Data Processing Agreement

Last updated: December 30, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kling ("Processor") and the customer ("Controller") for the use of Kling Cloud services. This DPA applies where the Processor processes Personal Data on behalf of the Controller.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: The individual to whom Personal Data relates
  • Processing: Any operation performed on Personal Data
  • Sub-processor: Any third party engaged by Processor to process Personal Data

3. Scope and Purpose

The Processor processes Personal Data only for the purpose of providing the Kling Cloud service as described in the Terms of Service. The types of Personal Data processed include contact information, email addresses, purchase history, and marketing preferences of the Controller's customers.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller without undue delay of any data breach
  • Delete or return Personal Data upon termination
  • Make available all information necessary to demonstrate compliance

5. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit using TLS 1.2+
  • Encryption of data at rest using AES-256
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee security training and background checks
  • Physical security of data centers
  • Business continuity and disaster recovery procedures

6. Sub-processors

The Controller authorizes the use of sub-processors for the provision of the Service. The Processor maintains a list of current sub-processors at kling.to/security. The Processor will notify the Controller of any intended changes to sub-processors, allowing the Controller to object to such changes.

7. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area. Such transfers are conducted in compliance with GDPR using Standard Contractual Clauses or other approved transfer mechanisms.

8. Data Subject Rights

The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including access, rectification, erasure, and portability.

9. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay (within 72 hours) and provide information necessary for the Controller to fulfill its notification obligations.

10. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections, directly or through an appointed auditor, upon reasonable notice.

11. Duration and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, the Processor will delete or return all Personal Data within 30 days, unless retention is required by law.

12. Contact

For questions about this DPA or to request a signed copy, contact privacy@kling.to.