DATA PROCESSING AGREEMENT

Last Updated: August 1, 2025

This Data Processing Agreement (“DPA”) is an integral part of the service agreement (“Agreement”) between

Client (“Controller”) and

Kluk AI (“Processor”), a company incorporated under the laws of the Netherlands, registered at Hertog Hendriksingel 24, 5216BB 's-Hertogenbosch, the Netherlands, with company number 95584080.

Effective as of the date of the Agreement.

1. Definitions

Personal Data means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Agreement.

Processing means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, use, disclosure, erasure, or destruction.

2. Subject Matter and Duration

2.1 Processor processes Personal Data on behalf of Controller to provide Kluk AI's AI-powered website widget and related services as defined in the Agreement.

2.2 This DPA remains effective throughout the term of the Agreement and until all Personal Data has been returned or securely deleted in accordance with Section 7.

3. Categories of Personal Data and Purposes of Processing

3.1 Categories of Personal Data Processed:

  • Identifiers: names, email addresses, phone numbers, addresses, company contact details;
  • Technical Data: IP addresses, device and browser information;
  • Behavioral Data: widget interaction logs, usage data, scheduling and meeting notes;
  • Other data submitted via chat inputs or customized forms requested by Controller.

3.2 Purposes of Processing:

  • Capturing and qualifying leads;
  • Scheduling meetings and calendar sync via Cal.com;
  • Providing AI conversational assistance and insights;
  • Processing chat content via OpenAI's AI models;
  • Generating anonymized analytics for service improvement;
  • Synchronizing data as authorized by Controller.

4. Use of Subprocessors

4.1 Processor uses the following subprocessors to deliver its services:

  • OpenAI (Chat processing and data extraction, US)
  • NeonDB (Data storage, EU or US depending on client)
  • Vercel (Hosting of the widget, EU or US depending on client)
  • Cal.com (Embedded meeting scheduling, US)

4.2 Processor maintains an up-to-date list of subprocessors and will notify Controller in advance of any changes.

4.3 Processor ensures subprocessors comply with data protection obligations consistent with this DPA.

5. Data Processing Infrastructure and Transfers

5.1 Personal Data is processed primarily in data centers located in the European Union and the United States, based on the client's geographic and configuration choices.

5.2 International data transfers to subprocessors outside the EEA, including to the US, are governed by appropriate safeguards such as Standard Contractual Clauses (SCCs), including those executed by OpenAI.

5.3 Processor limits transfer of personally identifiable information where feasible, assesses risks under Schrems II, and complies with EU data protection standards.

6. Data Retention and Deletion

6.1 Processor retains Personal Data for the duration necessary to provide the services and support client insights and service improvement.

6.2 Upon termination of the Agreement or at Controller's request, Processor will delete or return all Personal Data within thirty (30) calendar days, except where retention is required by law.

6.3 Backups of Personal Data may be retained for a limited period of up to thirty (30) calendar days after termination solely for disaster recovery and legal compliance purposes.

7. Security Measures

Processor implements appropriate technical and organizational security measures, including but not limited to:

  • Encryption of Personal Data at rest and in transit (via NeonDB and secure cloud infrastructure);
  • Role-based access controls;
  • Security audits and vulnerability assessments;
  • Employee confidentiality obligations;
  • Incident response and breach management protocols.

8. Data Breach Notification

Processor shall notify Controller without undue delay and no later than seventy-two (72) hours after becoming aware of any personal data breach impacting Controller's data, providing details and remediation steps.

9. Controller Rights and Processor Cooperation

9.1 Processor will assist Controller in responding to data subject rights requests (access, correction, deletion, portability) as reasonably possible.

9.2 Processor supports data export and deletion requests as instructed by Controller.

10. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands. Any disputes shall be subject to the exclusive jurisdiction of the Dutch courts.

11. Liability and Indemnity

11.1 Processor's liability under this DPA is limited to direct damages caused by Processor's willful misconduct or gross negligence.

11.2 Processor is not liable for damages resulting from Controller's unlawful data input, misconfiguration, or breach of applicable laws.

11.3 Each party indemnifies the other against claims arising from breaches of this DPA attributable to their own fault.

12. Miscellaneous

12.1 This DPA constitutes the entire data processing agreement between the parties and supersedes prior communications on this subject.

12.2 Amendments to this DPA must be made in writing and signed by authorized representatives of both parties.




IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the effective date of the Agreement.


[Signatures]