In this Data Processing Agreement (DPA), the following terms have the meanings set out below:
Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1) and DPDP Act 2023.
Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
Controller: The natural or legal person that determines the purposes and means of Processing. Typically, you (the Client).
Processor: The natural or legal person that processes Personal Data on behalf of the Controller. In this case, Clepto.io.
Sub-Processor: Any natural or legal person engaged by the Processor to process Personal Data on behalf of the Controller.
Data Subject: The individual to whom Personal Data relates.
GDPR: General Data Protection Regulation (EU) 2016/679.
DPDP Act: Digital Personal Data Protection Act, 2023 (India).
Clepto.io Services: All automation, AI, and workflow services provided by Clepto.io under the Master Service Agreement.
2. Scope and Applicability
2.1 When This DPA Applies
This DPA applies to the extent that Clepto.io processes Personal Data on your behalf when providing Automation Services, including:
n8n workflow automation and data handling
Customer data processing in automated workflows
Email automation via n8n SMTP workflows
AI-powered data analysis and automation
API integrations involving Personal Data
Database storage and management on Hostinger VPS
Chat logs and interaction data from AI chatbots
2.2 Territorial Scope
This DPA complies with:
GDPR (for EU/EEA residents' data)
DPDP Act 2023 (for Indian residents' data)
Other applicable data protection laws by jurisdiction
Important: This DPA is incorporated into your Master Service Agreement with Clepto.io. In case of conflict, this DPA takes precedence regarding Personal Data processing.
3. Data Controller and Processor Roles
3.1 You Are the Data Controller
As our Client, you determine:
What Personal Data to process (scope)
Why you process it (purposes)
How long to retain it (retention period)
Who has access (data subjects)
Legal basis for processing (consent, contract, legitimate interest, etc.)
You are responsible for:
Obtaining lawful basis for processing (e.g., consent from data subjects)
Providing privacy notices to data subjects
Responding to data subject requests (access, deletion, etc.)
Conducting data protection impact assessments where required
Notifying regulators of data breaches
3.2 Clepto.io Is the Data Processor
Clepto.io processes Personal Data:
Only as instructed by you (the Controller)
For the specific purposes you define
For the duration you specify
Using the safeguards described in Section 5
Clepto.io is responsible for:
Processing data only per your written instructions
Implementing appropriate technical and organizational security measures
Managing sub-processors (with your authorization)
Assisting with data subject requests
Notifying you of data breaches without undue delay
Maintaining records of processing activities (as Processor)
Deleting or returning data upon termination
Clarity on Roles: You control what data and why. Clepto.io controls how to process it securely.
Admin access: Limited to authorized personnel only
Access logs: Maintained for security audits
5.2 Organizational Safeguards
Personnel training: Staff trained on data protection
Access restrictions: Need-to-know basis only
Confidentiality agreements: All staff bound by confidentiality
Regular audits: Access logs reviewed periodically
Incident response: Procedures in place for data breaches
5.3 Infrastructure Details
Hosting & Infrastructure:
Hostinger VPS (Europe-based, GDPR-compliant)
Database: PostgreSQL on Hostinger managed infrastructure
Backups: Regular encrypted backups by Hostinger
Monitoring: 24/7 uptime monitoring
Updates: Regular security patches applied
5.4 Data Breach Notification
If a data breach occurs, Clepto.io will:
Notify you within 24 hours of discovery
Provide details: nature, scope, likely consequences
Provide contact: Designated data protection officer (contact@clepto.io)
Provide remedial actions: Steps being taken to mitigate harm
Preserve evidence: For investigation and compliance
You are responsible for: Notifying affected data subjects and regulators (as required by law, typically within 72 hours).
6. Sub-Processors
6.1 Authorized Sub-Processors
You authorize Clepto.io to engage the following sub-processors:
Sub-Processor | Location | Function | DPA Status
Hostinger | Europe | Hosting, database, backups | DPA in place
n8n (Open-Source) | Self-hosted on Hostinger | Workflow automation platform | Open-source (no DPA needed)
OpenAI | USA | AI model processing | DPA signed
Anthropic | USA | AI model processing (Claude) | DPA signed
Google | USA | AI model processing (Gemini) | DPA signed
Mistral | Europe | AI model processing | DPA signed
Perplexity | USA | Research & retrieval | In progress (Q1 2026)
Perplexity Status: The DPA with Perplexity is being finalized. We recommend using Perplexity only for non-sensitive queries until the DPA is confirmed. We will notify you when it is completed.
