Klient Data Processing Agreement (DPA) – December 3rd, 2025
Parties
- Customer (Controller) — The entity subscribing to the Klient PSA application.
- Klient Inc. (Processor) — A Professional Services Automation (PSA) application built natively on Salesforce, operating as a data processor.
1. Purpose
This Data Processing Agreement (the “DPA”) forms part of the Master Subscription Agreement (MSA) between Customer and Klient Inc.
It governs Klient’s processing of personal data on behalf of the Customer within the Salesforce platform and ensures compliance with applicable data protection laws, including GDPR, UK GDPR, and CCPA.
2. Roles and Definitions
- Customer (Controller): Determines the purposes and means of processing personal data.
- Klient Inc. (Processor): Processes personal data solely on behalf of and in accordance with the Customer’s documented instructions — meaning Klient Inc. only processes data as necessary to deliver the service, not for its own purposes.
- Salesforce (Subprocessor): Provides the infrastructure, hosting, and data storage for the Klient PSA application.
Personal Data means any information relating to an identified or identifiable natural person processed under this DPA.
Processing means any operation performed on personal data, such as collection, storage, or transmission.
3. Scope of Processing
Klient processes Customer Data solely to provide, operate, support, and maintain the Klient PSA application, which runs entirely within the Salesforce platform. Klient does not determine the means or purposes of processing Personal Data and does not process Personal Data outside of Salesforce. Klient does not access Customer Data except as necessary to perform support or configuration tasks requested by the Customer. Klient does not use Customer Data for its own purposes or disclose it to third parties except as required by law or directed by the Customer.
4. Data Categories and Subjects
The personal data processed may include:
- Employee, contractor, and customer contact details (name, email, phone, title).
- Project delivery and time tracking information.
- Billing and invoicing records as configured by the Customer.
Data subjects include:
- Customer employees and contractors.
- Customer’s clients and related project stakeholders.
5. Subprocessing
Customer acknowledges and authorizes Klient Inc.’s use of Salesforce as a subprocessor.
Salesforce provides the hosting, infrastructure, and data storage services for the Klient application.
Klient Inc. may also engage limited subprocessors for integrations, support, or analytics.
All subprocessors are bound by written agreements that ensure equivalent data protection obligations.
Subprocessor Notification and Objection Rights:
Klient Inc. shall notify the Customer at least 30 days in advance of any intended addition or replacement of a Subprocessor. The Customer may object on reasonable data protection grounds within 30 days of receiving such notice. If no resolution is found within 30 days, the Customer may terminate the affected Services without penalty.
6. Security Measures
Klient Inc. maintains SOC 2 Type II compliance, ensuring its security, availability, and confidentiality controls are independently audited and verified.
Klient also implements technical and organizational measures to protect personal data, including:
- Encryption in transit and at rest (managed by Salesforce).
- Access control, authentication, and role-based permissions.
- Audit logging and user activity tracking.
- Regular security assessments and monitoring.
- Employee confidentiality and security training.
Klient Inc. relies on Salesforce’s global security infrastructure and certifications, including ISO 27001, SOC 2, and GDPR compliance.
7. Personnel Confidentiality and Reliability
Klient Inc. ensures that any employee, contractor, or agent who has access to Personal Data is reliable and subject to appropriate confidentiality obligations. Access is limited to individuals who require it to perform their job functions under the MSA. All such personnel are informed of the confidential nature of Personal Data, receive appropriate privacy and security training, and are bound by written confidentiality agreements. These obligations survive the termination of their employment or engagement.
8. International Data Transfers
Klient Inc. does not control or determine Salesforce’s data storage locations.
Salesforce operates global data centers and may transfer data outside of the Customer’s jurisdiction — including to the United States or Canada — for redundancy, performance, and support.
These transfers are compliant with GDPR through EU Standard Contractual Clauses (SCCs) and other lawful mechanisms.
9. Data Subject Rights
Klient Inc. assists the Customer in fulfilling data subject requests (access, rectification, deletion, portability, restriction) via available Salesforce functionality.
Klient Inc. will not respond directly to a data subject request unless instructed in writing by the Customer.
10. Breach Notification
If Klient becomes aware of a Personal Data Breach affecting Customer Data that Klient can verify in its capacity as Processor, Klient will notify the Customer without undue delay and, in any case, no later than 72 hours after confirming the breach. Klient shall provide reasonable assistance to Customer in meeting its legal obligations related to such breach, limited to information within Klient’s possession or control as a Processor operating on the Salesforce platform. Nothing in this section requires Klient to notify supervisory authorities or data subjects directly unless mandated by applicable law.
11. Retention and Deletion
Klient Inc. retains Customer Data only as long as necessary to fulfill the purposes of processing under the MSA or as required by law.
Operational and support records containing limited personal data (e.g., logs, audit trails, or billing data) may be retained for up to 90 days after termination unless a longer period is required by law.
Upon termination or expiration of the MSA, Klient Inc. will delete or return Customer Data as directed, except where retention is required by law.
12. Compliance and Assistance with GDPR Articles 32–36
Klient Inc. will make available relevant documentation to demonstrate compliance with this DPA. Upon written request, Klient Inc. will provide reasonable assistance to the Customer in ensuring compliance with Articles 32–36 of the GDPR, including with respect to the security of processing, data protection impact assessments, and consultation with supervisory authorities. Such assistance shall be limited to information within Klient Inc.’s possession and control.
13. Liability and Indemnification
13.1 Liability Framework.
All liability arising under or in connection with this DPA is governed exclusively by the limitation-of-liability and exclusion-of-damages provisions set out in the Master Subscription Agreement (“MSA”). Nothing in this DPA shall operate to increase or extend either party’s liability beyond the limits agreed in the MSA.
13.2 Klient’s Obligations.
Klient shall be liable only for the processing of Personal Data to the extent Klient is acting as the Processor and only to the extent directly resulting from Klient’s failure to comply with this DPA. Klient has no liability for acts or omissions of Salesforce.com, inc. or any other subprocessor operating the hosting platform.
13.3 Indemnification.
Klient shall indemnify Customer only to the extent expressly set out in the MSA. No separate or additional indemnities apply under this DPA.
13.4 Subprocessor Liability.
Klient remains responsible for ensuring that its subprocessors are bound by written agreements containing obligations equivalent to this DPA. Klient shall not be liable for any data processing actions undertaken solely by Salesforce.com, inc. as the hosting platform provider.
14. Term and Termination
This DPA remains in effect for the duration of the MSA.
Upon termination, all processing activities shall cease except as necessary for lawful retention or return of data.
15. Governing Law
This DPA is governed by the same law and jurisdiction as the MSA.
