LEGAL · DPA

Data Processing Addendum.

The KlindrOS Data Processing Addendum (DPA) governs how we process personal data on behalf of customers. It applies to enterprise customers subject to GDPR, the Indonesian Personal Data Protection Law (UU PDP), or similar regimes, and supplements the Master Service Agreement.

Last updated: 11 May 2026

This page is a public summary of what the DPA contains and how to obtain the executable version. The executable DPA is countersigned by KlindrOS and the customer entity, and prevails over any inconsistency with this summary.

01What the DPA covers

The executable DPA includes the following terms, aligned with GDPR Articles 28 and 32 and UU PDP equivalents:

Roles. KlindrOS acts as a Processor on behalf of the Customer (Controller) for personal data processed via the Service.
Purpose and scope. Processing is limited to providing the Service per the Order Form and documented Customer instructions.
Standard Contractual Clauses (SCCs). EU-approved SCC Module 2 is attached for transfers of EU personal data outside the EEA.
Sub-processors. We maintain a sub-processor list (below), notify Customer of changes, and pass through the same protections we offer.
Security measures. Technical and organisational measures including encryption in transit and at rest, access controls, audit logging, and incident response.
Incident notification. We notify Customer within 72 hours of becoming aware of a personal data breach affecting their data.
Data subject rights. We assist Customer in responding to access, correction, deletion, and portability requests from data subjects.
Audit rights. Customer may audit our compliance with the DPA once per year, on reasonable notice, subject to confidentiality.
Return or deletion. On termination, we return or delete Customer Data within 90 days, subject to legal retention obligations.

02Current sub-processor list

The following sub-processors process personal data on behalf of KlindrOS to deliver the Service. We notify customers of additions or replacements at least 30 days in advance, allowing reasonable objection.

Sub-processor	Service	Data categories	Location
Apify Inc	Public social profile scraping for KScore diagnostics	Submitted social handles, public profile data	United States
OpenAI, L.L.C.	AI-generated profile audit and growth recommendations (KScore Personal paid tier)	Scraped public profile data, persona preferences	United States
PT Kharisma Catur Mandala (Duitku)	Payment processing for KScore Personal and subscription billing	Payment metadata, billing contact, transaction history	Indonesia
Hostinger International Limited	VPS hosting and SMTP delivery for transactional email	All Service data at rest; email recipient address and content	Lithuania / European Union
Google LLC	Google Analytics 4, reCAPTCHA v3, Google Fonts	Website usage, IP address, browser metadata	United States
Microsoft Corporation	Microsoft Clarity session analytics	Website usage, IP address (truncated), session recordings	United States
IPGeolocation Inc	IP-to-country lookup for locale suggestion	Visitor IP address (looked up server-side, not stored)	Canada
Ghost Foundation Ltd	Ghost CMS hosting for the KlindrOS blog	Blog reader IP and visit metadata (analytics-only)	Singapore

03Security measures

We maintain a documented information security programme, including:

Encryption. TLS 1.2+ for data in transit. AES-256 for data at rest in databases and backups.
Access control. Role-based access for KlindrOS personnel; production access limited to staff with a documented business need.
Audit logging. Production application and infrastructure events are logged and reviewed for anomalies.
Vulnerability management. Regular scanning of dependencies and infrastructure; patches applied per severity SLA.
Backups. Encrypted backups with tested restore procedures.
Personnel. Background checks for staff with production access; annual security awareness training; signed confidentiality undertakings.
Vendor due diligence. Sub-processors are reviewed for security and privacy posture before onboarding.

Detailed control descriptions are available under NDA from dpo@klindros.com.

04Incident notification

If we become aware of a personal data breach involving Customer Data, we will:

Notify the affected Customer within 72 hours of becoming aware.
Describe the nature of the breach, categories and approximate number of data subjects and records affected.
Communicate likely consequences and the measures we have taken or propose to take.
Provide updates as our investigation progresses.
Cooperate with the Customer's notification to supervisory authorities or data subjects, where required by law.

05Data subject rights handling

If we receive a data subject request (access, correction, deletion, portability, objection) directly via our website or DPO inbox concerning Customer Data, we will forward it to the Customer for handling, unless instructed otherwise. We assist the Customer in responding within statutory timelines by providing technical means to fulfil the request.

06Getting the executable DPA

Customers who require a signed DPA can request the executable version by emailing dpo@klindros.com with their legal entity name and the regimes that apply (GDPR, UU PDP, etc.). We typically counter-sign within five business days.

Request the executable DPA