6.2 Changes to Sub-Processors
If Clepto.io engages a new sub-processor, we will:
Notify you at least 30 days in advance
Provide details about the new sub-processor and processing
Allow you to object (within 14 days)
Provide alternative solutions if you object
Inform you of any remediation measures
Notification channel: Email to contact@clepto.io or your registered account email.
You must provide data subjects with information about processing, including:
Identity of the controller and processor
Purposes of processing
Legal basis for processing
Recipients of data (including Clepto.io as processor)
Retention period
Data subject rights
Contact for privacy inquiries
7.2 Data Subject Rights Support
Data subjects have the right to:
Access: Request a copy of their Personal Data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion (right to be forgotten)
Restriction: Limit how data is processed
Portability: Receive data in machine-readable format
Objection: Object to certain types of processing
Not to be subject to automated decision-making: For decisions with legal effects
7.3 Clepto.io's Support
When you receive a data subject request, Clepto.io will:
Assist you in responding to requests
Provide access to data stored in your account within 10 business days
Delete data upon your instruction within 30 days
Correct data upon your request without delay
Restrict processing of specific data upon your instruction
Provide data in CSV/JSON format for portability requests
Data Subject Requests: Forward all requests to contact@clepto.io with subject line "Data Subject Request - [Type]". We will prioritize and assist within 5 business days.
8. International Data Transfers
8.1 Data Location
Personal Data is stored and processed:
Primary: Hostinger VPS in Europe (GDPR-compliant jurisdiction)
AI Processing: May be transferred to USA-based AI providers (OpenAI, Anthropic, Google) with appropriate safeguards
EU providers: Mistral (Europe-based, no transfer needed)
8.2 Transfer Mechanisms for USA Processors
For transfers to USA-based AI providers, Clepto.io relies on:
Standard Contractual Clauses (SCCs) with all USA sub-processors
Data Processing Agreements incorporating GDPR-compliant terms
Supplementary safeguards to mitigate data access risks
EU-to-US data transfer agreements where available
8.3 Your Obligations
You are responsible for:
Ensuring lawful basis for international transfers
Informing data subjects about transfers and safeguards
Complying with any supplementary transfer requirements in your jurisdiction
Data Localization: If you require data to remain within the EU/UK only, please contact contact@clepto.io to discuss alternatives. Some features (e.g., OpenAI AI processing) may be unavailable with this restriction.
9. Liability and Indemnification
9.1 Limitation of Liability
Each party's total liability under this DPA is limited to the fees paid in the 12 months preceding the claim (or €500,000, whichever is greater), except for:
Data breaches caused by the Processor's gross negligence or willful misconduct
Violations of data subject rights
Infringement of applicable data protection laws
9.2 Indemnification
Clepto.io will indemnify you against claims arising from:
Clepto.io's breach of this DPA
Data breaches caused by Clepto.io's security failures
Unauthorized disclosure of Personal Data by Clepto.io personnel
You will indemnify Clepto.io against claims arising from:
Your breach of applicable data protection laws
Your instructions to process data unlawfully
Your failure to obtain proper consent from data subjects
10. Term and Termination
10.1 Duration
This DPA remains in effect for the duration of your service agreement with Clepto.io, plus any applicable data retention period.
10.2 Termination Effects
Upon termination of your service:
Days 1-30: Your account marked for deletion; you can request data export
Days 31-60: Personal data permanently deleted from database
Days 61+: Only legal/audit logs retained (if required by law)
Certificate: Deletion confirmation provided to you
Exceptions: Clepto.io may retain data if required by law (e.g., Indian tax law: 7-year retention for business records).
10.3 Data Return or Deletion
You can request:
Return of all your data (in CSV, JSON, or other format)
Immediate deletion of your account and data
Archive of your data for historical purposes
Process: Email contact@clepto.io with "Data Return/Deletion Request" subject line. We will respond within 24 hours and complete within 30 days.