Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service between Klyna (the "Processor") and you, the business or person installing a Klyna tool on a site that processes personal data of EU, UK, or California residents (the "Controller"). It is pre-signed by Klyna by being published here. You accept it by continuing to use the Klyna tools.
A signed PDF copy is available on request at privacy@klyna.dev. Most customers don't need one; this page is the operative document.
1. Roles
You are the Controller of personal data processed through your WordPress site, Shopify store, or browser session. Klyna acts as a Processor only where we receive personal data on our infrastructure — primarily the anonymous install ping described in the Privacy Policy. The Klyna plugin or app itself runs on your infrastructure and is not a transfer of data to us.
2. Scope and subject matter
- Subject matter: the provision of the Klyna tools to the Controller.
- Duration: as long as the Controller uses a Klyna tool that sends data to our endpoints.
- Nature and purpose: aggregate install metrics, support, and security.
- Types of data: daily hashed site identifier, plugin/app version, host platform version, locale, country derived from IP and then discarded.
- Categories of data subjects: the Controller and its system administrators. We do not process the Controller's end-users' personal data on our servers.
3. Klyna's obligations
- Process personal data only on documented instructions from the Controller (this DPA).
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II).
- Assist the Controller with data-subject requests and DPIAs to the extent we can.
- Notify the Controller of a personal-data breach without undue delay (within 72 hours where feasible).
- Delete or return personal data at the end of the engagement, unless retention is required by law.
4. Sub-processors (Annex I)
Klyna uses the following sub-processors to deliver the service. We will update this list before adding a new one and you can object at privacy@klyna.dev.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Static hosting of klyna.dev and admin panel | USA / EU edge |
| Cloudflare, Inc. | DNS, WAF, and the ping endpoint edge | Global edge |
| Resend, Inc. | Transactional email (support replies, admin auth) | USA |
| GitHub, Inc. | Source code hosting, release artefacts | USA |
| Fastmail Pty Ltd | Inbox for hello@klyna.dev / security@klyna.dev | Australia / USA |
5. International transfers
Where personal data is transferred out of the EEA, UK, or Switzerland, the transfer is covered by the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor, version of 4 June 2021) and the UK Addendum to the EU SCCs. Those clauses are incorporated by reference; the data exporter is the Controller and the data importer is Klyna.
6. Security measures (Annex II)
- TLS 1.2+ in transit; AES-256 at rest on managed providers.
- BYOK keys encrypted in your DB with `sodium_crypto_secretbox` tied to your `AUTH_KEY` / Shopify shop secret. Never returned in REST responses, never logged.
- Argon2id password hashing and WebAuthn-required login on the admin panel.
- 15-minute idle session timeout, IP-bound session cookies, 5-req/min login rate-limit.
- WAF rate-limit on the ping endpoint (1 req/site/day), IP dropped before write, payloads >2KB rejected.
- Dependabot and `npm/composer/bundle audit` in CI; release blocked on high-severity findings.
- Signed release artefacts (cosign) with checksums published on `/downloads`.
- Quarterly internal pentest of each Klyna repo; results summarised on /legal/security.
7. Audits
Klyna will respond to reasonable written audit questionnaires once per twelve-month period. Because the studio is small, we cannot host on-site audits, but we will provide our latest security summary and SOC-style attestation from sub-processors where they publish one.
8. Liability
Liability under this DPA is subject to the limits in the Terms of Service.
9. Signature
This DPA is signed by Klyna on the "Effective" date above by publication on klyna.dev. The Controller accepts it by continuing to use Klyna tools after that date. A countersigned PDF is available on request.
Questions? Email hello@klyna.dev. Security reports go to security@klyna.dev.