
Data Processing Agreement

Version: 1.0 · Effective: 2026-05-13

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer", acting as data controller for your end-clients' personal data) and Clozo (acting as data processor). It is required under GDPR Article 28(1) when you use Clozo to handle personal data on behalf of your own clients. By creating an account and ticking the DPA acceptance checkbox at /register, you accept this agreement on behalf of the legal entity you represent.

1. Parties

Customer (controller): the natural or legal person who registers a Clozo account and uploads/transmits personal data of third parties (e.g. clients, leads, contacts) to the service.

Processor: Andrei Diachenko, sole proprietor, trading as Clozo, Calle Covera 19, 5A, 33012 Oviedo, Asturias, Spain. NIF Z1579875X · EU VAT ESZ1579875X.

2. Subject matter and duration (Art. 28(3) opening)

Subject matter: the processing of personal data necessary to provide the Clozo service (proposal generation, electronic signing, invoice issuance and delivery, payment collection via Stripe, AI-powered text enhancement as a core service feature under Art. 6(1)(b) GDPR, optional e-invoicing format generation).

Duration: from account creation until 30 days after account closure or expiry of the longest applicable legal retention period under EU/MS law (whichever is later).

3. Nature and purpose of processing (Art. 28(3)(a))

Nature: storage, transmission, transformation (e.g. PDF rendering, XML generation), and limited automated processing (PII-scrubbed AI text enhancement as a core service feature — legal basis Art. 6(1)(b) GDPR, performance of contract).

Purpose: enabling the Customer to operate their freelance/SME business through Clozo.

Clozo processes personal data only on the documented instructions of the Customer, including transfers to third countries, unless required to do so by Union or Member State law to which Clozo is subject; in such case, Clozo shall inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

4. Types of data and categories of data subjects (Art. 28(3))

Types of personal data: identification (name, email), business (company name, VAT ID, address, IBAN/BIC), financial (invoice amounts, payment metadata via Stripe), communication (email content, optional Crisp chat transcripts), technical (IP via Cloudflare, user-agent, browser language).

Categories of data subjects: the Customer's clients, leads, billing contacts, and end recipients of Clozo-generated documents.

No special categories of personal data (Art. 9) are routinely processed.

5. Obligations and rights of the controller (Art. 28(3)(d))

The Customer is responsible for (a) having a lawful basis for collecting and uploading personal data to Clozo, (b) providing data subjects with the information required by Art. 13/14, (c) responding to data subject rights requests directed to the Customer, (d) ensuring data uploaded is accurate and up to date, (e) maintaining the Customer's own RoPA under Art. 30, (f) configuring Clozo settings (e.g. retention preferences) consistent with the Customer's lawful-basis decisions.

6. Confidentiality (Art. 28(3)(b))

Clozo ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The only person with operational access today is the sole proprietor (Andrei Diachenko); employees, contractors, or sub-processor staff (Stripe, Cloudflare, Resend, etc.) are bound by their respective NDAs and DPAs.

7. Security measures (Art. 28(3)(c) + Art. 32)

Clozo implements technical and organisational measures (TOMs) appropriate to the risk, including: TLS 1.3 in transit; AES-256-equivalent at rest (Postgres on Railway EU, R2 on Cloudflare EU); JWT-based authentication with refresh-token rotation; rate-limiting on auth endpoints; daily encrypted database backups; Sentry-based incident detection; quarterly secret rotation; principle of least privilege on Railway access; staging/production environment separation. Detailed TOMs available on request to legal@useclozo.com.

8. Sub-processors (Art. 28(2) + (4))

The Customer authorises Clozo to engage the sub-processors listed in the public sub-processor register at /subprocessors. Clozo gives the Customer at least 30 days' prior notice of any intended additions or replacements via the notification mechanism described at /subprocessors (email subscription, RSS feed). The Customer may object to a new sub-processor by contacting privacy@useclozo.com within the notice period; if no acceptable accommodation can be reached, the Customer may terminate this DPA and the underlying subscription. Clozo imposes on each sub-processor the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate TOMs.

9. Assistance with data subject rights (Art. 28(3)(e))

Clozo provides self-service endpoints in the Customer dashboard (Settings → Privacy) to support the Customer in responding to data subject rights requests under Art. 15-22, including data export (Art. 20), erasure (Art. 17) with a 14-day cooling-off cancel window, and rectification (Art. 16). For requests that exceed the self-service endpoints, Clozo provides additional assistance on request to privacy@useclozo.com within reasonable time and at no additional charge for assistance limited to retrieving or deleting data the Customer cannot access via the dashboard alone.

10. Breach notification (Art. 28(3)(f) + Art. 33)

Clozo notifies the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting the Customer's data. The notification at minimum describes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Clozo cooperates with the Customer's own breach-notification obligations to the supervisory authority and data subjects under Art. 33 and Art. 34.

11. Deletion or return of personal data (Art. 28(3)(g))

On termination of the underlying subscription, Clozo, at the choice of the Customer, deletes or returns all personal data after the end of the provision of the services, and deletes existing copies, unless Union or Member State law requires storage of the personal data (e.g. tax invoice retention under VAT Directive 2006/112/EC Art. 244-247: minimum 6 years in NL, 10 years in DE, 8 years in PL). Where legal retention applies, Clozo isolates the retained data, limits access to what is strictly necessary for compliance, and permanently deletes the data at the end of the retention period.

12. Contact and audits (Art. 28(3)(h))

For all DPA-related questions, audit requests, or data subject rights matters, contact privacy@useclozo.com. Clozo makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable notice (30 days) and a confidentiality undertaking.
