI-drafted communications.
  • Member-portal usage data — lesson_progress (started_at, completed_at), event_rsvps, community_members, course_enrollments, member login activity.
  • Booking data — booker name, email, phone, time slot, notes.
  • Webinar and video data — registration data, attendance data, chat data, recordings, replay access records, uploaded video files, video metadata, viewer/request metadata, and related troubleshooting or delivery logs.
  • Ad-conversion data (server-side) — hashed email, hashed phone, IP, user agent, click identifier, transmitted to Meta CAPI / TikTok Events / Google Ads on Tenant configuration.
  • Technical data — IP address, user agent, device data, browser data, log data.
  • Special Category Data — only where the Tenant directs Processing in accordance with §4.5.

A.7 Frequency

Continuous Processing for the duration of the Services.

A.8 Retention

For the duration of the Platform Terms, plus the deletion and retention periods set out in §13.

---

Annex B — Technical and Organisational Measures (TOMs)

B.1 Confidentiality (Article 32(1)(b))

  • Encryption of Personal Data in transit via TLS 1.2+ for all customer-facing endpoints.
  • Encryption of Personal Data at rest via Supabase storage encryption.
  • Encryption of Tenant-Provided Credentials at rest in the tenant_api_keys table.
  • SHA-256 hashing of REST API keys and MCP keys; plaintext shown only at issuance.
  • Authentication via Clerk for Admin Users and Members.
  • Multi-factor authentication available for Admin Users; required for Keldio personnel with production access.
  • Role-based access control with least-privilege defaults.
  • Tenant data isolation enforced by application-layer scoping (tenant_id on every relevant table) with selective Postgres Row-Level Security.

B.2 Integrity (Article 32(1)(b))

  • Audit logging of sensitive admin actions (platform_audit_log).
  • Logging of agent invocations (agent_invocations, 90-day retention).
  • Logging of webhook deliveries (webhook_deliveries).
  • Webhook signing with rotatable HMAC secrets.
  • Database integrity via PostgreSQL constraints, foreign keys, transactions.
  • Source-control review for production changes.
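As an added illustration of the "webhook signing with rotatable HMAC secrets" measure listed above (example code written for this page, not Keldio's implementation), the block below shows one common scheme: the signature is an HMAC-SHA256 over the delivery timestamp and raw body, the receiver only honours signatures inside a freshness window, and during rotation a two-slot ring keeps the previous secret valid for verification until it is retired. The header layout, the 300-second tolerance, the `SecretRing` helper and the sample secrets and payload are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Sequence

# Constructed sample secrets for the example; real secrets come from a secret store.
SECRET_V1 = b"whsec_constructed_v1"
SECRET_V2 = b"whsec_constructed_v2"

TOLERANCE_SECONDS = 300  # assumed replay window: older signatures are rejected


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.

    Binding the timestamp into the signed message means a captured delivery
    cannot be replayed outside the freshness window.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(
    active_secrets: Sequence[bytes],
    timestamp: int,
    body: bytes,
    signature: str,
    now: Optional[float] = None,
) -> bool:
    """Accept a delivery only if it is fresh and signed with an active secret.

    During rotation the ring holds both the new and the previous secret, so
    deliveries signed just before the switch still verify. Comparison uses
    hmac.compare_digest to avoid leaking the signature through timing.
    """
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    for secret in active_secrets:
        expected = sign_webhook(secret, timestamp, body)
        if hmac.compare_digest(expected, signature):
            return True
    return False


class SecretRing:
    """Two-slot rotation (assumed design): 'current' signs new deliveries,
    'previous' is honoured for verification only until it is retired."""

    def __init__(self, current: bytes) -> None:
        self.current = current
        self.previous: Optional[bytes] = None

    def rotate(self, new_secret: bytes) -> None:
        self.previous, self.current = self.current, new_secret

    def retire_previous(self) -> None:
        self.previous = None

    def active(self) -> list:
        return [s for s in (self.current, self.previous) if s is not None]


def demo() -> dict:
    """Walk through a rotation and return each verification outcome."""
    body = b'{"event":"contact.created","contact_id":"c_123"}'  # constructed payload
    t0 = 1_700_000_000
    ring = SecretRing(SECRET_V1)
    sig_v1 = sign_webhook(ring.current, t0, body)

    results = {"before_rotation": verify_webhook(ring.active(), t0, body, sig_v1, now=t0 + 5)}
    ring.rotate(SECRET_V2)  # new deliveries are now signed with v2
    results["grace_period"] = verify_webhook(ring.active(), t0, body, sig_v1, now=t0 + 5)
    ring.retire_previous()
    results["after_retire"] = verify_webhook(ring.active(), t0, body, sig_v1, now=t0 + 5)
    sig_v2 = sign_webhook(SECRET_V2, t0, body)
    results["tampered_body"] = verify_webhook([SECRET_V2], t0, body + b" ", sig_v2, now=t0 + 5)
    results["stale"] = verify_webhook([SECRET_V2], t0, body, sig_v2, now=t0 + 3600)
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver-side check is what makes rotation safe to operate: the sender switches to the new secret immediately, while the receiver keeps accepting the old one only for the short overlap, then retires it so a leaked old secret stops being useful.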

B.3 Availability and resilience (Article 32(1)(b))

  • Hosted on managed cloud infrastructure with provider-managed uptime (Vercel, Supabase).
  • Database backups taken on the schedule provided by Supabase; backup retention disclosed in §13.4.
  • Monitoring of platform health, error rates, and Subprocessor health.
  • Incident response procedure with on-call coverage.

B.4 Restoration (Article 32(1)(c))

  • Backup-restore procedures tested periodically.
  • Documented rollback path for production deployments.

B.5 Testing and evaluation (Article 32(1)(d))

  • Periodic penetration testing (usually at least annually once revenue justifies; otherwise on material architectural change).
  • Responsible-disclosure policy (when published).
  • Internal security review for new features and Subprocessor changes.
  • Annual review of TOMs.

B.6 Personnel

  • Confidentiality undertakings for all personnel with access to Customer Personal Data.
  • Security awareness training for personnel.
  • Background checks for personnel with production access (where lawful in the relevant jurisdiction).
  • Removal of access promptly on personnel departure or role change.

B.7 Subprocessor management

  • Pre-engagement security and data-protection review of new Subprocessors.
  • Written contracts with each Keldio Subprocessor imposing Article 28(3) obligations *mutatis mutandis*.
  • Annual Subprocessor review.

B.8 Vendor and supply-chain

  • Patching and dependency-updating procedures.
  • Use of vetted libraries and frameworks.

B.9 Incident response

  • Documented incident-response playbook covering: detection, triage, containment, eradication, recovery, lessons learned.
  • Breach-notification target of 72 hours from confirmation (§10.1).

B.10 Physical security

  • All Customer Personal Data is hosted in third-party data centres operated by Keldio Subprocessors. Physical security is managed by the relevant Subprocessor and is documented in the Subprocessor's published security materials.

B.11 Pseudonymisation and minimisation

  • Pseudonymisation applied where appropriate (e.g. hashed PII in ad-conversion server-side calls).
  • Data-minimisation by design in new features.

---

Annex C — Subprocessors and Tenant-Configured Providers

C.1 Keldio Subprocessors (Process on Keldio's account)

| # | Subprocessor | Capability | Location of Processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|---|
| 1 | Vercel Inc. | Hosting, edge compute, custom-domain SDK | Global edge; primary US | EU SCCs |
| 2 | Supabase Inc. | PostgreSQL database, object storage, RLS | EU configured (primary) | EU SCCs for any non-EEA fallback |
| 3 | Clerk Inc. | Authentication for Admin Users and Members | US | EU SCCs / DPF if Clerk self-certifies |
| 4 | Svix Inc. | Webhook signature verification (Clerk inbound) | US | EU SCCs / DPF |
| 5 | Cloudflare, Inc. | DNS, security, caching, edge/network services, and Cloudflare Stream where Keldio uses a Keldio-controlled account | Global | EU SCCs / DPF where applicable |

C.2 Tenant-Configured Providers (Process on Tenant's account; not Keldio Subprocessors)

| # | Provider | Capability | Location | Tenant relationship |
|---|---|---|---|---|
| 5 | Mailgun Technologies, Inc. | Email delivery (per-tenant key + domain) | EU region configured | Tenant has Mailgun account; Tenant accepts Mailgun terms; Tenant signs Mailgun DPA |
| 6 | Mollie B.V. | Payment processing | EU (NL) | Tenant has Mollie account; Tenant accepts Mollie terms |
| 7 | Stripe, Inc. (Stripe Connect) | Payment processing (alternative to Mollie) | US/EU | Tenant has Stripe Connect account |
| 8 | Cloudflare, Inc. (Stream) — BYO mode | Video hosting and delivery (Tenant's CF account) | Global | Tenant has Cloudflare account |
| 9 | Bundle.social | Social-media publishing aggregator | EU | Tenant connects social accounts via Bundle |
| 10 | Meta Platforms, Inc. (Conversions API) | Server-side ad-conversion tracking | US | Tenant has Meta Business |
| 11 | TikTok Pte. Ltd. (Events API) | Server-side ad-conversion tracking | US/SG | Tenant has TikTok for Business |
| 12 | Google LLC (Google Ads MP) | Server-side ad-conversion tracking | US | Tenant has Google Ads |
| 13 | Vimeo, Inc. (legacy lessons) | Video embed (no API call from Keldio) | US | Embed only — Tenant or Keldio holds legacy content |

C.3 Hybrid provider-role note (Cloudflare Stream)

Where the Tenant uses Keldio's default Cloudflare Stream account (not BYO mode), Cloudflare acts as a Keldio Subprocessor for video Processing and is included in C.1. Where the Tenant connects its own Cloudflare account or credentials, Cloudflare Stream acts as a Tenant-Configured Provider for that flow and is included in C.2.

C.4 Optional / dormant

  • AI Providers (Anthropic, OpenAI, etc.) — only where the Tenant has connected an Agent. These Providers Process on the Tenant's account; they are not Keldio Subprocessors.

---

Annex D — EU Standard Contractual Clauses

The Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference, with the following parameters:

  • Module 2 (Controller-to-Processor) applies to direct Transfers from the Tenant (as data exporter) to Keldio (as data importer) where Keldio's Processing takes place outside the EEA.
  • Module 3 (Processor-to-Processor) applies to onward Transfers from Keldio (as exporter) to a Keldio Subprocessor (as importer) where the Subprocessor Processes outside the EEA.
  • Clause 7 (Docking) — not applicable.
  • Clause 9 (Subprocessors) — Option 2 (general written authorisation), with the notice procedure in §7.3.
  • Clause 11 (Redress) — independent dispute-resolution body not included by default.
  • Clause 17 (Governing law) — Netherlands, subject to the SCCs' mandatory requirements.
  • Clause 18 (Forum and jurisdiction) — Netherlands.
  • Annex I.A (List of parties) — the parties identified in §1 of this DPA.
  • Annex I.B (Description of transfer) — Annex A of this DPA.
  • Annex I.C (Competent supervisory authority) — Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) for Tenants resident in the Netherlands; otherwise the supervisory authority of the EEA Member State of the Tenant's main establishment.
  • Annex II (Technical and organisational measures) — Annex B of this DPA.
  • Annex III (List of subprocessors) — Annex C of this DPA.

For UK-related Transfers, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (B.1.0) is incorporated by reference, with Tables 1–4 completed by reference to the Annexes of this DPA. For Swiss-related Transfers, the SCCs apply with the supplementary requirements of the Swiss FDPIC.

---

Annex E — Member Portal data flow (Keldio-specific)

E.1 Description

The Member Portal at /learn is a Tenant-branded surface through which the Tenant's End-Users (Members) access content the Tenant publishes (courses, community, events, billing). Members authenticate via Clerk using a credential created for them either by the Tenant manually or automatically on purchase.

E.2 Personal Data Processed

  • Member identification (name, email).
  • Member authentication state (Clerk session).
  • Member usage (lesson_progress, event_rsvps, community posts, login activity).
  • Member-Tenant communications (support threads originating in the Member Portal).

E.3 Roles

  • The Tenant is the Controller of Member Data.
  • Keldio is the Processor of Member Data on the Tenant's instructions.
  • Clerk is a Keldio Subprocessor for authentication.

E.4 Data Subject Rights

A Member's Data Subject Request is routed to the Tenant. Where a Member contacts Keldio directly, Keldio refers the Member to the Tenant (§9.1).

E.5 Continuity on termination

On termination of the Platform Terms, Member access to Member Portal content ceases per §13 and the Platform Terms. Keldio is not in a contractual relationship with Members and undertakes no obligation to communicate with Members on the Tenant's behalf except as agreed in writing.

---

Annex F — AI / Agent / MCP processing (Keldio-specific)

F.1 Description

The Tenant may issue Agent Credentials to AI agents, scripts, or partner systems. These connect to the REST API or to the MCP server at /api/mcp and execute Processing operations on the Tenant's Workspace.

F.2 Personal Data Processed

Whatever the Tenant's Workspace contains, depending on the tools called: contacts, orders, communications, member data, etc.

F.3 Roles

  • The Tenant is the Controller of all Processing under Agent Credentials (§14.2).
  • Keldio is the Processor on the Tenant's instructions.
  • Third-Party AI Providers operating Agents are not Keldio Subprocessors (§14.5).

F.4 No human-approval gate

Agent activity executes without Keldio's human review (§14.3).

F.5 Logging and retention

Agent invocations are logged for 90 days (§14.4).

F.6 Tenant warranties

The Tenant warrants that Agent Credentials are issued only to parties bound by appropriate confidentiality and lawful-processing obligations, and that the Tenant has scoped credentials appropriately for the intended Processing.

F.7 Keldio's safety controls

Keldio may throttle, scope-restrict, kill-switch, or audit Agent activity to protect the Services (§14.8).

F.8 No AI training on identifiable data

Keldio does not use identifiable Customer Personal Data to train Keldio-operated AI models (§14.6).

---

Annex G — Ad-pixel server-side processing (Keldio-specific)

G.1 Description

Where the Tenant has configured Meta Conversions API, TikTok Events API, or Google Ads Measurement Protocol, Keldio transmits server-side conversion events containing Personal Data on the Tenant's account at the relevant Provider.

G.2 Personal Data Processed

  • Hashed (SHA-256) email address;
  • Hashed phone number;
  • Click identifier (fbclid, gclid, ttclid, li_fat_id, twclid);
  • IP address;
  • User agent;
  • Conversion event metadata (event name, value, currency, timestamp).
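The hashed match keys listed above, and the "hashed PII in ad-conversion server-side calls" pseudonymisation measure in Annex B.11, are illustrated by the following added example (written for this page; it is not Keldio's code). It shows the normalisation that must happen before SHA-256 hashing so that the same person hashes to the same value across systems, builds only the fields that actually have a value, and demonstrates why the result is pseudonymised rather than anonymised: the hash is deterministic, so anyone holding a plaintext contact list can re-link it. The `user_data` field names follow Meta Conversions API naming (`em`, `ph`, `client_ip_address`, `client_user_agent`) as an assumption; the phone rule (digits only, country code included, leading zeros removed) and all sample values are constructed for the example and should be checked against the receiving Provider's own match-key rules.

```python
import hashlib
import re
from typing import Iterable, Optional


def sha256_hex(value: str) -> str:
    """Lowercase hex SHA-256 of a UTF-8 string, the digest form ad platforms accept for match keys."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_email(email: Optional[str]) -> Optional[str]:
    """Trim whitespace and lowercase; without this, 'Jane@X.com' and 'jane@x.com' hash differently."""
    if email is None:
        return None
    cleaned = email.strip().lower()
    return cleaned or None


def normalize_phone(phone: Optional[str]) -> Optional[str]:
    """Keep digits only and drop leading zeros (assumed rule; the caller must include the country code)."""
    if phone is None:
        return None
    digits = re.sub(r"\D", "", phone).lstrip("0")
    return digits or None


def build_user_data(
    email: Optional[str] = None,
    phone: Optional[str] = None,
    client_ip: Optional[str] = None,
    user_agent: Optional[str] = None,
    click_id: Optional[str] = None,
) -> dict:
    """Assemble the pseudonymised user-data portion of a server-side conversion event.

    Identifiers are hashed after normalisation; IP, user agent and click id are
    sent as-is because the platforms match on them directly. Empty inputs are
    omitted entirely (data minimisation), never sent as a hash of "".
    """
    user_data = {}
    em = normalize_email(email)
    if em:
        user_data["em"] = sha256_hex(em)
    ph = normalize_phone(phone)
    if ph:
        user_data["ph"] = sha256_hex(ph)
    if client_ip:
        user_data["client_ip_address"] = client_ip
    if user_agent:
        user_data["client_user_agent"] = user_agent
    if click_id:
        user_data["click_id"] = click_id
    return user_data


def reidentify(hashed_email: str, known_emails: Iterable[str]) -> Optional[str]:
    """Show that the hash is still Personal Data: a holder of plaintext addresses
    can recompute each hash and recover which contact the event belongs to."""
    for candidate in known_emails:
        normalized = normalize_email(candidate)
        if normalized and sha256_hex(normalized) == hashed_email:
            return normalized
    return None


if __name__ == "__main__":
    # Constructed sample input for a purchase event.
    event = build_user_data(
        email="  Jane.Doe@Example.COM ",
        phone="+31 (6) 12345678",
        client_ip="203.0.113.10",
        user_agent="Mozilla/5.0 (example)",
        click_id="fbclid-constructed",
    )
    print(event)
    print(reidentify(event["em"], ["bob@example.com", "jane.doe@example.com"]))
```

Because `reidentify` succeeds with nothing more than a contact list, hashing here serves as a transport-level pseudonymisation measure (Annex B.11), not as a way to take the data outside the scope of this DPA; the consent and notice warranties in G.4 still apply to every field sent.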

G.3 Roles

  • The Tenant is the Controller of these Transfers; the Tenant has obtained any required Data Subject consent and provided notice.
  • The relevant ad Provider (Meta, TikTok, Google) is an independent Controller of the data the Provider receives.
  • Keldio is the conduit; Keldio Processes the data only to format and transmit it on the Tenant's instructions.

G.4 Tenant warranties

The Tenant warrants that:

  • the Tenant has obtained valid consent (or another lawful basis) from each Data Subject for the ad-conversion server-side flow;
  • the Tenant's End-User-facing privacy notice and cookie banner disclose the flow;
  • the Tenant complies with the receiving Provider's terms (Meta Business Tools terms, TikTok Business Products terms, Google Ads policies).

G.5 Keldio's role

Keldio's role is limited to the conduit function. Keldio is not responsible for the ad Provider's Processing after receipt or for the lawfulness of the Tenant's underlying configuration choices.

---

Annex H — Competent Supervisory Authority

For Tenants resident in the Netherlands: Autoriteit Persoonsgegevens (AP), address: Hoge Nieuwstraat 8, 2514 EL Den Haag, the Netherlands; website: https://autoriteitpersoonsgegevens.nl.

For Tenants resident in another EEA Member State, the competent Supervisory Authority is the data-protection authority of that Member State.

For UK Tenants, the competent Supervisory Authority is the Information Commissioner's Office (ICO).

For Swiss Tenants, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).

For Tenants resident outside the EEA / UK / Switzerland but Processing data of EEA Data Subjects, the competent Supervisory Authority is determined under Article 56 GDPR (one-stop-shop where applicable).

© 2026 Keldio. All rights reserved.